Detect RC Scripts in Microsoft Sentinel
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries may add malicious binary paths or shell commands to rc.local, rc.common, and other RC scripts. Upon reboot, the system executes the script's contents as root, resulting in persistence. This technique is especially effective on ESXi hypervisors, IoT devices, and embedded systems. Notable threat actors using this technique include HiddenWasp, UNC3886, APT29, Velvet Ant, Green Lambert, Cyclops Blink, and iKitten.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Sub-technique
- T1037.004 RC Scripts
- Canonical reference
- https://attack.mitre.org/techniques/T1037/004/
KQL Detection Query
let RCScriptPaths = dynamic([
"/etc/rc.local",
"/etc/rc.common",
"/etc/rc.d/",
"/etc/init.d/",
"/etc/rc.local.d/",
"/etc/rc.local.d/local.sh",
"/etc/rc0.d/",
"/etc/rc1.d/",
"/etc/rc2.d/",
"/etc/rc3.d/",
"/etc/rc4.d/",
"/etc/rc5.d/",
"/etc/rc6.d/"
]);
let SuspiciousWriteProcesses = dynamic([
"bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby",
"curl", "wget", "nc", "netcat", "ncat", "tee", "dd"
]);
union
(
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (RCScriptPaths) or FileName in ("rc.local", "rc.common", "local.sh")
| extend RiskReason = "RC script file created or modified"
),
(
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (RCScriptPaths)
| where ProcessCommandLine has_any ("echo", "tee", "cat", "sed", "awk", ">>")
| where FileName has_any (SuspiciousWriteProcesses)
| extend RiskReason = "Process writing to RC script path"
)
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
ProcessCommandLine, RiskReason
| sort by Timestamp descDetects creation or modification of RC startup script files (/etc/rc.local, /etc/rc.common, /etc/rc.local.d/local.sh, /etc/rc.d/, /etc/init.d/) that could indicate adversary persistence via T1037.004. Uses DeviceFileEvents to catch direct file writes and DeviceProcessEvents to catch shell commands redirecting content into RC script paths. Covers both Linux and macOS (older versions) as well as ESXi rc.local.d paths.
Data Sources
Required Tables
False Positives & Tuning
- System administrators legitimately modifying rc.local to add startup services or mount points during system configuration
- Package managers (apt, yum, rpm) writing init.d scripts during legitimate software installation
- Configuration management tools (Ansible, Chef, Puppet, SaltStack) modifying RC scripts as part of automated provisioning
- Monitoring agents or security tools that add themselves to rc.local during installation
- ESXi administrators modifying local.sh to set persistent host configurations
Other platforms for T1037.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Malicious Entry to /etc/rc.local
Expected signal: Auditd: syscall records for open()/write() on /etc/rc.local by the test user (root). Sysmon for Linux Event ID 11 (FileCreate) if deployed. Shell history: echo commands with /etc/rc.local in root's .bash_history. File modification timestamp change on /etc/rc.local visible via 'stat /etc/rc.local'.
- Test 2Create Persistent Backdoor via ESXi local.sh
Expected signal: File creation/modification events for /etc/rc.local.d/local.sh. Process creation events for chmod, echo, cat commands with /etc/rc.local.d/ in command line. On actual ESXi: /var/log/shell.log entries for each command executed in the ESXi shell.
- Test 3Add init.d Script for Persistence
Expected signal: File creation event for /etc/init.d/argus-test-service. Process creation events for cat, chmod commands. Shell history entries. If auditd is configured with watch on /etc/init.d/: syscall records for openat/write/chmod syscalls.
- Test 4Write Binary Path from Temp Directory to rc.local
Expected signal: File creation events for /tmp/.argus_test_binary (hidden file in /tmp is suspicious). File modification event for /etc/rc.local. Process creation events for echo, chmod, cat commands. Auditd syscall records for both /tmp/ and /etc/rc.local file writes. The combination of hidden file in /tmp plus /etc/rc.local modification is a high-fidelity indicator.
References (11)
- https://attack.mitre.org/techniques/T1037/004/
- https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
- https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/
- http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md
- https://www.sygnia.co/blog/velvet-ant-f5-big-ip-zero-day-cve-2023-46747
- https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence
Unlock Pro Content
Get the full detection package for T1037.004 including response playbook, investigation guide, and atomic red team tests.