T1037.004

RC Scripts

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries may add malicious binary paths or shell commands to rc.local, rc.common, and other RC scripts. Upon reboot, the system executes the script's contents as root, resulting in persistence. This technique is especially effective on ESXi hypervisors, IoT devices, and embedded systems. Notable threat actors using this technique include HiddenWasp, UNC3886, APT29, Velvet Ant, Green Lambert, Cyclops Blink, and iKitten.

Microsoft Sentinel / Defender

kusto

let RCScriptPaths = dynamic([
  "/etc/rc.local",
  "/etc/rc.common",
  "/etc/rc.d/",
  "/etc/init.d/",
  "/etc/rc.local.d/",
  "/etc/rc.local.d/local.sh",
  "/etc/rc0.d/",
  "/etc/rc1.d/",
  "/etc/rc2.d/",
  "/etc/rc3.d/",
  "/etc/rc4.d/",
  "/etc/rc5.d/",
  "/etc/rc6.d/"
]);
let SuspiciousWriteProcesses = dynamic([
  "bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby",
  "curl", "wget", "nc", "netcat", "ncat", "tee", "dd"
]);
union
(
  DeviceFileEvents
  | where Timestamp > ago(24h)
  | where ActionType in ("FileCreated", "FileModified")
  | where FolderPath has_any (RCScriptPaths) or FileName in ("rc.local", "rc.common", "local.sh")
  | extend RiskReason = "RC script file created or modified"
),
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where ProcessCommandLine has_any (RCScriptPaths)
  | where ProcessCommandLine has_any ("echo", "tee", "cat", "sed", "awk", ">>")
  | where FileName has_any (SuspiciousWriteProcesses)
  | extend RiskReason = "Process writing to RC script path"
)
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessCommandLine, RiskReason
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

System administrators legitimately modifying rc.local to add startup services or mount points during system configuration
Package managers (apt, yum, rpm) writing init.d scripts during legitimate software installation
Configuration management tools (Ansible, Chef, Puppet, SaltStack) modifying RC scripts as part of automated provisioning
Monitoring agents or security tools that add themselves to rc.local during installation
ESXi administrators modifying local.sh to set persistent host configurations

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "file" and
    event.type in ("creation", "change") and
    (
      file.path like~ "/etc/rc.local" or
      file.path like~ "/etc/rc.common" or
      file.path like~ "/etc/rc.d/*" or
      file.path like~ "/etc/init.d/*" or
      file.path like~ "/etc/rc.local.d/*" or
      file.path like~ "/etc/rc0.d/*" or
      file.path like~ "/etc/rc1.d/*" or
      file.path like~ "/etc/rc2.d/*" or
      file.path like~ "/etc/rc3.d/*" or
      file.path like~ "/etc/rc4.d/*" or
      file.path like~ "/etc/rc5.d/*" or
      file.path like~ "/etc/rc6.d/*" or
      file.name in ("rc.local", "rc.common", "local.sh")
    )
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.name in ("bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby", "curl", "wget", "nc", "netcat", "ncat", "tee", "dd") and
    (
      process.args like~ "*/etc/rc.local*" or
      process.args like~ "*/etc/rc.common*" or
      process.args like~ "*/etc/rc.d/*" or
      process.args like~ "*/etc/init.d/*" or
      process.args like~ "*/etc/rc.local.d/*"
    ) and
    (
      process.args : "echo" or process.args : "tee" or process.args : "cat" or
      process.args : "sed" or process.args : "awk" or process.args : ">>"
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat (file_integrity module) Filebeat (auditd module) OSQuery logs via Elastic Agent

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* auditbeat-*

False Positives

System administrators legitimately editing /etc/rc.local or /etc/init.d/ scripts during maintenance windows or software deployments
Package managers (apt, yum, dpkg) creating or modifying init.d service scripts as part of software installation
Configuration management tools (Ansible, Puppet, Chef, SaltStack) writing startup scripts as part of automated provisioning workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "HOSTNAME" AS host_name,
  "FILEPATH" AS file_path,
  "COMMAND" AS process_command,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  CASE
    WHEN REGEXP_MATCH(COALESCE("FILEPATH", ""), '(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/|local\.sh)')
      THEN 'RC Script File Modified'
    WHEN REGEXP_MATCH(COALESCE("COMMAND", ""), '(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/)')
      AND REGEXP_MATCH(COALESCE("COMMAND", ""), '(echo|tee|cat|sed|awk|dd|wget|curl|python|perl|bash|sh).*>>')
      THEN 'Process Writing to RC Script Path'
    ELSE 'RC Script Interaction'
  END AS risk_reason,
  CASE
    WHEN REGEXP_MATCH(COALESCE("COMMAND", ""), '(/tmp/|/dev/shm/|/var/tmp/|/run/)')
      THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS risk_level
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 20, 40) -- Linux/Unix syslog, auditd, Linux OS
  AND devicetime > (NOW() - 86400000)
  AND (
    REGEXP_MATCH(COALESCE("FILEPATH", ""), '(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/|local\.sh)')
    OR
    (
      REGEXP_MATCH(COALESCE("COMMAND", ""), '(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/)')
      AND REGEXP_MATCH(COALESCE("COMMAND", ""), '(echo|tee|cat|sed|awk|dd|wget|curl|python|perl|bash|sh)')
    )
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Linux syslog (QRadar DSM) Unix auditd log source Linux OS QRadar DSM OSSEC/Wazuh forwarded to QRadar

Required Tables

events

False Positives

Legitimate system initialization scripts modified by the root user during planned OS patching or reconfiguration activities
Software installers (e.g., VMware Tools, open-vm-tools) that write to /etc/rc.local.d/ on ESXi or Linux VMs as part of their setup
Automated configuration management platforms writing init scripts during provisioning

Sumo Logic CSE

sql

(_sourceCategory="linux/syslog" OR _sourceCategory="linux/auditd" OR _sourceCategory="linux/secure" OR _sourceCategory="osquery")
| parse field=_raw "*" as raw_message
| if (isNull(file_path), "/", file_path) as file_path
| if (isNull(process_cmd), "", process_cmd) as process_cmd
| if (isNull(user), if(isNull(acct), "unknown", acct), user) as user
| if (isNull(hostname), if(isNull(host), "unknown", host), hostname) as host_name
| where
    (
      file_path matches "/etc/rc.local*" OR
      file_path matches "/etc/rc.common*" OR
      file_path matches "/etc/rc.d/*" OR
      file_path matches "/etc/init.d/*" OR
      file_path matches "/etc/rc.local.d/*" OR
      file_path matches "*/rc0.d/*" OR
      file_path matches "*/rc1.d/*" OR
      file_path matches "*/rc2.d/*" OR
      file_path matches "*/rc3.d/*" OR
      file_path matches "*/rc4.d/*" OR
      file_path matches "*/rc5.d/*" OR
      file_path matches "*/rc6.d/*" OR
      file_path matches "*rc.local" OR
      file_path matches "*rc.common" OR
      file_path matches "*local.sh"
    )
    OR
    (
      (
        process_cmd matches "*/etc/rc.local*" OR
        process_cmd matches "*/etc/rc.d/*" OR
        process_cmd matches "*/etc/init.d/*" OR
        process_cmd matches "*/etc/rc.local.d/*"
      )
      AND
      (
        process_cmd matches "*echo*>>*" OR
        process_cmd matches "*tee*" OR
        process_cmd matches "*cat*>>*" OR
        process_cmd matches "*sed*-i*" OR
        process_cmd matches "*awk*"
      )
    )
| eval rc_file_modified = if(
    file_path matches "/etc/rc.local*" OR
    file_path matches "/etc/rc.d/*" OR
    file_path matches "/etc/init.d/*" OR
    file_path matches "/etc/rc.local.d/*",
    1, 0)
| eval suspicious_write = if(
    process_cmd matches "*(echo|tee|cat|sed|awk|dd|wget|curl|python|perl|bash|sh)*>>*",
    1, 0)
| eval temp_binary = if(
    process_cmd matches "*(/tmp/|/dev/shm/|/var/tmp/|/run/)*",
    1, 0)
| eval risk_score = rc_file_modified + suspicious_write + temp_binary
| table _messageTime, host_name, user, file_path, process_cmd, rc_file_modified, suspicious_write, temp_binary, risk_score, _sourceCategory
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Linux syslog collector Sumo Logic auditd source Sumo Logic OSQuery integration Sumo Logic Cloud SIEM (CSE) normalized Linux events

Required Tables

_sourceCategory=linux/syslog _sourceCategory=linux/auditd _sourceCategory=linux/secure _sourceCategory=osquery

False Positives

System administrators using sed or echo to modify /etc/rc.local as part of documented change control for startup service configuration
Software packages that register services by appending startup commands to /etc/rc.local during installation (common on older RHEL/CentOS systems)
Security tools or EDR agents that inspect or read RC script contents as part of file integrity monitoring

Google Chronicle / SecOps

yaral

rule t1037_004_rc_script_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects RC script persistence via file modification or process-based writes to Unix startup script paths (T1037.004)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1037.004"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1037/004/"
    created = "2026-04-16"

  events:
    (
      // File write to RC script paths
      (
        $e.metadata.event_type = "FILE_CREATION" or
        $e.metadata.event_type = "FILE_MODIFICATION"
      ) and
      (
        re.regex($e.target.file.full_path, `/etc/rc\.local`) or
        re.regex($e.target.file.full_path, `/etc/rc\.common`) or
        re.regex($e.target.file.full_path, `/etc/rc\.d/`) or
        re.regex($e.target.file.full_path, `/etc/init\.d/`) or
        re.regex($e.target.file.full_path, `/etc/rc\.local\.d/`) or
        re.regex($e.target.file.full_path, `/etc/rc[0-6]\.d/`) or
        $e.target.file.names = "rc.local" or
        $e.target.file.names = "rc.common" or
        $e.target.file.names = "local.sh"
      )
    ) or
    (
      // Process writing to RC script paths via shell redirect or tee
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      $e.principal.process.command_line != "" and
      (
        re.regex($e.principal.process.command_line, `/etc/rc\.local`) or
        re.regex($e.principal.process.command_line, `/etc/rc\.d/`) or
        re.regex($e.principal.process.command_line, `/etc/init\.d/`) or
        re.regex($e.principal.process.command_line, `/etc/rc\.local\.d/`)
      ) and
      re.regex($e.principal.process.command_line, `(echo|tee|cat|sed|awk|dd|wget|curl|python3?|perl|bash|sh)`) and
      re.regex($e.principal.process.command_line, `>>`) and
      $e.principal.process.file.names in (
        "bash", "sh", "dash", "zsh", "python", "python3",
        "perl", "ruby", "curl", "wget", "nc", "netcat", "ncat", "tee", "dd"
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Forwarder (Linux syslog/auditd) Chronicle OSSEC/Wazuh integration Chronicle CrowdStrike Falcon connector

Required Tables

UDM events (FILE_CREATION, FILE_MODIFICATION, PROCESS_LAUNCH)

False Positives

Automated patching pipelines that update service startup scripts in /etc/init.d/ as part of configuration drift remediation
VMware or cloud-init tooling that writes to /etc/rc.local.d/local.sh on hypervisor guests or cloud VMs during first-boot provisioning
Linux security baseline scripts that read and audit RC script contents without writing to them (may generate PROCESS_LAUNCH events)

CrowdStrike LogScale (CQL)

cql

// T1037.004 - RC Script Persistence Detection
// Detect file writes and process-based modifications to Unix RC startup scripts

#repo=base_sensor
#event_simpleName in ("FileOpenInfo", "FileWritten", "ProcessRollup2", "SyntheticProcessRollup2")

// --- Branch 1: File write events targeting RC script paths ---
| case {
    #event_simpleName in ("FileWritten", "FileOpenInfo") AND
    (
      TargetFileName = /\/etc\/rc\.local$/ OR
      TargetFileName = /\/etc\/rc\.common$/ OR
      TargetFileName = /\/etc\/rc\.d\// OR
      TargetFileName = /\/etc\/init\.d\// OR
      TargetFileName = /\/etc\/rc\.local\.d\// OR
      TargetFileName = /\/etc\/rc[0-6]\.d\// OR
      TargetFileName = /rc\.local$/ OR
      TargetFileName = /rc\.common$/ OR
      TargetFileName = /local\.sh$/
    )
      | eval detection_branch = "FileWrite to RC Script"
      | eval risk_level = "HIGH";

    // --- Branch 2: Process writing to RC script via command line ---
    #event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2") AND
    (
      CommandLine = /\/etc\/rc\.local/ OR
      CommandLine = /\/etc\/rc\.d\// OR
      CommandLine = /\/etc\/init\.d\// OR
      CommandLine = /\/etc\/rc\.local\.d\//
    ) AND
    CommandLine = /(echo|tee|cat|sed|awk|dd|wget|curl|python3?|perl|bash|sh)/ AND
    CommandLine = />>/ AND
    FileName in (
      "bash", "sh", "dash", "zsh", "python", "python3",
      "perl", "ruby", "curl", "wget", "nc", "netcat", "ncat", "tee", "dd"
    )
      | eval detection_branch = "Process Writing to RC Script"
      | eval risk_level = case(
          CommandLine = /(\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/run\/)/, "CRITICAL",
          true(), "HIGH"
        );

    true() | drop
  }

| eval suspicious_staging = if(
    CommandLine = /(\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/run\/)/, "true", "false"
  )

| groupBy(
    [ComputerName, UserName, detection_branch, risk_level, suspicious_staging,
     FileName, CommandLine, TargetFileName],
    function=[
      count(aid, as=event_count),
      max(@timestamp, as=last_seen),
      min(@timestamp, as=first_seen)
    ]
  )

| sort last_seen desc

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (Linux agent) Falcon FileWritten events Falcon ProcessRollup2 events Falcon FileOpenInfo events

Required Tables

base_sensor (FileWritten, FileOpenInfo, ProcessRollup2, SyntheticProcessRollup2)

False Positives

DevOps pipelines using bash scripts to register services in /etc/init.d/ on freshly provisioned Linux servers via automation frameworks
Open-VM-Tools or vmware-tools installer writing ESXi persistence hooks to /etc/rc.local.d/local.sh during VM guest tool installation or upgrade
Security posture management tools that read or checksum RC script contents as part of CIS benchmark compliance scanning

Last updated: 2026-04-16 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1037.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1037Boot or Logon Initialization Scripts

Related Sub-techniques

T1037.001Logon Script (Windows)T1037.002Login Hook T1037.003Network Logon Script T1037.005Startup Items

RC Scripts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections