EXPLORE

← Back to Explore

T1037.004

RC Scripts

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries may establish persistence by adding a malicious binary path or shell commands to <code>rc.local</code>, <code>rc.common</code>, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats K...

macOSLinuxNetwork DevicesESXi

11

Detections

2

Sources

3

Threat Actors

BY SOURCE

10elastic1splunk_escu

PROCEDURES (8)

Service3 detections

Auto-extracted: 3 detections for service

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Privilege1 detections

Auto-extracted: 1 detections for privilege

Service1 detections

Auto-extracted: 1 detections for service

Privilege1 detections

Auto-extracted: 1 detections for privilege

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Startup1 detections

Auto-extracted: 1 detections for startup

Startup1 detections

Auto-extracted: 1 detections for startup

THREAT ACTORS (3)

APT29 UNC3886 Velvet Ant

DETECTIONS (11)

Executable Bit Set for Potential Persistence Script

GenAI Process Accessing Sensitive Files

Linux File Creation In Init Boot Directory

Pod or Container Creation with Suspicious Command-Line

Potential Execution of rc.local Script

Potential Persistence via File Modification

Potential Suspicious File Edit

rc.local/rc.common File Creation

Suspicious Network Activity to the Internet by Previously Unknown Executable

Suspicious rc.local Error Message

System V Init Script Created