Technique on mitre.org

T1037.004: RC Scripts

Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution. Upon reboot, the system executes the script's contents as root, resulting in persistence.

Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.

Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd. This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts. To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_persistence: PT-CR-444: Unix_Init_Script_Modify: Files executed on OS boot were changed

Detection

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly constructed /etc/rc.local file

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly constructed processes and/or command-lines that execute /etc/rc.local if present.

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for changes made to files for unexpected modifications to RC scripts in the /etc/ directory

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments resulting from RC scripts for unusual or unknown applications or behavior

ID	Data source and component	Description
DS0022	File: File Creation	Monitor for newly constructed /etc/rc.local file
DS0009	Process: Process Creation	Monitor for newly constructed processes and/or command-lines that execute /etc/rc.local if present.
DS0022	File: File Modification	Monitor for changes made to files for unexpected modifications to RC scripts in the /etc/ directory
DS0017	Command: Command Execution	Monitor executed commands and arguments resulting from RC scripts for unusual or unknown applications or behavior

Mitigation

ID	M1022	Name	Restrict File and Directory Permissions	Description	Limit privileges of user accounts so only authorized users can edit the rc.common file.

ID	Name	Description
M1022	Restrict File and Directory Permissions	Limit privileges of user accounts so only authorized users can edit the rc.common file.