Boot or Logon Initialization Scripts: Rc.common

Adversaries may use rc.common, which is sourced automatically during boot initialization, to establish persistence. During the boot process, macOS sources /etc/rc.common, a shell script that defines various utility functions, including routines for processing command-line arguments and for gathering system settings; for that reason Apple's documentation recommends sourcing it at the start of Startup Item scripts [1]. In macOS and OS X this mechanism is deprecated in favor of Launch Agents and Launch Daemons, but it is still present and still used.

Because the file is sourced by startup scripts that run with root privileges, adversaries can append code to rc.common to hide persistence that executes on every reboot as the root user [2].

ID: T1037.004
Sub-technique of: T1037
Tactics: Persistence, Privilege Escalation
Platforms: macOS
Permissions Required: root
Data Sources: File monitoring, Process monitoring
Version: 1.0
Created: 15 January 2020
Last Modified: 24 March 2020

Procedure Examples

Name: iKitten
Description: iKitten adds an entry to the rc.common file for persistence.[3]

Mitigations

Mitigation: Restrict File and Directory Permissions
Description: Limit privileges of user accounts so only authorized users can edit the rc.common file.

Detection

Monitor /etc/rc.common for modifications that deviate from company policy: compare the file's hash or contents against a known-good baseline, since legitimate changes to it are rare and normally come only from OS updates. Also monitor process execution originating from Startup Item scripts that source rc.common for unusual or unknown applications or behavior, for example interpreters, downloaders, or executables launched from user-writable directories at boot time.
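The baseline comparison described above, as an added example that is not part of the ATT&CK page or any vendor tool: it diffs the current rc.common against a known-good copy, reports every executable line that was added, and tags added lines that match indicators commonly seen in boot-time persistence stubs (downloaders, payload decoding, backgrounding, staging directories, interpreters). The baseline text, the appended lines, the indicator list, and the baseline path used at the bottom are constructed assumptions for illustration; tune the indicators to your fleet.

```python
"""Baseline-diff check for /etc/rc.common (added example, not ATT&CK content)."""
import hashlib
import re
import sys
from typing import Dict, List, Tuple

# Indicator patterns for appended persistence stubs (assumption: a starting
# list, not an exhaustive one).
SUSPICIOUS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("download", re.compile(r"\bcurl\b|\bwget\b")),
    ("decode", re.compile(r"\b(base64|openssl)\b.*-d\b")),
    ("background", re.compile(r"\bnohup\b|&\s*$")),
    ("staging_dir", re.compile(r"/tmp/|/Users/Shared/|/private/var/tmp/")),
    ("interpreter", re.compile(r"\bosascript\b|\bpython\b|\bperl\b")),
    ("chmod", re.compile(r"\bchmod\s+(\+x|[0-7]*[1357]\b)")),
]


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def added_lines(current: str, baseline: str) -> List[Tuple[int, str]]:
    """Return (line_no, line) for every executable line in `current` that is
    absent from `baseline`. Blank lines and pure comments are ignored because
    they cannot execute. A set membership test is enough: rc.common is a
    library of functions and an adversary only needs to append to it."""
    known = {line.rstrip() for line in baseline.splitlines()}
    found = []
    for n, raw in enumerate(current.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line not in known:
            found.append((n, line))
    return found


def check_rc_common(current: str, baseline: str) -> Dict:
    """Hash comparison plus per-line drift report with indicator tags."""
    findings = []
    for n, line in added_lines(current, baseline):
        hits = [name for name, pat in SUSPICIOUS if pat.search(line)]
        findings.append({"line_no": n, "line": line, "indicators": hits})
    return {"hash_matches": sha256(current) == sha256(baseline), "added": findings}


# Constructed, abridged stand-in for a known-good rc.common (not Apple's text).
BASELINE = """\
##
# Common setup for startup scripts (constructed, abridged for the example).
##
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec

CheckForNetwork()
{
    [ -z "${NETWORKUP:=}" ] && NETWORKUP="-YES-"
}
"""

# Constructed "current" file: one benign drift line and one appended stub that
# backgrounds a binary from a user-writable directory at boot.
CURRENT = BASELINE + """\
export LANG=en_US.UTF-8
# system update
/usr/bin/nohup /Users/Shared/.agent >/dev/null 2>&1 &
"""

REPORT = check_rc_common(CURRENT, BASELINE)


def main(argv: List[str]) -> int:
    """Usage: rc_common_check.py /etc/rc.common /path/to/baseline.rc.common
    (paths are assumptions; with no arguments the constructed sample is used)."""
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as f_cur, open(argv[2], encoding="utf-8") as f_base:
            report = check_rc_common(f_cur.read(), f_base.read())
    else:
        report = REPORT
    print("hash matches baseline:", report["hash_matches"])
    for item in report["added"]:
        tags = ",".join(item["indicators"]) or "no indicators"
        print(f"line {item['line_no']}: [{tags}] {item['line']}")
    return 1 if report["added"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Any added line is reported, even one without indicators, because the point of the baseline is that rc.common should not change at all outside an OS update; the indicator tags only help triage which drift to look at first. Run it from a scheduled job or an FIM hook and keep the baseline copy somewhere the root account on the monitored host cannot rewrite.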

References