RC scripts modified

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1037-boot-or-logon-initialization-scripts

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect modifications to RC script files (rc.local and rc.common).

Strategy

RC scripts allow system administrators to map and start custom services at startup for different run levels. Attackers can establish persistence by adding a malicious binary path or shell commands to rc.local or rc.common. Upon reboot, the system executes the file contents as root.

Triage and response

  1. Review and confirm the changes made to {{@file.path}} are a part of normal system administration.
  2. If these changes are unauthorized, roll back the host in question to a known good {{@file.path}}, or replace the system with a known-good system image.

Requires Agent version 7.27 or greater.