RC scripts modified

Goal

Detect modifications to RC script files (rc.local and rc.common).

Strategy

RC scripts allow system administrators to map and start custom services at startup for different run levels. Attackers can establish persistence by adding a malicious binary path or shell commands to rc.local or rc.common. Upon reboot, the system executes the file contents as root.
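As an added example (not part of this rule page and not Datadog's detection logic), the following Python snippet shows the basic check behind such a rule: record a SHA-256 baseline of the RC scripts and report any file whose content later differs, was created, or was removed. The default paths /etc/rc.local and /etc/rc.common are assumptions; the demo runs against constructed files in a temporary directory so it is safe to execute offline.

```python
"""Detect changes to RC startup scripts by comparing them against a hash baseline.

Added example: file paths below are assumptions, and the demo() scenario uses
constructed files in a temporary directory rather than the real system.
"""
import hashlib
import os
import tempfile

# Assumed locations of the scripts the rule watches.
RC_SCRIPT_PATHS = ["/etc/rc.local", "/etc/rc.common"]


def sha256_of_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Map each watched path to its current digest, or None if it does not exist."""
    return {p: (sha256_of_file(p) if os.path.exists(p) else None) for p in paths}


def classify(expected, current):
    """Compare a baseline digest with the current one; None means no change."""
    if current == expected:
        return None
    if expected is None:
        return "created"
    if current is None:
        return "deleted"
    return "modified"


def check_rc_scripts(paths, baseline):
    """Return a list of (path, event) for every script that diverges from baseline."""
    findings = []
    for p in paths:
        current = sha256_of_file(p) if os.path.exists(p) else None
        event = classify(baseline.get(p), current)
        if event is not None:
            findings.append((p, event))
    return findings


def demo():
    """Constructed scenario: take a baseline, then change rc.local and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        rc_local = os.path.join(tmp, "rc.local")
        rc_common = os.path.join(tmp, "rc.common")
        with open(rc_local, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")  # constructed, benign content
        with open(rc_common, "w") as fh:
            fh.write("# constructed rc.common placeholder\n")
        paths = [rc_local, rc_common]
        baseline = build_baseline(paths)
        # Unchanged files produce no findings.
        assert check_rc_scripts(paths, baseline) == []
        # Any edit to the file, even an appended comment line, changes the digest.
        with open(rc_local, "a") as fh:
            fh.write("# constructed change for the demo\n")
        return [event for _, event in check_rc_scripts(paths, baseline)]


if __name__ == "__main__":
    print(demo())  # ['modified']
```

In a real deployment the baseline would be stored outside the monitored host (or signed), since an attacker who can edit rc.local can usually also edit a local hash file; the agent-based rule described on this page avoids that problem by watching the write itself rather than polling hashes.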

Triage and response

  1. Review and confirm that the changes made to {{@file.path}} are part of normal system administration.
  2. If these changes are unauthorized, roll back the host in question to a known-good {{@file.path}}, or replace the system with a known-good system image.

Requires Agent version 7.27 or greater.