JUST RELEASED: ATT&CK for Industrial Control Systems

Rc.common

During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts [1]. In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.

Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user [2].

ID: T1163
Tactic: Persistence
Platform: macOS
Permissions Required: root
Data Sources: File monitoring, Process monitoring
Version: 1.0
Created: 14 December 2017
Last Modified: 18 July 2019

Procedure Examples

Name Description
iKitten

iKitten adds an entry to the rc.common file for persistence.[3]

Mitigations

Mitigation Description
User Account Management

Limit privileges of user accounts so only authorized users can edit the rc.common file.

Detection

The /etc/rc.common file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior.

References