title: RC Scripts (T1037.004)
id: df00tech-t1037-004
status: experimental
description: "Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify. Adversaries may add malicious binary paths or shell commands to rc.local, rc.common, and other RC scripts. Upon reboot, the system executes the script's contents as root, resulting in persistence. This technique is especially effective on ESXi hypervisors, IoT devices, and embedded systems. Notable threat actors using this technique include HiddenWasp, UNC3886, APT29, Velvet Ant, Green Lambert, Cyclops Blink, and iKitten."
references:
  - https://attack.mitre.org/techniques/T1037/004/
  - https://df00tech.com/detections/T1037.004
author: df00tech
date: 2026/04/16
tags:
  - attack.t1037.004
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# T1037.004 targets Unix-like hosts (Linux, ESXi, embedded), so the product is linux, not windows.
logsource:
  category: process_creation
  product: linux
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - System administrators legitimately modifying rc.local to add startup services or mount points during system configuration
  - Package managers (apt, yum, rpm) writing init.d scripts during legitimate software installation
  - Configuration management tools (Ansible, Chef, Puppet, SaltStack) modifying RC scripts as part of automated provisioning
  - Monitoring agents or security tools that add themselves to rc.local during installation
  - ESXi administrators modifying local.sh to set persistent host configurations
level: high
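Because the rule above ships with a placeholder selection, the following is an added example (not df00tech's detection and not part of this rule) of the file-modification logic a defender would implement for this technique. It assumes Linux file-event records shaped as dicts with `TargetFilename`, `Image` and `User` fields (an assumption, not a field set taken from the rule), matches the RC script paths the description names plus the common `/etc/rc.d`, `/etc/init.d`, `/etc/rcN.d` locations and the ESXi `/etc/rc.local.d/local.sh`, and suppresses writers that correspond to the rule's falsepositives list. The sample records are constructed, not real telemetry.

```python
"""Added example: flag modifications of RC startup scripts (T1037.004).

Not df00tech's rule logic. Assumed record shape: dicts with the keys
'TargetFilename', 'Image' and 'User', similar to a Linux file_event log.
"""
import re

# RC script locations: rc.local and rc.common from the rule's description, the
# usual SysV directories, and the ESXi persistence file local.sh.
RC_SCRIPT_PATTERNS = [
    r"^/etc/rc\.local$",
    r"^/etc/rc\.common$",
    r"^/etc/rc\.d/.+",
    r"^/etc/init\.d/.+",
    r"^/etc/rc\d\.d/.+",
    r"^/etc/rc\.local\.d/local\.sh$",   # ESXi
]
RC_RE = re.compile("|".join(f"(?:{p})" for p in RC_SCRIPT_PATTERNS))

# Expected writers, mirroring the rule's falsepositives section (assumed set;
# tune to your environment). Matching on basename alone is weak, so treat a
# suppression as "lower priority", not "benign", and corroborate with package
# manager or configuration management logs where possible.
BENIGN_WRITERS = {
    "apt", "apt-get", "dpkg", "yum", "dnf", "rpm",
    "ansible", "chef-client", "puppet", "salt-minion",
}


def is_rc_script(path: str) -> bool:
    """True when the written path is one of the RC script locations."""
    return bool(RC_RE.match(path))


def classify(event: dict) -> str:
    """Return 'alert', 'suppressed' or 'ignore' for one file-event record."""
    if not is_rc_script(event.get("TargetFilename", "")):
        return "ignore"
    basename = event.get("Image", "").rsplit("/", 1)[-1]
    if basename in BENIGN_WRITERS:
        return "suppressed"
    return "alert"


def detect(events: list) -> list:
    """Return the records that warrant an alert, tagged with the technique."""
    return [
        {**ev, "rule": "T1037.004 RC script modified"}
        for ev in events
        if classify(ev) == "alert"
    ]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/rc.local", "Image": "/usr/bin/bash", "User": "root"},
    {"TargetFilename": "/etc/init.d/myagent", "Image": "/usr/bin/dpkg", "User": "root"},
    {"TargetFilename": "/etc/rc.local.d/local.sh", "Image": "/bin/sh", "User": "root"},
    {"TargetFilename": "/home/alice/notes.txt", "Image": "/usr/bin/vim", "User": "alice"},
    {"TargetFilename": "/etc/rc3.d/S99custom", "Image": "/usr/bin/ansible", "User": "root"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["rule"], hit["TargetFilename"], hit["Image"], hit["User"])
```

On the sample set this alerts on the shell writes to `/etc/rc.local` and the ESXi `local.sh` and suppresses the dpkg and ansible writes. Since the rule notes that RC scripts require root to modify, every alert here will carry `User: root`; the useful triage signal is therefore the writing process and its parent, not the account, and a shell or unknown binary writing these paths outside a maintenance window is the case worth escalating.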
