Detect RC Scripts in IBM QRadar
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries may add malicious binary paths or shell commands to rc.local, rc.common, and other RC scripts. Upon reboot, the system executes the script's contents as root, resulting in persistence. This technique is especially effective on ESXi hypervisors, IoT devices, and embedded systems. Notable threat actors and malware families using this technique include HiddenWasp, UNC3886, APT29, Velvet Ant, Green Lambert, Cyclops Blink, and iKitten.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Sub-technique: T1037.004 RC Scripts
- Canonical reference: https://attack.mitre.org/techniques/T1037/004/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
sourceip,
username,
QIDNAME(qid) AS event_name,
CATEGORYNAME(category) AS event_category,
"HOSTNAME" AS host_name,
"FILEPATH" AS file_path,
"COMMAND" AS process_command,
LOGSOURCETYPENAME(devicetype) AS log_source_type,
CASE
WHEN "FILEPATH" MATCHES '.*(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/|local\.sh).*'
THEN 'RC Script File Modified'
WHEN "COMMAND" MATCHES '.*(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/).*'
AND "COMMAND" MATCHES '.*(echo|tee|cat|sed|awk|dd|wget|curl|python|perl|bash|sh).*>>.*'
THEN 'Process Writing to RC Script Path'
ELSE 'RC Script Interaction'
END AS risk_reason,
CASE
WHEN "COMMAND" MATCHES '.*(/tmp/|/dev/shm/|/var/tmp/|/run/).*'
THEN 'HIGH'
ELSE 'MEDIUM'
END AS risk_level
FROM events
WHERE
devicetype IN (12, 13, 20, 40)
AND devicetime > (NOW() - 86400000)
AND (
"FILEPATH" MATCHES '.*(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/|local\.sh).*'
OR
(
"COMMAND" MATCHES '.*(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/).*'
AND "COMMAND" MATCHES '.*(echo|tee|cat|sed|awk|dd|wget|curl|python|perl|bash|sh).*'
)
)
ORDER BY devicetime DESC

Detects RC script persistence by querying Linux/Unix log sources for file modifications to RC script paths and process commands that write to startup script locations, with risk scoring for suspicious binary paths in temporary directories. The query uses AQL's MATCHES operator, which requires the regular expression to match the whole string, so each pattern is wrapped in '.*'; a NULL "FILEPATH" or "COMMAND" property simply fails the match, so no COALESCE is needed. The devicetype values 12, 13, 20 and 40 stand for the Linux/Unix syslog, auditd and Linux OS log source types in this rule; confirm them against the log source types defined in your deployment, and confirm that the FILEPATH and COMMAND custom event properties are populated for those sources, since an event with neither property set can never match.
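The rule's WHERE filter and CASE logic, reimplemented in Python over constructed events so the patterns can be unit-tested outside QRadar before the rule is deployed. This is an added example, not the page's query or any QRadar code: the event dicts, the sample values and the functions classify_event and run_rule are assumptions of this example, built to mirror the FILEPATH and COMMAND custom properties the query reads. It uses re.search (partial match) rather than AQL's whole-string MATCHES, which is why the patterns carry no '.*' wrappers here.

```python
import re
from typing import Optional, Tuple

# Patterns copied from the page's rule (the detection's own alternations, not QRadar code).
RC_PATHS = re.compile(
    r"(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/|local\.sh)"
)
RC_PATHS_IN_CMD = re.compile(
    r"(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/)"
)
# Note for tuning: the bare 'sh' alternative also matches inside 'ssh' or 'bash'.
WRITER_TOOLS = re.compile(r"(echo|tee|cat|sed|awk|dd|wget|curl|python|perl|bash|sh)")
WRITER_APPEND = re.compile(r"(echo|tee|cat|sed|awk|dd|wget|curl|python|perl|bash|sh).*>>")
TEMP_DIRS = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|/run/)")


def classify_event(event: dict) -> Optional[Tuple[str, str]]:
    """Apply the rule to one normalized event.

    `event` carries the same custom properties the AQL query reads
    (FILEPATH, COMMAND); a missing or None property behaves like an
    empty string, i.e. it fails every match. Returns None when the
    WHERE clause would not select the event, else (risk_reason, risk_level).
    """
    file_path = event.get("FILEPATH") or ""
    command = event.get("COMMAND") or ""

    # WHERE: a watched path in FILEPATH, or a watched path plus a writer tool in COMMAND.
    path_hit = RC_PATHS.search(file_path) is not None
    cmd_hit = (
        RC_PATHS_IN_CMD.search(command) is not None
        and WRITER_TOOLS.search(command) is not None
    )
    if not (path_hit or cmd_hit):
        return None

    # First CASE: risk_reason, evaluated in the same order as the query.
    if path_hit:
        reason = "RC Script File Modified"
    elif RC_PATHS_IN_CMD.search(command) and WRITER_APPEND.search(command):
        reason = "Process Writing to RC Script Path"
    else:
        reason = "RC Script Interaction"

    # Second CASE: risk_level, raised when the command references a temp directory.
    level = "HIGH" if TEMP_DIRS.search(command) else "MEDIUM"
    return reason, level


def run_rule(events) -> list:
    """Return the selected events with risk columns attached, newest first (ORDER BY devicetime DESC)."""
    selected = []
    for ev in events:
        result = classify_event(ev)
        if result is not None:
            selected.append({**ev, "risk_reason": result[0], "risk_level": result[1]})
    return sorted(selected, key=lambda e: e["devicetime"], reverse=True)


# Constructed sample events shaped like the parsed properties QRadar would expose;
# they loosely mirror the four Atomic Red Team tests listed on the page.
SAMPLE_EVENTS = [
    # auditd write on /etc/rc.local: FILEPATH populated, no command line
    {"devicetime": 1, "username": "root", "FILEPATH": "/etc/rc.local"},
    # shell appending a start-up line to the ESXi local.sh
    {"devicetime": 2, "username": "root",
     "COMMAND": "sh -c \"echo '/opt/agent/start.sh' >> /etc/rc.local.d/local.sh\""},
    # read-only interaction with an init.d script: selected but low-signal
    {"devicetime": 3, "username": "root", "COMMAND": "cat /etc/init.d/argus-test-service"},
    # hidden binary in /tmp appended to rc.local: the high-fidelity case
    {"devicetime": 4, "username": "root",
     "COMMAND": "echo '/tmp/.argus_test_binary' >> /etc/rc.local"},
    # unrelated admin activity that must not match
    {"devicetime": 5, "username": "ops", "COMMAND": "systemctl status sshd"},
]


if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row["devicetime"], row["risk_level"], row["risk_reason"], row.get("COMMAND", row.get("FILEPATH")))
```

Running the module prints the four selected events newest first; the unrelated systemctl event is dropped by the WHERE emulation. Swapping in your own exported events (one dict per row with the same property names) is a quick way to measure how many benign installer or configuration-management writes the patterns catch before tuning the rule.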
Data Sources
Required Tables
False Positives & Tuning
- Legitimate system initialization scripts modified by the root user during planned OS patching or reconfiguration activities
- Software installers (e.g., VMware Tools, open-vm-tools) that write to /etc/rc.local.d/ on ESXi or Linux VMs as part of their setup
- Automated configuration management platforms writing init scripts during provisioning
Other platforms for T1037.004
Testing Methodology
Validate this detection against 4 Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Add Malicious Entry to /etc/rc.local
Expected signal: Auditd: syscall records for open()/write() on /etc/rc.local by the test user (root). Sysmon for Linux Event ID 11 (FileCreate) if deployed. Shell history: echo commands with /etc/rc.local in root's .bash_history. File modification timestamp change on /etc/rc.local visible via 'stat /etc/rc.local'.
- Test 2: Create Persistent Backdoor via ESXi local.sh
Expected signal: File creation/modification events for /etc/rc.local.d/local.sh. Process creation events for chmod, echo, cat commands with /etc/rc.local.d/ in command line. On actual ESXi: /var/log/shell.log entries for each command executed in the ESXi shell.
- Test 3: Add init.d Script for Persistence
Expected signal: File creation event for /etc/init.d/argus-test-service. Process creation events for cat, chmod commands. Shell history entries. If auditd is configured with watch on /etc/init.d/: syscall records for openat/write/chmod syscalls.
- Test 4: Write Binary Path from Temp Directory to rc.local
Expected signal: File creation events for /tmp/.argus_test_binary (hidden file in /tmp is suspicious). File modification event for /etc/rc.local. Process creation events for echo, chmod, cat commands. Auditd syscall records for both /tmp/ and /etc/rc.local file writes. The combination of hidden file in /tmp plus /etc/rc.local modification is a high-fidelity indicator.
References (11)
- https://attack.mitre.org/techniques/T1037/004/
- https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
- https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/
- http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md
- https://www.sygnia.co/blog/velvet-ant-f5-big-ip-zero-day-cve-2023-46747
- https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence