T1037.004 CrowdStrike LogScale · LogScale

Detect RC Scripts in CrowdStrike LogScale

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup. These files let system administrators map and start custom services at startup for the different run levels, and modifying them requires root privileges. Adversaries may add a malicious binary path or shell commands to rc.local, rc.common, or another RC script specific to the distribution; on reboot the system executes the script's contents as root, giving the adversary persistence. The technique is especially effective on lightweight Unix-like systems that run as root by default, such as ESXi hypervisors, IoT devices, and embedded systems; many mainstream distributions have moved to systemd and deprecated RC scripts, so writes to these paths on such hosts are rarer and more suspicious. The procedure examples listed on the ATT&CK page span both groups and malware families: APT29, UNC3886, and Velvet Ant, and the HiddenWasp, Green Lambert, Cyclops Blink, and iKitten malware.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Sub-technique
T1037.004 RC Scripts
Canonical reference
https://attack.mitre.org/techniques/T1037/004/

LogScale Detection Query

CrowdStrike LogScale query (CQL)
// T1037.004 - RC Script Persistence Detection
// Detect file writes and process-based modifications to Unix RC startup scripts
// (LogScale syntax: field assignment uses :=, branching uses case { ... }, results are ordered with sort())

#repo=base_sensor
#event_simpleName=/^(FileOpenInfo|FileWritten|ProcessRollup2|SyntheticProcessRollup2)$/

| case {
    // --- Branch 1: file write/open events targeting RC script paths ---
    #event_simpleName=/^(FileWritten|FileOpenInfo)$/ AND
    (
      TargetFileName=/\/etc\/rc\.local$/ OR
      TargetFileName=/\/etc\/rc\.common$/ OR
      TargetFileName=/\/etc\/rc\.d\// OR
      TargetFileName=/\/etc\/init\.d\// OR
      TargetFileName=/\/etc\/rc\.local\.d\// OR
      TargetFileName=/\/etc\/rc[0-6]\.d\// OR
      TargetFileName=/rc\.local$/ OR
      TargetFileName=/rc\.common$/ OR
      TargetFileName=/local\.sh$/
    )
      | detection_branch := "FileWrite to RC Script"
      | risk_level := "HIGH";

    // --- Branch 2: shell or download utility appending to an RC script via the command line ---
    #event_simpleName=/^(ProcessRollup2|SyntheticProcessRollup2)$/ AND
    (
      CommandLine=/\/etc\/rc\.local/ OR
      CommandLine=/\/etc\/rc\.d\// OR
      CommandLine=/\/etc\/init\.d\// OR
      CommandLine=/\/etc\/rc\.local\.d\//
    ) AND
    CommandLine=/(echo|tee|cat|sed|awk|dd|wget|curl|python3?|perl|bash|sh)/ AND
    CommandLine=/>>/ AND
    in(FileName, values=[
      "bash", "sh", "dash", "zsh", "python", "python3",
      "perl", "ruby", "curl", "wget", "nc", "netcat", "ncat", "tee", "dd"
    ])
      | detection_branch := "Process Writing to RC Script"
      // A payload referenced from a world-writable temp directory raises this branch to CRITICAL
      | risk_level := if(CommandLine=/(\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/run\/)/, then="CRITICAL", else="HIGH")

    // No wildcard (*) branch: events that match neither branch are dropped by case{}
  }

| suspicious_staging := if(CommandLine=/(\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/run\/)/, then="true", else="false")

| groupBy(
    [ComputerName, UserName, detection_branch, risk_level, suspicious_staging,
     FileName, CommandLine, TargetFileName],
    function=[
      count(aid, as=event_count),
      max(@timestamp, as=last_seen),
      min(@timestamp, as=first_seen)
    ]
  )

| sort(last_seen, order=desc)
Severity: high · Confidence: high

Detects RC script persistence from two kinds of CrowdStrike Falcon sensor telemetry: FileWritten/FileOpenInfo events whose target path is a Unix RC startup script, and ProcessRollup2/SyntheticProcessRollup2 events where a shell or download utility uses an append redirect (>>) to write into /etc/rc.local, /etc/rc.d/, /etc/init.d/, or /etc/rc.local.d/. In the process branch, a command line that also references a temporary directory (/tmp/, /dev/shm/, /var/tmp/, /run/) is raised from HIGH to CRITICAL. Two limits to keep in mind when tuning: the process branch only matches append redirects, so an overwrite with a single > or a write through tee is caught only if the file-write branch sees the resulting FileWritten event; and FileOpenInfo does not distinguish read from write opens, so tools that merely read an RC script will match the file branch.

Data Sources

  • CrowdStrike Falcon Sensor (Linux agent)
  • Falcon FileWritten events
  • Falcon FileOpenInfo events
  • Falcon ProcessRollup2 / SyntheticProcessRollup2 events

Required Tables

base_sensor (FileWritten, FileOpenInfo, ProcessRollup2, SyntheticProcessRollup2)

False Positives & Tuning

  • DevOps pipelines that register services in /etc/init.d/ on freshly provisioned Linux servers through automation frameworks; exclude by the automation account or parent process rather than by path
  • Open-VM-Tools or vmware-tools installers writing startup hooks to /etc/rc.local.d/local.sh during guest tool installation or upgrade
  • Security posture management tools that read or checksum RC script contents for CIS benchmark compliance scanning; because the file branch matches FileOpenInfo regardless of access mode, exclude the scanner's process name rather than the RC paths
Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Add Malicious Entry to /etc/rc.local

    Expected signal: Auditd syscall records for open()/write() on /etc/rc.local by the test user (root). Sysmon for Linux Event ID 11 (FileCreate) if deployed and /etc/rc.local did not already exist (an append to an existing file does not create a file). Shell history: echo commands with /etc/rc.local in root's .bash_history. Modification timestamp change on /etc/rc.local visible via 'stat /etc/rc.local'. In Falcon, a ProcessRollup2 for the shell whose command line contains both /etc/rc.local and >>, which is what the process branch of the query keys on.

  2. Test 2: Create Persistent Backdoor via ESXi local.sh

    Expected signal: File creation/modification events for /etc/rc.local.d/local.sh. Process creation events for chmod, echo, and cat commands with /etc/rc.local.d/ in the command line. On an actual ESXi host: /var/log/shell.log entries for each command executed in the ESXi shell. Note that the Falcon sensor does not run on ESXi itself, so this query sees the test only when the path is exercised on a Linux host; on a real hypervisor the evidence comes from ESXi's own logs.

  3. Test 3: Add init.d Script for Persistence

    Expected signal: File creation event for /etc/init.d/argus-test-service. Process creation events for the cat and chmod commands. Shell history entries. If auditd has a watch on /etc/init.d/: syscall records for openat, write, and chmod.

  4. Test 4: Write Binary Path from Temp Directory to rc.local

    Expected signal: File creation events for /tmp/.argus_test_binary (a hidden file in /tmp is suspicious on its own). File modification event for /etc/rc.local. Process creation events for the echo, chmod, and cat commands. Auditd syscall records for both the /tmp/ and /etc/rc.local file writes. The combination of a hidden file in /tmp and an /etc/rc.local modification is a high-fidelity indicator, and it is the case the query's process branch rates CRITICAL.
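To check the query's branch and risk-level logic against the four tests above without a LogScale instance, here is a Python re-implementation of the same case{} logic run over constructed events. This is an added example, not code from the original page or from CrowdStrike: the event dicts are constructed (not captured telemetry) and carry only the fields the query reads (event_simpleName, TargetFileName, CommandLine, FileName); the regexes are transcribed from the query.

```python
"""Replay of the LogScale RC-script detection over constructed Falcon-style events.

Added example, not code from the original page or from CrowdStrike. It mirrors the
two branches of the CQL query (file writes/opens on RC paths; shells appending to RC
paths with >>) so the match and risk-level logic can be checked offline. The sample
events are constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Branch 1: RC script paths, the same alternatives as the query's TargetFileName regexes.
RC_PATHS = re.compile(
    r"/etc/rc\.local$|/etc/rc\.common$|/etc/rc\.d/|/etc/init\.d/|"
    r"/etc/rc\.local\.d/|/etc/rc[0-6]\.d/|rc\.local$|rc\.common$|local\.sh$"
)
# Branch 2: RC path on the command line, a write-capable tool, and an append redirect.
RC_PATHS_IN_CMDLINE = re.compile(r"/etc/rc\.local|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/")
WRITE_TOOLS = re.compile(r"echo|tee|cat|sed|awk|dd|wget|curl|python3?|perl|bash|sh")
APPEND_REDIRECT = re.compile(r">>")
STAGING_DIRS = re.compile(r"/tmp/|/dev/shm/|/var/tmp/|/run/")
WRITER_PROCESSES = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby",
                    "curl", "wget", "nc", "netcat", "ncat", "tee", "dd"}
FILE_EVENTS = {"FileWritten", "FileOpenInfo"}
PROCESS_EVENTS = {"ProcessRollup2", "SyntheticProcessRollup2"}


@dataclass
class Detection:
    branch: str
    risk_level: str
    suspicious_staging: bool


def classify(event: dict) -> Optional[Detection]:
    """Apply the query's case{} logic to one event; None means case{} drops it."""
    name = event.get("event_simpleName", "")
    cmdline = event.get("CommandLine", "")
    staging = bool(STAGING_DIRS.search(cmdline))
    if name in FILE_EVENTS and RC_PATHS.search(event.get("TargetFileName", "")):
        # Branch 1 is always HIGH in the query; staging is still recorded for grouping.
        return Detection("FileWrite to RC Script", "HIGH", staging)
    if (name in PROCESS_EVENTS
            and RC_PATHS_IN_CMDLINE.search(cmdline)
            and WRITE_TOOLS.search(cmdline)
            and APPEND_REDIRECT.search(cmdline)
            and event.get("FileName") in WRITER_PROCESSES):
        return Detection("Process Writing to RC Script",
                         "CRITICAL" if staging else "HIGH", staging)
    return None


# Constructed events modelled on the four tests in the Testing Methodology, plus one
# tuning caveat and one overwrite that the append-only process branch does not see.
SAMPLE_EVENTS = [
    # Test 1: root appends a command to /etc/rc.local from a bash shell.
    {"event_simpleName": "ProcessRollup2", "FileName": "bash",
     "CommandLine": "bash -c 'echo \"/opt/backdoor &\" >> /etc/rc.local'"},
    # Test 2: ESXi-style local.sh modified (file-write telemetry, no command line).
    {"event_simpleName": "FileWritten", "TargetFileName": "/etc/rc.local.d/local.sh"},
    # Test 3: a new init.d script is created.
    {"event_simpleName": "FileWritten", "TargetFileName": "/etc/init.d/argus-test-service"},
    # Test 4: a hidden binary staged in /tmp is appended to rc.local.
    {"event_simpleName": "ProcessRollup2", "FileName": "sh",
     "CommandLine": "sh -c 'echo /tmp/.argus_test_binary >> /etc/rc.local'"},
    # Tuning caveat: a read-only open by a compliance scanner also satisfies branch 1.
    {"event_simpleName": "FileOpenInfo", "TargetFileName": "/etc/rc.local"},
    # Gap: a single '>' overwrite is not an append redirect, so branch 2 stays silent.
    {"event_simpleName": "ProcessRollup2", "FileName": "bash",
     "CommandLine": "bash -c 'cat /tmp/rc.new > /etc/rc.local'"},
    # Unrelated write: dropped.
    {"event_simpleName": "FileWritten", "TargetFileName": "/var/log/syslog"},
]


def run(events=SAMPLE_EVENTS):
    """Classify every event; the returned list is aligned with the input."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run()):
        label = f"{hit.branch} [{hit.risk_level}]" if hit else "dropped"
        print(f"{event['event_simpleName']:<24} {label}")
```

Running it shows tests 1 to 3 rated HIGH, test 4 rated CRITICAL because of the /tmp/ reference, the scanner's read-only open firing the file branch (the false positive listed above), and the single-redirect overwrite slipping past the process branch. One more thing the replay makes visible: the tool regex is unanchored and includes "sh" and "bash", so it is satisfied by almost any shell command line; the selectivity of branch 2 comes from the >> check and the FileName list, not from that regex.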
