ID | Name |
---|---|
T1037.001 | Logon Script (Windows) |
T1037.002 | Login Hook |
T1037.003 | Network Logon Script |
T1037.004 | RC Scripts |
T1037.005 | Startup Items |
Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local
, rc.common
, and other RC scripts specific to the Unix-like distribution.[1][2] Upon reboot, the system executes the script's contents as root, resulting in persistence.
Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.[3]
Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd. [4][5] This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.[6] To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.[7]
ID | Name | Description |
---|---|---|
S0687 | Cyclops Blink |
Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.[8] |
S0690 | Green Lambert |
Green Lambert can add |
S0394 | HiddenWasp |
HiddenWasp installs reboot persistence by adding itself to |
S0278 | iKitten |
iKitten adds an entry to the rc.common file for persistence.[11] |
ID | Mitigation | Description |
---|---|---|
M1022 | Restrict File and Directory Permissions |
Limit privileges of user accounts so only authorized users can edit the rc.common file. |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
File Modification | ||
DS0009 | Process | Process Creation |
Monitor for unexpected changes to RC scripts in the /etc/
directory. Monitor process execution resulting from RC scripts for unusual or unknown applications or behavior.
Monitor for /etc/rc.local
file creation. Although types of RC scripts vary for each Unix-like distribution, several execute /etc/rc.local
if present.