
Shell Configuration Modified - *nix

Anvilogic Forge

Summary
This detection rule monitors modifications to Unix shell configuration files such as /etc/profile and ~/.bash_profile, which adversaries may use for persistence by embedding malicious commands in scripts that execute whenever a command-line session starts. Such modifications are often silent and can be made with benign commands (e.g., `echo`, `vi`, or `nano`); once in place, they let an adversary run a malicious payload automatically each time a user logs into the shell. The rule uses a SQL-like query over CrowdStrike Falcon Data Replicator (FDR) process events, matching patterns that indicate script alteration or suspicious command execution, so that persistence attempts can be identified early. Matching is restricted to events from the past two hours and to the Linux and macOS platforms, which keeps the rule focused on the shell configurations it targets. Capturing bash history when such a modification is detected gives threat detection and response teams additional context for analysis.
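The rule itself is described here only in prose. As an added illustration (not Anvilogic's query and not CrowdStrike's schema), the Python below applies the same filters, a two-hour window, Linux/macOS platform, and a command line that writes to a shell start-up file, to a handful of constructed FDR-like process events, and then collects the same user's other recent commands as a stand-in for the bash-history context mentioned above. The field names, the file list and the writer-tool list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Shell start-up files whose modification the rule flags (assumed list, not the vendor's).
CONFIG_FILE_RE = re.compile(
    r"/etc/profile\b|/etc/bash\.bashrc|\.bash_profile\b|\.bashrc\b|\.bash_login\b"
    r"|\.profile\b|\.zshrc\b|\.zshenv\b|\.zprofile\b"
)
# Tools that write a file in place; echo/printf count only when redirected with '>'.
WRITERS = {"vi", "vim", "nano", "emacs", "tee", "sed"}

def find_shell_config_edits(events, now, window=timedelta(hours=2)):
    """Linux/macOS events in the look-back window whose command line writes to a
    shell configuration file. Plain reads such as 'cat /etc/profile' are ignored."""
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["timestamp"])
        if not (now - window <= ts <= now):
            continue  # outside the two-hour window the rule uses
        if ev.get("event_platform") not in ("Lin", "Mac"):
            continue  # rule scope is Linux and macOS only
        cmd = ev.get("CommandLine", "")
        tool = (cmd.split() or [""])[0].rsplit("/", 1)[-1]  # '/usr/bin/sed ...' -> 'sed'
        if CONFIG_FILE_RE.search(cmd) and (tool in WRITERS or ">" in cmd):
            hits.append({"host": ev["ComputerName"], "user": ev["UserName"], "cmd": cmd})
    return hits

def recent_commands(events, hit, now, window=timedelta(hours=2)):
    """Other commands by the same user on the same host inside the window: a stand-in
    for the bash-history context the summary recommends collecting with each hit."""
    return [ev["CommandLine"] for ev in events
            if ev["ComputerName"] == hit["host"] and ev["UserName"] == hit["user"]
            and ev["CommandLine"] != hit["cmd"]
            and now - window <= datetime.fromisoformat(ev["timestamp"]) <= now]

FIELDS = ("timestamp", "event_platform", "ComputerName", "UserName", "CommandLine")
NOW = datetime.fromisoformat("2024-02-09T12:00:00")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [  # constructed, not real telemetry
    ("2024-02-09T11:29:00", "Lin", "host-a", "alice", "ls -la /home/alice"),
    ("2024-02-09T11:30:00", "Lin", "host-a", "alice", "echo \"alias ll='ls -la'\" >> /home/alice/.bashrc"),
    ("2024-02-09T11:45:00", "Lin", "host-b", "root", "vi /etc/profile"),
    ("2024-02-09T11:50:00", "Lin", "host-c", "bob", "cat /etc/profile"),  # read only: no hit
    ("2024-02-09T11:55:00", "Win", "host-d", "carol", "notepad .bashrc"),  # out-of-scope platform
    ("2024-02-09T06:00:00", "Mac", "host-e", "dave", "nano /Users/dave/.zshrc"),  # outside window
    ("2024-02-09T11:58:00", "Mac", "host-f", "erin", "/usr/bin/sed -i '' 's/a/b/' /Users/erin/.zprofile"),
]]

if __name__ == "__main__":
    for h in find_shell_config_edits(SAMPLE_EVENTS, NOW):
        print(h, "| context:", recent_commands(SAMPLE_EVENTS, h, NOW))
```

Running it flags the `echo`, `vi` and `sed` events and drops the read-only, Windows and stale ones; in a real deployment the SAMPLE_EVENTS list would be replaced by the FDR query result.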
Categories
  • Endpoint
  • Linux
  • macOS
Data Sources
  • Process
ATT&CK Techniques
  • T1546.004
Created: 2024-02-09