Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
Adversaries can establish persistence by adding a malicious binary path or shell commands to
rc.common, and other RC scripts specific to the Unix-like distribution. Upon reboot, the system executes the script's contents as root, resulting in persistence.
Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.
Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd.  This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts. To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.
|M1022||Restrict File and Directory Permissions||
Limit privileges of user accounts so only authorized users can edit the rc.common file.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments resulting from RC scripts for unusual or unknown applications or behavior
Monitor for newly constructed /etc/rc.local file
Monitor for changes made to files for unexpected modifications to RC scripts in the /etc/ directory
Monitor for newly constructed processes and/or command-lines that execute /etc/rc.local if present.