Boot or Logon Initialization Scripts: Rc.common
Other sub-techniques of Boot or Logon Initialization Scripts (5)
ID | Name |
---|---|
T1037.001 | Logon Script (Windows) |
T1037.002 | Logon Script (Mac) |
T1037.003 | Network Logon Script |
T1037.004 | Rc.common |
T1037.005 | Startup Items |
Adversaries may use rc.common, which is executed automatically during boot initialization, to establish persistence. During the boot process, macOS Startup Item scripts source /etc/rc.common, a shell script containing various utility functions. The file also defines routines for processing command-line arguments and for gathering system settings, which is why Apple recommends sourcing it at the start of every Startup Item script [1]. On macOS and OS X this mechanism is deprecated in favor of Launch Agents and Launch Daemons, but it is still in use.
Because the file is sourced by startup scripts running as root, any code an adversary adds to rc.common executes on every reboot with root privileges, which makes it a convenient place to hide persistence code [2].
Procedure Examples
Name | Description |
---|---|
iKitten | iKitten adds an entry to the rc.common file for persistence. [3] |
Mitigations
Mitigation | Description |
---|---|
Restrict File and Directory Permissions | Limit privileges of user accounts so only authorized users can edit the rc.common file. |
Detection
The /etc/rc.common file can be monitored for changes that deviate from company policy, for example by comparing it against a known-good baseline copy. Also monitor process execution that originates from the rc.common script (child processes of the startup shell that sourced it) for unusual or unknown applications or behavior.