
Summary
This detection rule identifies modifications to Unix shell configuration files such as `/etc/profile`, `.bashrc`, `.zshrc` and similar files. These files are sourced every time a new login or interactive shell starts, so any command placed in them runs with the privileges of the user who opens the shell. Adversaries abuse this to establish persistence on a compromised host: a line appended to a profile file re-executes their payload whenever a user or administrator opens a shell, without a service, cron job or scheduled task to find. This behaviour maps to MITRE ATT&CK technique T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification). The rule uses the Linux `auditd` service to monitor a selected set of shell configuration paths that attackers commonly target for writes. Legitimate administrative or user edits to these files (package upgrades, dotfile managers, a user customising their prompt) will also trigger it, so each alert should be reviewed for the modifying process, the account involved and the content that was written. Regular review and auditing of these files remain essential so that a malicious change missed at alert time is not left in place indefinitely.
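The monitoring the summary describes, as an added worked example that is not the rule's own logic or the project's code: the `auditctl` watch rules that make auditd log writes to an assumed set of profile paths, and a small correlator that groups auditd SYSCALL, CWD and PATH records by event and flags writes to watched files. The watch list, the key name `shell_profile_mod` and the log lines are all constructed for the example; the original rule's exact path set is not reproduced here.

```python
import os
import re
from collections import defaultdict

# Assumed watch list for this example; the original rule's exact path set is not reproduced.
WATCHED_ABS = {"/etc/profile", "/etc/bash.bashrc", "/etc/bashrc",
               "/etc/zsh/zshrc", "/etc/zsh/zprofile", "/etc/zsh/zshenv"}
WATCHED_DIRS = {"/etc/profile.d"}  # any file beneath these is sourced at login
WATCHED_DOTFILES = {".bashrc", ".bash_profile", ".bash_login", ".bash_logout", ".profile",
                    ".zshrc", ".zprofile", ".zshenv", ".zlogin", ".zlogout"}
AUDIT_KEY = "shell_profile_mod"  # assumed rule key; any label works

def auditctl_rules(home_dirs):
    """auditctl lines that make auditd log write/attribute changes to the watch list.
    Watch rules need concrete paths, so per-user dotfiles are expanded from home_dirs."""
    rules = [f"-w {p} -p wa -k {AUDIT_KEY}" for p in sorted(WATCHED_ABS | WATCHED_DIRS)]
    for home in sorted(home_dirs):
        rules += [f"-w {os.path.join(home, n)} -p wa -k {AUDIT_KEY}" for n in sorted(WATCHED_DOTFILES)]
    return rules

def is_watched(path):
    """True if a normalised absolute path is a shell start-up file."""
    path = os.path.normpath(path)  # collapses tricks such as /etc/profile.d/../profile
    if path in WATCHED_ABS or path in WATCHED_DIRS:
        return True
    if any(path.startswith(d + "/") for d in WATCHED_DIRS):
        return True
    return os.path.basename(path) in WATCHED_DOTFILES

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_record(line):
    """Split one auditd line into a field dict; the timestamp:serial pair is the event id."""
    m = _MSG.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _TOKEN.findall(line)}
    rec["_event"] = f"{m.group(1)}:{m.group(2)}"
    return rec

def detect(lines):
    """Correlate SYSCALL, CWD and PATH records per event and return one alert for
    each successful syscall whose target (after resolving relative names against
    the CWD record) is a watched shell configuration file."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_event"]].append(rec)
    alerts = []
    for event_id, recs in events.items():
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("success") != "yes":
            continue  # failed attempts (e.g. EACCES) are skipped here; a hunter may want them
        cwd = next((r["cwd"] for r in recs if r.get("type") == "CWD"), "/")
        for r in recs:
            if r.get("type") != "PATH" or r.get("nametype") == "PARENT":
                continue
            name = r.get("name", "")
            if not name or name == "(null)":
                continue
            full = os.path.normpath(os.path.join(cwd, name))
            if is_watched(full):
                alerts.append({"event": event_id, "path": full, "nametype": r.get("nametype"),
                               "auid": syscall.get("auid"), "uid": syscall.get("uid"),
                               "comm": syscall.get("comm"), "exe": syscall.get("exe")})
    return alerts

# Constructed sample, not real telemetry: 101 appends to ~/.bashrc via a relative name,
# 102 drops a new file into /etc/profile.d, 103 is an unrelated write logged by some other
# rule, 104 is a failed attempt by www-data (uid 33) to write /etc/profile.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1678100000.101:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2a3b10 a2=441 a3=1b6 items=2 ppid=4100 pid=4123 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="shell_profile_mod"
type=CWD msg=audit(1678100000.101:101): cwd="/home/alice"
type=PATH msg=audit(1678100000.101:101): item=0 name="/home/alice" inode=262145 dev=08:01 mode=040750 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1678100000.101:101): item=1 name=".bashrc" inode=262201 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1678100010.202:102): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c8a2e2a0 a2=241 a3=1b6 items=2 ppid=5000 pid=5021 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="tee" exe="/usr/bin/tee" key="shell_profile_mod"
type=CWD msg=audit(1678100010.202:102): cwd="/root"
type=PATH msg=audit(1678100010.202:102): item=0 name="/etc/profile.d/" inode=131200 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1678100010.202:102): item=1 name="/etc/profile.d/99-update.sh" inode=131377 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1678100020.303:103): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2a3c20 a2=241 a3=1b6 items=2 ppid=4100 pid=4150 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key=(null)
type=CWD msg=audit(1678100020.303:103): cwd="/home/alice"
type=PATH msg=audit(1678100020.303:103): item=0 name="/home/alice" inode=262145 dev=08:01 mode=040750 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1678100020.303:103): item=1 name="notes.txt" inode=262300 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1678100030.404:104): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c2a3d30 a2=441 a3=1b6 items=1 ppid=900 pid=7331 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="shell_profile_mod"
type=CWD msg=audit(1678100030.404:104): cwd="/var/www"
type=PATH msg=audit(1678100030.404:104): item=0 name="/etc/profile" inode=131091 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

def run_example():
    return detect(SAMPLE_AUDIT_LOG.splitlines())

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running the block on the constructed log yields two alerts: the user-level append to `/home/alice/.bashrc` by `bash` and the root-level creation of `/etc/profile.d/99-update.sh` by `tee`; the unrelated write and the failed attempt are dropped. Two points worth carrying into a real deployment: `-p wa` records both content writes and attribute changes (ownership and mode), which is what you want for profile files, and auditd only supplies the `key` field when the write matched one of your rules, so the correlator matches on the resolved path rather than the key and therefore also works over logs collected with broader syscall auditing. The `auid` field (the login UID) survives `sudo` and `su`, and is the value to triage first when the `uid` is 0.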
Categories
- Linux
- Endpoint
- On-Premise
Data Sources
- File
- Process
- Sensor Health
Created: 2023-03-06