This repository was archived by the owner on Feb 10, 2021. It is now read-only.

Bash Profile

iosifache edited this page Jan 12, 2020 · 2 revisions

MITRE ATT&CK ID: T1156

Permissions Required: user or root

Release Date: December 2019

Tests: passed

Attack Vector

~/.profile and ~/.bashrc are shell scripts that contain shell commands.

~/.profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in with a username and password, either at the local console or remotely via something like SSH, the ~/.profile script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the ~/.bashrc script is executed.

These shell scripts are meant to be written by the local user to configure their environment. Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence.

Detection

While users may customize their ~/.bashrc and ~/.profile files, there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets or reaching out across the network when user profiles are loaded during the login process.
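The following sketch is an added example, not code from this repository. It applies the monitoring advice above to the contents of a profile file and flags lines that launch programs from temporary directories, detach background jobs, call network clients or pipe into a shell. The rule names, patterns and the sample file are assumptions constructed for illustration and will need tuning against real user profiles.

```python
import os
import re

# Heuristic rules (assumptions for this example, not an exhaustive list).
RULES = [
    ("network-client", re.compile(r"(?:^|[\s;|&(/])(curl|wget|nc|ncat|socat)\s")),
    ("bash-net-socket", re.compile(r"/dev/(tcp|udp)/")),
    ("temp-dir-exec", re.compile(r"(?<![\w.])(/tmp|/var/tmp|/dev/shm)/\S+")),
    ("detached-job", re.compile(r"\bnohup\b|\bdisown\b|(?<!&)&\s*$")),
    ("pipe-to-shell", re.compile(r"\|\s*(ba|da)?sh\b")),
]

def scan_profile(text):
    """Return (line_number, [rule names], line) for each suspicious line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are never executed
        hits = [name for name, rx in RULES if rx.search(line)]
        if hits:
            findings.append((lineno, hits, line))
    return findings

# Constructed sample: a typical ~/.bashrc with two abnormal lines added.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
export EDITOR=vim
alias ll='ls -alF'
[ -f ~/.bash_aliases ] && . ~/.bash_aliases
nohup /tmp/.cache/updater >/dev/null 2>&1 &
PS1='[$USER] '
curl -s http://example.invalid/check >/dev/null
"""

if __name__ == "__main__":
    for lineno, hits, line in scan_profile(SAMPLE_BASHRC):
        print(f"sample:{lineno}: {','.join(hits)}: {line}")
    # Scan the two files this page names, if they exist for the current user.
    for path in ("~/.profile", "~/.bashrc"):
        full = os.path.expanduser(path)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, hits, line in scan_profile(fh.read()):
                    print(f"{path}:{lineno}: {','.join(hits)}: {line}")
```

A static scan like this complements, but does not replace, watching for process execution and network connections at login time, since a profile can source another file that holds the actual commands.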

Module Configuration

  • the profile files to check, which will be modified if the module has permission to write to them
  • the format of the command that will be placed in the checked profile files
