Register to stream ATT&CKcon 2.0 October 29-30

Rc.common

During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts [1]. In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.

Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user [2].

ID: T1163
Tactic: Persistence
Platform: macOS
Permissions Required: root
Data Sources: File monitoring, Process monitoring
Version: 1.0

Mitigations

Mitigation Description
User Account Management Limit privileges of user accounts so only authorized users can edit the rc.common file.

Examples

Name Description
iKitten iKitten adds an entry to the rc.common file for persistence. [3]

Detection

The /etc/rc.common file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior.

References