# Unix Shell Configuration Modification

Adversaries may establish persistence by executing malicious commands triggered by a user's shell. Unix shells execute several configuration scripts at different points throughout a session, based on events. For example, when a user opens a command-line interface or logs in remotely (such as over SSH), a login shell is started. The login shell executes scripts from the system (/etc) and the user's home directory (\~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user's environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits cleanly.

Adversaries may attempt to establish persistence by inserting commands into scripts that shells execute automatically. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries to /etc/profile and the files under /etc/profile.d. These files typically require root permissions to modify and are executed each time any login shell on the system starts. With user-level permissions, adversaries can insert malicious commands into \~/.bash\_profile, \~/.bash\_login, or \~/.profile, which are sourced when a user opens a command-line interface or connects remotely. Since bash only executes the first existing file in the listed order, adversaries have used \~/.bash\_profile to ensure execution. Adversaries have also used \~/.bashrc, which is additionally executed if the connection is established remotely or an additional interactive shell is opened.

In the following example, my Ubuntu system already contains a \~/.bashrc file, so I won't modify any of the other startup files; as you can see below, adding a command to it is easy to follow.

<figure><img src="/files/kHIZXpEJEhVlDv80jj0e" alt=""><figcaption></figcaption></figure>

The moment the user opens an interactive shell, it pops open the calculator as well.

<figure><img src="/files/w4lJJmyR5e3kQ4djcAsB" alt=""><figcaption></figcaption></figure>
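From the defender's side, the same sourcing order tells you exactly which files to watch. The script below is an added example (not code from the original page or its author): it encodes the bash file precedence described above, walks the system and per-user startup files, and flags lines that look like persistence rather than environment setup, such as the backgrounded calculator launch in the screenshots. The file list, the heuristic patterns and the sample \~/.bashrc content are assumptions constructed for this example.

```python
# Added example (not the original page's code): audit bash startup files for
# lines that look like persistence rather than environment setup. File list,
# heuristic patterns and the sample ~/.bashrc are constructed assumptions.
import glob
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Login shell: bash sources only the first of these that exists in $HOME,
# which is why ~/.bash_profile takes precedence when present.
LOGIN_FILES = (".bash_profile", ".bash_login", ".profile")
# Interactive non-login shells (new terminal, `bash` typed in a shell) source this.
INTERACTIVE_FILE = ".bashrc"
# Root-writable, sourced by every login shell on the system.
SYSTEM_FILES = ("/etc/profile",)
SYSTEM_DROPIN_GLOB = "/etc/profile.d/*.sh"

# Heuristics (constructed): things an rc file rarely has a reason to do.
PATTERNS = {
    "backgrounded command": re.compile(r"(^|[^&])&\s*$|\bnohup\b|\bsetsid\b"),
    "network download": re.compile(r"\b(curl|wget)\b"),
    "decoded payload": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "interpreter one-liner": re.compile(r"\b(python[0-9.]*|perl|ruby)\s+-[ce]\b"),
}

# Constructed ~/.bashrc as it would look after the edit shown in the screenshots.
SAMPLE_BASHRC = """\
# ~/.bashrc for the demo user (constructed sample, not a real file)
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
[ -f ~/.bash_aliases ] && . ~/.bash_aliases
# line appended by the technique: runs on every interactive shell
gnome-calculator &
"""


@dataclass
class Finding:
    path: str
    lineno: int
    line: str
    reason: str


def strip_comment(line: str) -> str:
    """Drop a trailing shell comment (crude: ignores '#' inside quotes)."""
    return line.split("#", 1)[0].strip()


def audit_text(path: str, text: str) -> List[Finding]:
    """One Finding per (line, matching pattern); comment-only lines are skipped."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = strip_comment(raw)
        if not code:
            continue
        for reason, pattern in PATTERNS.items():
            if pattern.search(code):
                findings.append(Finding(path, lineno, raw.rstrip(), reason))
    return findings


def login_file_bash_sources(
    home: str, exists: Callable[[str], bool] = os.path.exists
) -> Optional[str]:
    """Path of the login startup file bash would pick for HOME, or None."""
    for name in LOGIN_FILES:
        candidate = os.path.join(home, name)
        if exists(candidate):
            return candidate
    return None


def startup_files(home: str) -> List[str]:
    """Every file that can run code when this user starts a bash session."""
    files = list(SYSTEM_FILES) + sorted(glob.glob(SYSTEM_DROPIN_GLOB))
    login = login_file_bash_sources(home)
    if login:
        files.append(login)
    files.append(os.path.join(home, INTERACTIVE_FILE))
    return files


def audit_paths(paths: Iterable[str]) -> List[Finding]:
    """Audit each readable file; missing or unreadable ones are skipped."""
    findings: List[Finding] = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_text(path, fh.read()))
        except OSError:
            continue
    return findings


if __name__ == "__main__":
    home = os.path.expanduser("~")
    sample = audit_text("sample:~/.bashrc", SAMPLE_BASHRC)
    for f in sample + audit_paths(startup_files(home)):
        print(f"{f.path}:{f.lineno}: {f.reason}: {f.line}")
```

Run it as the user whose session you are reviewing so that `~` expands to the right home directory; the sample section will report line 6 of the constructed \~/.bashrc as a backgrounded command, and the live section lists anything matching in the real startup files. The patterns are deliberately narrow and will not catch everything, so the more reliable control is to diff these files against a known-good baseline (on Debian-based systems the defaults ship in /etc/skel) and to monitor them for modification, since an environment script should change rarely and only through an expected path.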
