Detection of modified or newly created /etc/rc.local or /etc/init.d scripts followed by suspicious execution during system startup.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Script Execution (DC0029) | linux:syslog | boot logs |

| Field | Description |
|---|---|
| script_path | Path of the init script (e.g., /etc/rc.local, /etc/init.d/*); varies by distribution |
| user_context | Root vs. non-root modification context, depending on configuration |
| time_window | Tuning window for script creation or modification relative to system boot |

Detection of edits or additions to /etc/rc.common, /Library/StartupItems, or /System/Library/StartupItems and associated script execution during login or reboot.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process events |
| File Creation (DC0039) | fs:fsusage | file activity |

| Field | Description |
|---|---|
| script_name | Name of the script or LaunchDaemon plist; tunable across environments |
| event_interval | Time window between modification and the next reboot or login |
| file_permission | Permissions on modified RC files can vary between systems |

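The two analytics above both hinge on the same correlation: an rc script is executed (here, seen as an auditd SYSCALL/EXECVE pair), and the script was created or modified shortly before the boot that ran it. The following added example (written for this page, not MITRE's or any vendor's code) parses constructed auditd lines, correlates the SYSCALL and EXECVE records by serial, reports executions of watched rc scripts with whether they fell inside the post-boot window, and provides the modification-to-boot check that the Linux time_window and macOS event_interval elements describe. The watch-list paths, the 300 s boot window, the 24 h lookback and all sample records are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Watch list for the script_path element; an assumption to tune per distribution.
RC_SCRIPT_PATTERNS = (
    re.compile(r"^/etc/rc\.local$"),
    re.compile(r"^/etc/rc\.d/rc\.local$"),
    re.compile(r"^/etc/init\.d/[^/]+$"),
)

# auditd record header: type=SYSCALL msg=audit(<epoch>.<ms>:<serial>): key=value ...
AUDIT_HDR = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one auditd line into (type, timestamp, serial, {field: value}); None if not audit."""
    m = AUDIT_HDR.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in KV.finditer(m.group("body")):
        key, quoted, bare = kv.groups()
        fields[key] = quoted if quoted is not None else bare
    return m.group("type"), float(m.group("ts")), int(m.group("serial")), fields


def is_rc_script(path):
    return any(p.match(path) for p in RC_SCRIPT_PATTERNS)


def find_rc_executions(lines, boot_ts, window_sec=300):
    """Correlate SYSCALL+EXECVE records by serial and report executions of rc scripts.

    A run inside the post-boot window is what init-driven execution looks like; a run
    outside it is a manual re-invocation that deserves a closer look.
    """
    events = defaultdict(dict)
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        events[serial]["ts"] = ts
        events[serial][rtype] = fields

    hits = []
    for serial in sorted(events):
        ev = events[serial]
        execve = ev.get("EXECVE")
        syscall = ev.get("SYSCALL", {})
        if not execve:
            continue
        # EXECVE carries argv as a0..aN; order them numerically before inspecting.
        arg_keys = sorted((k for k in execve if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
        script = next((execve[k] for k in arg_keys if is_rc_script(execve[k])), None)
        if script is None:
            continue
        delta = ev["ts"] - boot_ts
        hits.append({
            "serial": serial,
            "script": script,
            "uid": syscall.get("uid"),
            "ppid": syscall.get("ppid"),
            "seconds_after_boot": round(delta, 3),
            "within_boot_window": 0 <= delta <= window_sec,
        })
    return hits


def modified_shortly_before_boot(mtime, boot_ts, lookback_sec=86400):
    """time_window / event_interval element: True if the script changed within lookback_sec before boot."""
    return boot_ts - lookback_sec <= mtime <= boot_ts


# Constructed sample: a boot at BOOT_TS, rc.local run by init (ppid=1) 78 s later,
# an unrelated sshd execve, and an init.d script re-run by a non-root user hours later.
BOOT_TS = 1712345600.0
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1712345678.123:456): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=812 auid=4294967295 uid=0 gid=0 comm="sh" exe="/usr/bin/dash" key="rc_exec"',
    'type=EXECVE msg=audit(1712345678.123:456): argc=2 a0="/bin/sh" a1="/etc/rc.local"',
    'type=SYSCALL msg=audit(1712345690.500:457): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=840 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="rc_exec"',
    'type=EXECVE msg=audit(1712345690.500:457): argc=1 a0="/usr/sbin/sshd"',
    'type=SYSCALL msg=audit(1712352000.000:900): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2345 pid=2401 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key="rc_exec"',
    'type=EXECVE msg=audit(1712352000.000:900): argc=2 a0="/bin/bash" a1="/etc/init.d/example-svc"',
]

if __name__ == "__main__":
    for hit in find_rc_executions(SAMPLE_AUDIT_LINES, BOOT_TS):
        print(hit)
    # Constructed mtime: rc.local written two hours before the boot above.
    print(modified_shortly_before_boot(BOOT_TS - 7200, BOOT_TS))
```

The serial-based correlation matters because the SYSCALL record carries uid/ppid (the user_context element) while only the EXECVE record carries the script path; neither alone is enough to decide whether a given run is init at boot or a user re-running the script later.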
Detection of changes to /etc/rc.local.d/local.sh or rc.local during post-boot script execution with abnormal commands or additions.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:syslog | boot logs |
| File Modification (DC0061) | esxi:shell | admin command usage |

| Field | Description |
|---|---|
| script_section | Script section edited by the adversary (beginning, end, inline); tunable |
| command_type | Nature of the embedded command or payload; affects detection scope |
| execution_trigger | Boot-time execution vs. manual re-invocation of the script |

Detection of modified boot-time configuration scripts that persist malicious CLI commands across reboots.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | networkdevice:syslog | startup-config |
| Command Execution (DC0064) | networkdevice:syslog | system boot logs |

| Field | Description |
|---|---|
| firmware_family | Device type or OS determines the init script location |
| config_line_pattern | Regex or pattern-matching approach used to detect suspicious CLI lines |
| reboot_time_window | Time window between the config change and the first boot after it |
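The ESXi and network-device analytics above share one mechanic: diff the current boot-time script or startup-config against a known-good baseline, note where in the file the additions landed (script_section), and run each added line through a pattern set (config_line_pattern / command_type). The following added example (written for this page, not MITRE's or any vendor's code) implements that for both a constructed ESXi local.sh and a constructed IOS-style startup-config; the pattern sets are illustrative assumptions, not a vetted rule set, and the sample configurations and the two-line "edge" used to classify sections are likewise constructed.

```python
import difflib
import re

# Illustrative pattern sets (assumptions to tune per platform), keyed by firmware_family.
SUSPICIOUS_PATTERNS = {
    "esxi_local_sh": [
        re.compile(r"\b(nc|ncat|python|perl|wget|curl)\b"),  # interpreters / downloaders
        re.compile(r"/(tmp|store|vmfs/volumes)/\S*\.sh\b"),  # scripts staged on datastores
        re.compile(r"\bchmod\b.*\+x"),                        # making staged files executable
    ],
    "ios_startup_config": [
        re.compile(r"^\s*event manager applet\b"),            # EEM applet definitions
        re.compile(r"^\s*action \S+ cli command\b"),          # EEM actions that run CLI
        re.compile(r"^\s*kron (policy-list|occurrence)\b"),   # scheduled command lists
        re.compile(r"\b(tftp|ftp|http)://"),                  # remote fetches in config
    ],
}


def added_lines(baseline, current):
    """Return (1-based line number in current, text) for lines not present in the baseline."""
    out = []
    matcher = difflib.SequenceMatcher(None, baseline, current, autojunk=False)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            out.extend((j + 1, current[j]) for j in range(j1, j2))
    return out


def script_section(line_no, total_lines, edge=2):
    """script_section element: classify where in the file an edit landed."""
    if line_no <= edge:
        return "beginning"
    if line_no > total_lines - edge:
        return "end"
    return "inline"


def flag_config_changes(baseline_text, current_text, platform):
    """Diff two snapshots and annotate every added line with its section and pattern hits."""
    baseline = baseline_text.splitlines()
    current = current_text.splitlines()
    findings = []
    for line_no, text in added_lines(baseline, current):
        matched = [p.pattern for p in SUSPICIOUS_PATTERNS[platform] if p.search(text)]
        findings.append({
            "line": line_no,
            "text": text.strip(),
            "section": script_section(line_no, len(current)),
            "suspicious": bool(matched),
            "matched": matched,
        })
    return findings


# Constructed ESXi local.sh: baseline is comments plus "exit 0"; the current copy has one
# command inserted just before the exit, which is the classic placement for this file.
LOCAL_SH_BASELINE = """#!/bin/sh

# local configuration options

# Note: modify at your own risk!  Changes are not supported unless
# under direction of VMware support.

exit 0
"""
LOCAL_SH_CURRENT = LOCAL_SH_BASELINE.replace("\nexit 0", "\n/bin/sh /store/.cache/update.sh &\nexit 0")

# Constructed IOS-style startup-config: one benign addition (ntp) and one EEM applet.
IOS_BASELINE = """version 15.2
hostname edge-rtr-1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""
IOS_CURRENT = IOS_BASELINE.replace(
    "hostname edge-rtr-1\n", "hostname edge-rtr-1\nntp server 192.0.2.10\n"
).replace(
    "!\nend", '!\nevent manager applet example-applet\n event timer watchdog time 300\n'
              ' action 1.0 cli command "enable"\n!\nend'
)

if __name__ == "__main__":
    for f in flag_config_changes(LOCAL_SH_BASELINE, LOCAL_SH_CURRENT, "esxi_local_sh"):
        print("local.sh", f)
    for f in flag_config_changes(IOS_BASELINE, IOS_CURRENT, "ios_startup_config"):
        print("startup-config", f)
```

Diffing against a baseline rather than scanning the whole file keeps the pattern set small and the alert rate low: a long-standing `event manager applet` that operators placed deliberately never becomes an "added" line, while a benign addition such as the ntp line above is still recorded (with `suspicious` false) so the change itself can be tied to the reboot_time_window element by whoever reviews it.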