1. Home
  2. Techniques
  3. Enterprise
  4. Boot or Logon Initialization Scripts
  5. RC Scripts

Boot or Logon Initialization Scripts: RC Scripts

ID Name
T1037.001 Logon Script (Windows)
T1037.002 Login Hook
T1037.003 Network Logon Script
T1037.004 RC Scripts
T1037.005 Startup Items

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Adversaries may establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.[1][2] Upon reboot, the system executes the script's contents as root, resulting in persistence.

Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.[3] As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging /etc/rc.local.d/local.sh is one of the few mechanisms for enabling persistence across reboots.[4]

Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd.[5][6] This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.[7] To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.[8]

ID: T1037.004
Sub-technique of:  T1037
Platforms: ESXi, Linux, Network Devices, macOS
Version: 2.2
Created: 15 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0016 APT29

APT29 has installed a run command on a compromised system to enable malware execution on system startup.[9]
S0687 Cyclops Blink

Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.[10]
S0690 Green Lambert

Green Lambert can add init.d and rc.d files in the /etc folder to establish persistence.[11][12]

S0394 HiddenWasp

HiddenWasp installs reboot persistence by adding itself to /etc/rc.local.[2]
S0278 iKitten

iKitten adds an entry to the rc.common file for persistence.[13]
G1048 UNC3886

UNC3886 has placed a bash installation script into /etc/rc.local.d/ to establish persistence.[14]
G1047 Velvet Ant

Velvet Ant used a modified /etc/rc.local file on compromised F5 BIG-IP devices to maintain persistence.[15]

Mitigations

ID Mitigation Description
M1022 Restrict File and Directory Permissions

Limit privileges of user accounts so only authorized users can edit the rc.common file.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0237 Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts AN0658

Detection of modified or newly created /etc/rc.local or /etc/init.d scripts followed by suspicious execution during system startup.
AN0659

Detection of edits or additions to /etc/rc.common, /Library/StartupItems, or /System/Library/StartupItems and associated script execution during login or reboot.
AN0660

Detection of changes to /etc/rc.local.d/local.sh or rc.local during post-boot script execution with abnormal commands or additions.
AN0661

Detection of modified boot-time configuration scripts that persist malicious CLI commands across reboots.

References

  1. Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.
  2. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  3. Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.
  4. Asher Langton. (2022, December 9). A Custom Python Backdoor for VMWare ESXi Servers. Retrieved March 26, 2025.
  5. Apple. (2016, September 13). Daemons and Services Programming Guide - Creating Launch Daemons and Agents. Retrieved February 24, 2021.
  6. Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017.
  7. Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
  8. Canonical Ltd.. (n.d.). systemd-rc-local-generator - Compatibility generator for starting /etc/rc.local and /usr/sbin/halt.local during boot and shutdown. Retrieved February 23, 2021.
  1. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  2. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  3. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  4. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved November 17, 2024.
  5. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  6. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
  7. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.