T1037.004 Sumo Logic CSE · Sumo

Detect RC Scripts in Sumo Logic CSE

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries may add malicious binary paths or shell commands to rc.local, rc.common, and other RC scripts. Upon reboot, the system executes the script's contents as root, resulting in persistence. This technique is especially effective on ESXi hypervisors, IoT devices, and embedded systems. Notable threat actors using this technique include HiddenWasp, UNC3886, APT29, Velvet Ant, Green Lambert, Cyclops Blink, and iKitten.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1037 Boot or Logon Initialization Scripts
Sub-technique
T1037.004 RC Scripts
Canonical reference
https://attack.mitre.org/techniques/T1037/004/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory="linux/syslog" OR _sourceCategory="linux/auditd" OR _sourceCategory="linux/secure" OR _sourceCategory="osquery")
| parse field=_raw "*" as raw_message
| if (isNull(file_path), "/", file_path) as file_path
| if (isNull(process_cmd), "", process_cmd) as process_cmd
| if (isNull(user), if(isNull(acct), "unknown", acct), user) as user
| if (isNull(hostname), if(isNull(host), "unknown", host), hostname) as host_name
| where
    (
      file_path matches "/etc/rc.local*" OR
      file_path matches "/etc/rc.common*" OR
      file_path matches "/etc/rc.d/*" OR
      file_path matches "/etc/init.d/*" OR
      file_path matches "/etc/rc.local.d/*" OR
      file_path matches "*/rc0.d/*" OR
      file_path matches "*/rc1.d/*" OR
      file_path matches "*/rc2.d/*" OR
      file_path matches "*/rc3.d/*" OR
      file_path matches "*/rc4.d/*" OR
      file_path matches "*/rc5.d/*" OR
      file_path matches "*/rc6.d/*" OR
      file_path matches "*rc.local" OR
      file_path matches "*rc.common" OR
      file_path matches "*local.sh"
    )
    OR
    (
      (
        process_cmd matches "*/etc/rc.local*" OR
        process_cmd matches "*/etc/rc.d/*" OR
        process_cmd matches "*/etc/init.d/*" OR
        process_cmd matches "*/etc/rc.local.d/*"
      )
      AND
      (
        process_cmd matches "*echo*>>*" OR
        process_cmd matches "*tee*" OR
        process_cmd matches "*cat*>>*" OR
        process_cmd matches "*sed*-i*" OR
        process_cmd matches "*awk*"
      )
    )
| eval rc_file_modified = if(
    file_path matches "/etc/rc.local*" OR
    file_path matches "/etc/rc.d/*" OR
    file_path matches "/etc/init.d/*" OR
    file_path matches "/etc/rc.local.d/*",
    1, 0)
| eval suspicious_write = if(
    process_cmd matches "*(echo|tee|cat|sed|awk|dd|wget|curl|python|perl|bash|sh)*>>*",
    1, 0)
| eval temp_binary = if(
    process_cmd matches "*(/tmp/|/dev/shm/|/var/tmp/|/run/)*",
    1, 0)
| eval risk_score = rc_file_modified + suspicious_write + temp_binary
| table _messageTime, host_name, user, file_path, process_cmd, rc_file_modified, suspicious_write, temp_binary, risk_score, _sourceCategory
| sort by _messageTime desc
high severity medium confidence

Detects RC script persistence by monitoring Linux log sources for file modifications to RC startup script paths and suspicious process commands that append content to these scripts, with risk scoring for additional indicators like staging from temp directories.

Data Sources

Sumo Logic Linux syslog collectorSumo Logic auditd sourceSumo Logic OSQuery integrationSumo Logic Cloud SIEM (CSE) normalized Linux events

Required Tables

_sourceCategory=linux/syslog_sourceCategory=linux/auditd_sourceCategory=linux/secure_sourceCategory=osquery

False Positives & Tuning

  • System administrators using sed or echo to modify /etc/rc.local as part of documented change control for startup service configuration
  • Software packages that register services by appending startup commands to /etc/rc.local during installation (common on older RHEL/CentOS systems)
  • Security tools or EDR agents that inspect or read RC script contents as part of file integrity monitoring
Download portable Sigma rule (.yml)

Other platforms for T1037.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Malicious Entry to /etc/rc.local

    Expected signal: Auditd: syscall records for open()/write() on /etc/rc.local by the test user (root). Sysmon for Linux Event ID 11 (FileCreate) if deployed. Shell history: echo commands with /etc/rc.local in root's .bash_history. File modification timestamp change on /etc/rc.local visible via 'stat /etc/rc.local'.

  2. Test 2Create Persistent Backdoor via ESXi local.sh

    Expected signal: File creation/modification events for /etc/rc.local.d/local.sh. Process creation events for chmod, echo, cat commands with /etc/rc.local.d/ in command line. On actual ESXi: /var/log/shell.log entries for each command executed in the ESXi shell.

  3. Test 3Add init.d Script for Persistence

    Expected signal: File creation event for /etc/init.d/argus-test-service. Process creation events for cat, chmod commands. Shell history entries. If auditd is configured with watch on /etc/init.d/: syscall records for openat/write/chmod syscalls.

  4. Test 4Write Binary Path from Temp Directory to rc.local

    Expected signal: File creation events for /tmp/.argus_test_binary (hidden file in /tmp is suspicious). File modification event for /etc/rc.local. Process creation events for echo, chmod, cat commands. Auditd syscall records for both /tmp/ and /etc/rc.local file writes. The combination of hidden file in /tmp plus /etc/rc.local modification is a high-fidelity indicator.

Last updated: 2026-04-16 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1037.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1037Boot or Logon Initialization Scripts

Related Sub-techniques

T1037.001Logon Script (Windows)T1037.002Login HookT1037.003Network Logon ScriptT1037.005Startup Items

Related Techniques

T1037Boot or Logon Initialization ScriptsT1037.001Logon Script (Windows)T1037.003Network Logon ScriptT1543.002Systemd ServiceT1053.003CronT1059.004Unix ShellT1078Valid AccountsT1548.001Setuid and SetgidT1136.001Local AccountT1105Ingress Tool Transfer

Same Tactic: Persistence

Popular Detections