Rc.common

From enterprise
Jump to: navigation, search
Rc.common
Technique
ID T1163
Tactic Persistence
Platform Linux, MacOS, OS X
Permissions Required root
Data Sources File monitoring, Process Monitoring

During the boot process, macOS and Linux both execute source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts1. In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.

Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user2.

Mitigation

Limit privileges of user accounts so only authorized users can edit the rc.common file.

Detection

The /etc/rc.common file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior.