Detect RC Scripts in Splunk
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries may add malicious binary paths or shell commands to rc.local, rc.common, and other RC scripts. Upon reboot, the system executes the script's contents as root, resulting in persistence. This technique is especially effective on ESXi hypervisors, IoT devices, and embedded systems. Notable threat actors using this technique include HiddenWasp, UNC3886, APT29, Velvet Ant, Green Lambert, Cyclops Blink, and iKitten.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Sub-technique
- T1037.004 RC Scripts
- Canonical reference
- https://attack.mitre.org/techniques/T1037/004/
SPL Detection Query
index=syslog OR index=linux_logs OR index=osquery sourcetype=syslog OR sourcetype=linux_secure OR sourcetype=auditd OR sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational"
| eval rc_script_write=0
| eval file_path=coalesce(file_path, FileName, filePath, path, "/")
| eval process_cmd=coalesce(CommandLine, command, cmd, process, "")
| eval user=coalesce(User, user, acct, uid, "unknown")
| eval host_name=coalesce(host, hostname, ComputerName, "unknown")
| eval rc_script_write=if(
match(file_path, "(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/|local\.sh)") OR
match(process_cmd, "(/etc/rc\.local|/etc/rc\.common|/etc/rc\.d/|/etc/init\.d/|/etc/rc\.local\.d/|local\.sh)"),
1, 0)
| where rc_script_write=1
| eval suspicious_cmd=if(
match(process_cmd, "(echo|tee|cat|sed|awk|dd|wget|curl|python|perl|bash|sh).*>>"),
1, 0)
| eval binary_added=if(
match(process_cmd, "(/tmp/|/dev/shm/|/var/tmp/|/run/)"),
1, 0)
| eval risk_score=rc_script_write + suspicious_cmd + binary_added
| table _time, host_name, user, file_path, process_cmd, suspicious_cmd, binary_added, risk_score, sourcetype
| sort - _timeDetects RC script modification or creation events across Linux syslog, auditd, and osquery data sources. Identifies file paths matching known RC script locations (/etc/rc.local, /etc/rc.common, /etc/rc.d/, /etc/init.d/, /etc/rc.local.d/local.sh) and evaluates whether suspicious processes are writing to those paths. Assigns a risk score based on presence of append operators, temporary directory paths (common staging areas for malware binaries), and matching file paths.
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators legitimately modifying rc.local to add startup services or mount points during system configuration
- Package managers (apt, yum, rpm) writing init.d scripts during legitimate software installation
- Configuration management tools (Ansible, Chef, Puppet, SaltStack) modifying RC scripts as part of automated provisioning
- Monitoring agents or security tools that add themselves to rc.local during installation
- ESXi administrators modifying local.sh to set persistent host configurations
Other platforms for T1037.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Malicious Entry to /etc/rc.local
Expected signal: Auditd: syscall records for open()/write() on /etc/rc.local by the test user (root). Sysmon for Linux Event ID 11 (FileCreate) if deployed. Shell history: echo commands with /etc/rc.local in root's .bash_history. File modification timestamp change on /etc/rc.local visible via 'stat /etc/rc.local'.
- Test 2Create Persistent Backdoor via ESXi local.sh
Expected signal: File creation/modification events for /etc/rc.local.d/local.sh. Process creation events for chmod, echo, cat commands with /etc/rc.local.d/ in command line. On actual ESXi: /var/log/shell.log entries for each command executed in the ESXi shell.
- Test 3Add init.d Script for Persistence
Expected signal: File creation event for /etc/init.d/argus-test-service. Process creation events for cat, chmod commands. Shell history entries. If auditd is configured with watch on /etc/init.d/: syscall records for openat/write/chmod syscalls.
- Test 4Write Binary Path from Temp Directory to rc.local
Expected signal: File creation events for /tmp/.argus_test_binary (hidden file in /tmp is suspicious). File modification event for /etc/rc.local. Process creation events for echo, chmod, cat commands. Auditd syscall records for both /tmp/ and /etc/rc.local file writes. The combination of hidden file in /tmp plus /etc/rc.local modification is a high-fidelity indicator.
References (11)
- https://attack.mitre.org/techniques/T1037/004/
- https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
- https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
- https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/
- http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md
- https://www.sygnia.co/blog/velvet-ant-f5-big-ip-zero-day-cve-2023-46747
- https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence
Unlock Pro Content
Get the full detection package for T1037.004 including response playbook, investigation guide, and atomic red team tests.