Shell rc / profile audit
~/.bashrc / .zshrc / .profile / fish / nushell init-file deep audit (SH1-SH7).
Shell rc / profile / login files are a top-tier persistence +
injection surface — a single line in ~/.bashrc fires
on every new terminal. The existing TrapDoor detector matches
specific campaign markers in known rc files; this auditor adds
the general malicious-pattern audit modeled on
systemd_audit and
macos_launchd.
Files captured (collector shell.profile)
Per-user under HOME:
.bashrc / .bash_profile / .bash_login / .bash_logout / .profile
.zshrc / .zprofile / .zlogin / .zshenv / .zlogout
.kshrc / .cshrc / .tcshrc / .inputrc
.config/zsh/.zshrc + .zshenv + .zprofile
.config/fish/config.fish + conf.d/*.fish + functions/*.fish
.config/nu/{config,env}.nu + .config/nushell/{config,env}.nu
System-wide:
/etc/bash.bashrc / /etc/bash_completion
/etc/profile / /etc/profile.d/*.sh
/etc/zshrc / /etc/zprofile / /etc/zshenv
/etc/csh.cshrc / /etc/csh.login
Per-file read cap: 256 KiB. _infer_shell() classifies
the flavor (zsh / bash / fish / nushell / sh fallback).
Detection layers (SH1–SH7)
| ID | Severity | What it catches | MITRE |
|---|---|---|---|
| SH1 | high → critical | Network-fetch in rc (curl/wget/nc/socat/python-socket). Init fires on every new terminal, so the fetch re-runs constantly. Escalated to critical when the fetched content is piped into a shell. | T1546.004 |
| SH2 | medium | Long base64 / escaped-hex sequence. Sometimes legit (vendored completion scripts); often a hidden one-liner. | T1027 |
| SH3 | high | PATH prepended with writable head. Bash/zsh export PATH=...:$PATH AND fish set -gx PATH ... $PATH syntaxes. GTFOBins-style path hijack. | T1574.007 |
| SH4 | high | Alias hijack of security-critical command (sudo / ssh / git / docker / kubectl / curl / ls / cd / rm / etc). Credential-theft + command-substitution primitive. | T1546.004 |
| SH5 | medium | trap / PROMPT_COMMAND / precmd / preexec / chpwd / add-zsh-hook. Legit users exist (oh-my-zsh, starship) but also a keystroke-injection primitive. | T1546 |
| SH6 | high | source / . of a file under a writable or user-controlled location (/tmp, /Users/Shared, /home, /root, /.cache, /.config, Downloads) or via a relative path. | T1546.004 |
| SH7 | critical | LD_PRELOAD / LD_AUDIT / DYLD_INSERT_LIBRARIES / DYLD_LIBRARY_PATH / LD_LIBRARY_PATH export. Symbiote / Cuttlefish / FontOnLake user-mode rootkit primitive. | T1574.006 |
No new CLI needed
The shell-profile collector is registered in the common
collectors group and runs as part of digger collect;
the detector runs at digger scan time.