Description
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
Adversaries may establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.
Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.(Citation: intezer-kaiji-malware) As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging /etc/rc.local.d/local.sh is one of the few mechanisms for enabling persistence across reboots.(Citation: Juniper Networks ESXi Backdoor 2022)
Several Unix-like systems have moved to systemd and deprecated the use of RC scripts. macOS has likewise deprecated this mechanism in favor of launchd.(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) The technique still works on Mac OS X Panther v10.3 and earlier versions, which execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility, some systemd-based systems, such as Ubuntu, still execute /etc/rc.local at boot if the file exists and is executable; a non-executable rc.local is ignored.(Citation: Ubuntu Manpage systemd rc)
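The following audit script is an added example and is not part of the ATT&CK entry or of any report it cites. It checks the RC script locations named above, applies the Ubuntu condition that rc.local only runs when it is executable, checks that the file is not writable by unprivileged users (the M1022 mitigation), and lists the command lines an adversary could have appended, flagging a few indicators. The indicator patterns and the sample file contents are assumptions constructed for this example.

```python
"""Audit Unix RC scripts for boot-time persistence (added example)."""
import os
import re
import stat
import tempfile

# RC script locations named in the technique description. audit_host() checks
# the real ones; demo() audits constructed copies in a temp directory.
RC_SCRIPT_PATHS = [
    "/etc/rc.local",             # Debian/Ubuntu, run via systemd-rc-local-generator
    "/etc/rc.common",            # legacy macOS (10.3 and earlier)
    "/etc/rc.local.d/local.sh",  # ESXi: one of the few reboot-persistent hooks
]

# Heuristics for lines that rarely belong in a stock RC script. These are this
# example's assumptions, not a complete or vendor-supplied indicator list.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"/(tmp|dev/shm|var/tmp)/"), "runs from a world-writable directory"),
    (re.compile(r"/\.[^/\s]"), "references a hidden path component"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a download into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes an embedded payload"),
    (re.compile(r"\bnohup\b|&\s*$"), "backgrounds a process"),
    (re.compile(r"\b(nc|ncat|socat)\b"), "invokes a network tool"),
]


def command_lines(text):
    """Lines that would actually execute: skip blanks, comments (including the
    shebang) and the conventional trailing `exit N`."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.fullmatch(r"exit\s+\d+", line):
            continue
        out.append((n, line))
    return out


def audit_rc_script(path):
    """Describe whether `path` would run at boot and what it would run."""
    result = {"path": path, "exists": False, "runs_at_boot": False,
              "writable_by_nonowner": False, "commands": [], "findings": []}
    if not os.path.isfile(path):
        return result
    st = os.stat(path)
    result["exists"] = True
    # Ubuntu's compatibility generator only starts rc.local if it is executable,
    # so a non-executable file is inert even when its content is malicious.
    result["runs_at_boot"] = bool(st.st_mode & stat.S_IXUSR)
    # M1022: only authorized (root) users should be able to edit the script.
    result["writable_by_nonowner"] = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    if result["writable_by_nonowner"]:
        result["findings"].append((0, "writable by group or others", ""))
    with open(path, encoding="utf-8", errors="replace") as fh:
        result["commands"] = command_lines(fh.read())
    for n, line in result["commands"]:
        for pattern, why in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                result["findings"].append((n, why, line))
    return result


def audit_host(paths=RC_SCRIPT_PATHS):
    """Audit the real RC script locations on this host."""
    return [audit_rc_script(p) for p in paths]


# Constructed sample contents for the demo (not taken from any real incident).
STOCK_RC_LOCAL = "#!/bin/sh -e\n# rc.local: executed at the end of each multiuser runlevel.\nexit 0\n"
MODIFIED_RC_LOCAL = "#!/bin/sh -e\n# rc.local\n/tmp/.cache/agent &\nexit 0\n"
MODIFIED_ESXI_LOCAL_SH = "#!/bin/sh\n# local configuration options\nsh /etc/rc.local.d/.installer.sh\nexit 0\n"


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "stock_rc_local": (STOCK_RC_LOCAL, 0o755),
            "modified_rc_local": (MODIFIED_RC_LOCAL, 0o755),
            "modified_local_sh": (MODIFIED_ESXI_LOCAL_SH, 0o775),  # group-writable
            "inert_rc_local": (MODIFIED_RC_LOCAL, 0o644),          # not executable
        }
        for name, (content, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            os.chmod(path, mode)
            results[name] = audit_rc_script(path)
        results["missing"] = audit_rc_script(os.path.join(tmp, "rc.common"))
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: runs_at_boot={r['runs_at_boot']} findings={len(r['findings'])}")
        for n, why, line in r["findings"]:
            print(f"  line {n}: {why}: {line}")
```

On a real host, `audit_host()` walks the three default paths; extend `RC_SCRIPT_PATHS` with the distribution's `/etc/init.d` and `/etc/rc*.d` entries to cover the `init.d`/`rc.d` variant listed in the software table. The `inert_rc_local` sample shows why the executable bit matters on systemd hosts: the same malicious content scores the same findings but would never run, so the finding is a tampering indicator rather than active persistence.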
Mitigations (1)
M1022 Restrict File and Directory Permissions
Limit the privileges of user accounts so that only authorized users can edit RC scripts such as rc.common and rc.local.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) used a modified `/etc/rc.local` file on compromised F5 BIG-IP devices to maintain persistence.(Cit... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has placed a bash installation script into `/etc/rc.local.d/` to establish persistence.(Citation: Goo... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has installed a run command on a compromised system to enable malware execution on system startup.(Cita... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0394 | HiddenWasp | Malware | [HiddenWasp](https://attack.mitre.org/software/S0394) installs reboot persistence by adding itself to `/etc/rc.local`.(Citation: Intezer Hi... |
| S0690 | Green Lambert | Malware | [Green Lambert](https://attack.mitre.org/software/S0690) can add `init.d` and `rc.d` files in the `/etc` folder to es... |
| S0687 | Cyclops Blink | Malware | [Cyclops Blink](https://attack.mitre.org/software/S0687) has the ability to execute on device startup, using a modified RC script named S51armled.(Cit... |
| S0278 | iKitten | Malware | [iKitten](https://attack.mitre.org/software/S0278) adds an entry to the rc.common file for persistence.(Citation: objsee mac malware 2017) |
References
- Apple. (2016, September 13). Daemons and Services Programming Guide - Creating Launch Daemons and Agents. Retrieved February 24, 2021.
- Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017.
- Asher Langton. (2022, December 9). A Custom Python Backdoor for VMWare ESXi Servers. Retrieved March 26, 2025.
- Canonical Ltd. (n.d.). systemd-rc-local-generator - Compatibility generator for starting /etc/rc.local and /usr/sbin/halt.local during boot and shutdown. Retrieved February 23, 2021.
- Iran Threats. (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.
- Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.
- Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
Frequently Asked Questions
What is T1037.004 (RC Scripts)?
T1037.004 is a MITRE ATT&CK technique named 'RC Scripts'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at start...
How can T1037.004 be detected?
Detection of T1037.004 (RC Scripts) centers on the files themselves and on what they spawn at boot. Monitor for unexpected modifications to RC scripts under /etc (for example /etc/rc.local, /etc/rc.common, /etc/rc.local.d/local.sh, and entries in /etc/init.d and /etc/rc*.d) with file integrity monitoring or audit rules, and compare them against a known-good baseline. Monitor process execution that originates from RC scripts during startup for unknown or unusual applications, and treat a newly executable rc.local on a systemd host as notable, since that is the condition under which it runs. Feed these events into SIEM or EDR rules so that changes can be correlated with the user or process that made them.
What mitigations exist for T1037.004?
There is 1 documented mitigation for T1037.004: Restrict File and Directory Permissions (M1022).
Which threat groups use T1037.004?
Known threat groups using T1037.004 include: Velvet Ant, UNC3886, APT29.