RC scripts modified

Goal

Detect modifications to RC script files (rc.local and rc.common).

Strategy

RC scripts allow system administrators to map and start custom services at startup for different run levels. Attackers can establish persistence by adding a malicious binary path or shell commands to rc.local or rc.common. Upon reboot, the system executes the file contents as root.

Triage and response

  1. Review the changes made to {{@file.path}} and confirm that they are part of normal system administration.
  2. If these changes are unauthorized, roll back the host in question to a known-good {{@file.path}}, or replace the system with a known-good system image.
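
A triage aid for step 1, added here as an example and not part of the rule or the Agent: it compares the flagged RC script with a known-good copy and lists the commands that were added or removed. The file contents and the paths inside them are constructed samples, and the known-good copy is assumed to come from a golden image or configuration management.

```python
import difflib
import hashlib

# Constructed sample: known-good rc.local taken from a golden image (assumption).
BASELINE = """#!/bin/sh -e
# rc.local
/usr/local/bin/start-metrics.sh
exit 0
"""

# Constructed sample: the same file as found on the host after the rule fired.
CURRENT = """#!/bin/sh -e
# rc.local
/usr/local/bin/start-metrics.sh
/opt/unknown/agent &
exit 0
"""

def digest(text):
    """SHA-256 of the full file text, used as a quick equality check."""
    return hashlib.sha256(text.encode()).hexdigest()

def commands(text):
    """Lines the shell would execute: blanks, comments and the shebang are skipped."""
    stripped = (raw.strip() for raw in text.splitlines())
    return [line for line in stripped if line and not line.startswith("#")]

def review(baseline, current):
    """Compare the current RC script with the known-good copy."""
    if digest(baseline) == digest(current):
        return {"changed": False, "added": [], "removed": []}
    added, removed = [], []
    # ndiff also emits "? " hint lines; only "+ " and "- " entries matter here.
    for entry in difflib.ndiff(commands(baseline), commands(current)):
        if entry.startswith("+ "):
            added.append(entry[2:])
        elif entry.startswith("- "):
            removed.append(entry[2:])
    return {"changed": True, "added": added, "removed": removed}

if __name__ == "__main__":
    result = review(BASELINE, CURRENT)
    print("changed:", result["changed"])
    for line in result["added"]:
        print("ADDED  ", line)    # commands that now run as root at boot
    for line in result["removed"]:
        print("REMOVED", line)    # startup commands that no longer run
```

A result with `changed` set and both lists empty means only comments or whitespace differ; the file still no longer matches the known-good copy.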

Requires Agent version 7.27 or greater.