T1037.004 Elastic Security · Elastic

Detect RC Scripts in Elastic Security

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries may add malicious binary paths or shell commands to rc.local, rc.common, and other RC scripts. Upon reboot, the system executes the script's contents as root, resulting in persistence. This technique is especially effective on ESXi hypervisors, IoT devices, and embedded systems. Notable threat actors using this technique include HiddenWasp, UNC3886, APT29, Velvet Ant, Green Lambert, Cyclops Blink, and iKitten.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Sub-technique
T1037.004 RC Scripts
Canonical reference
https://attack.mitre.org/techniques/T1037/004/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
(
  (
    event.category == "file" and
    event.type in ("creation", "change") and
    (
      file.path like~ "/etc/rc.local" or
      file.path like~ "/etc/rc.common" or
      file.path like~ "/etc/rc.d/*" or
      file.path like~ "/etc/init.d/*" or
      file.path like~ "/etc/rc.local.d/*" or
      file.path like~ "/etc/rc0.d/*" or
      file.path like~ "/etc/rc1.d/*" or
      file.path like~ "/etc/rc2.d/*" or
      file.path like~ "/etc/rc3.d/*" or
      file.path like~ "/etc/rc4.d/*" or
      file.path like~ "/etc/rc5.d/*" or
      file.path like~ "/etc/rc6.d/*" or
      file.name in ("rc.local", "rc.common", "local.sh")
    )
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.name in ("bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby", "curl", "wget", "nc", "netcat", "ncat", "tee", "dd") and
    (
      process.args like~ "*/etc/rc.local*" or
      process.args like~ "*/etc/rc.common*" or
      process.args like~ "*/etc/rc.d/*" or
      process.args like~ "*/etc/init.d/*" or
      process.args like~ "*/etc/rc.local.d/*"
    ) and
    (
      process.args : "echo" or process.args : "tee" or process.args : "cat" or
      process.args : "sed" or process.args : "awk" or process.args : ">>"
    )
  )
)
high severity high confidence

Detects RC script persistence via file creation/modification events in /etc/rc.local, /etc/rc.d/, and related directories, as well as process-based writes using shells, interpreters, or download tools targeting these paths.

Data Sources

Elastic Endpoint SecurityAuditbeat (file_integrity module)Filebeat (auditd module)OSQuery logs via Elastic Agent

Required Tables

logs-endpoint.events.file-*logs-endpoint.events.process-*auditbeat-*

False Positives & Tuning

  • System administrators legitimately editing /etc/rc.local or /etc/init.d/ scripts during maintenance windows or software deployments
  • Package managers (apt, yum, dpkg) creating or modifying init.d service scripts as part of software installation
  • Configuration management tools (Ansible, Puppet, Chef, SaltStack) writing startup scripts as part of automated provisioning workflows
Download portable Sigma rule (.yml)

Other platforms for T1037.004

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Malicious Entry to /etc/rc.local

    Expected signal: Auditd: syscall records for open()/write() on /etc/rc.local by the test user (root). Sysmon for Linux Event ID 11 (FileCreate) if deployed. Shell history: echo commands with /etc/rc.local in root's .bash_history. File modification timestamp change on /etc/rc.local visible via 'stat /etc/rc.local'.

  2. Test 2Create Persistent Backdoor via ESXi local.sh

    Expected signal: File creation/modification events for /etc/rc.local.d/local.sh. Process creation events for chmod, echo, cat commands with /etc/rc.local.d/ in command line. On actual ESXi: /var/log/shell.log entries for each command executed in the ESXi shell.

  3. Test 3Add init.d Script for Persistence

    Expected signal: File creation event for /etc/init.d/argus-test-service. Process creation events for cat, chmod commands. Shell history entries. If auditd is configured with watch on /etc/init.d/: syscall records for openat/write/chmod syscalls.

  4. Test 4Write Binary Path from Temp Directory to rc.local

    Expected signal: File creation events for /tmp/.argus_test_binary (hidden file in /tmp is suspicious). File modification event for /etc/rc.local. Process creation events for echo, chmod, cat commands. Auditd syscall records for both /tmp/ and /etc/rc.local file writes. The combination of hidden file in /tmp plus /etc/rc.local modification is a high-fidelity indicator.

Last updated: 2026-04-16 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1037.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1037Boot or Logon Initialization Scripts

Related Sub-techniques

T1037.001Logon Script (Windows)T1037.002Login HookT1037.003Network Logon ScriptT1037.005Startup Items

Related Techniques

T1037Boot or Logon Initialization ScriptsT1037.001Logon Script (Windows)T1037.003Network Logon ScriptT1543.002Systemd ServiceT1053.003CronT1059.004Unix ShellT1078Valid AccountsT1548.001Setuid and SetgidT1136.001Local AccountT1105Ingress Tool Transfer

Same Tactic: Persistence

Popular Detections