Detect RC Scripts in Google Chronicle
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries may add malicious binary paths or shell commands to rc.local, rc.common, and other RC scripts. Upon reboot, the system executes the script's contents as root, resulting in persistence. This technique is especially effective on ESXi hypervisors, IoT devices, and embedded systems. Notable threat actors using this technique include HiddenWasp, UNC3886, APT29, Velvet Ant, Green Lambert, Cyclops Blink, and iKitten.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Sub-technique
- T1037.004 RC Scripts
- Canonical reference
- https://attack.mitre.org/techniques/T1037/004/
YARA-L Detection Query
rule t1037_004_rc_script_persistence {
meta:
author = "Argus Detection Engineering"
description = "Detects RC script persistence via file modification or process-based writes to Unix startup script paths (T1037.004)"
mitre_attack_tactic = "Persistence"
mitre_attack_technique = "T1037.004"
severity = "HIGH"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1037/004/"
created = "2026-04-16"
events:
(
// File write to RC script paths
(
$e.metadata.event_type = "FILE_CREATION" or
$e.metadata.event_type = "FILE_MODIFICATION"
) and
(
re.regex($e.target.file.full_path, `/etc/rc\.local`) or
re.regex($e.target.file.full_path, `/etc/rc\.common`) or
re.regex($e.target.file.full_path, `/etc/rc\.d/`) or
re.regex($e.target.file.full_path, `/etc/init\.d/`) or
re.regex($e.target.file.full_path, `/etc/rc\.local\.d/`) or
re.regex($e.target.file.full_path, `/etc/rc[0-6]\.d/`) or
$e.target.file.names = "rc.local" or
$e.target.file.names = "rc.common" or
$e.target.file.names = "local.sh"
)
) or
(
// Process writing to RC script paths via shell redirect or tee
$e.metadata.event_type = "PROCESS_LAUNCH" and
$e.principal.process.command_line != "" and
(
re.regex($e.principal.process.command_line, `/etc/rc\.local`) or
re.regex($e.principal.process.command_line, `/etc/rc\.d/`) or
re.regex($e.principal.process.command_line, `/etc/init\.d/`) or
re.regex($e.principal.process.command_line, `/etc/rc\.local\.d/`)
) and
re.regex($e.principal.process.command_line, `(echo|tee|cat|sed|awk|dd|wget|curl|python3?|perl|bash|sh)`) and
re.regex($e.principal.process.command_line, `>>`) and
$e.principal.process.file.names in (
"bash", "sh", "dash", "zsh", "python", "python3",
"perl", "ruby", "curl", "wget", "nc", "netcat", "ncat", "tee", "dd"
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting RC script persistence via UDM file creation/modification events on RC startup paths and process launch events where suspicious tools write content to /etc/rc.local, /etc/rc.d/, /etc/init.d/, or /etc/rc.local.d/.
Data Sources
Required Tables
False Positives & Tuning
- Automated patching pipelines that update service startup scripts in /etc/init.d/ as part of configuration drift remediation
- VMware or cloud-init tooling that writes to /etc/rc.local.d/local.sh on hypervisor guests or cloud VMs during first-boot provisioning
- Linux security baseline scripts that read and audit RC script contents without writing to them (may generate PROCESS_LAUNCH events)
Other platforms for T1037.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Malicious Entry to /etc/rc.local
Expected signal: Auditd: syscall records for open()/write() on /etc/rc.local by the test user (root). Sysmon for Linux Event ID 11 (FileCreate) if deployed. Shell history: echo commands with /etc/rc.local in root's .bash_history. File modification timestamp change on /etc/rc.local visible via 'stat /etc/rc.local'.
- Test 2Create Persistent Backdoor via ESXi local.sh
Expected signal: File creation/modification events for /etc/rc.local.d/local.sh. Process creation events for chmod, echo, cat commands with /etc/rc.local.d/ in command line. On actual ESXi: /var/log/shell.log entries for each command executed in the ESXi shell.
- Test 3Add init.d Script for Persistence
Expected signal: File creation event for /etc/init.d/argus-test-service. Process creation events for cat, chmod commands. Shell history entries. If auditd is configured with watch on /etc/init.d/: syscall records for openat/write/chmod syscalls.
- Test 4Write Binary Path from Temp Directory to rc.local
Expected signal: File creation events for /tmp/.argus_test_binary (hidden file in /tmp is suspicious). File modification event for /etc/rc.local. Process creation events for echo, chmod, cat commands. Auditd syscall records for both /tmp/ and /etc/rc.local file writes. The combination of hidden file in /tmp plus /etc/rc.local modification is a high-fidelity indicator.
References (11)
- https://attack.mitre.org/techniques/T1037/004/
- https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
- https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/
- http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md
- https://www.sygnia.co/blog/velvet-ant-f5-big-ip-zero-day-cve-2023-46747
- https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence
Unlock Pro Content
Get the full detection package for T1037.004 including response playbook, investigation guide, and atomic red team tests.