Boot or Logon Initialization Scripts: RC Scripts

Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Adversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.[1][2] Upon reboot, the system executes the script's contents as root, resulting in persistence.

Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.[3]

Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd. [4][5] This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.[6] To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.[7]

ID: T1037.004
Sub-technique of:  T1037
Platforms: Linux, macOS
Permissions Required: root
Version: 2.0
Created: 15 January 2020
Last Modified: 27 April 2021

Procedure Examples

ID Name Description
S0687 Cyclops Blink

Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.[8]

S0690 Green Lambert

Green Lambert can add init.d and rc.d files in the /etc folder to establish persistence.[9][10]

S0394 HiddenWasp

HiddenWasp installs reboot persistence by adding itself to /etc/rc.local.[2]

S0278 iKitten

iKitten adds an entry to the rc.common file for persistence.[11]

Mitigations

ID Mitigation Description
M1022 Restrict File and Directory Permissions

Limit privileges of user accounts so only authorized users can edit the rc.common file.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
File Modification
DS0009 Process Process Creation

Monitor for unexpected changes to RC scripts in the /etc/ directory. Monitor process execution resulting from RC scripts for unusual or unknown applications or behavior.

Monitor for /etc/rc.local file creation. Although types of RC scripts vary for each Unix-like distribution, several execute /etc/rc.local if present.

References