Skip to content

DET0237 Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts

Item Value
ID DET0237
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1037.004 (RC Scripts)

Analytics

Linux

AN0658

Detection of modified or newly created /etc/rc.local or /etc/init.d scripts followed by suspicious execution during system startup.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Script Execution (DC0029) linux:syslog boot logs
Mutable Elements
Field Description
script_path Specific path of init script (e.g., /etc/rc.local, /etc/init.d/*) may vary by distribution
user_context Root vs. non-root modification context depending on configuration
time_window Tuning window for script creation or modification relative to system boot

macOS

AN0659

Detection of edits or additions to /etc/rc.common, /Library/StartupItems, or /System/Library/StartupItems and associated script execution during login or reboot.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process events
File Creation (DC0039) fs:fsusage file activity
Mutable Elements
Field Description
script_name Name of script or LaunchDaemon plist is tunable across environments
event_interval Time window between modification and reboot/login
file_permission Permissions on modified RC files can vary between systems

ESXi

AN0660

Detection of changes to /etc/rc.local.d/local.sh or rc.local during post-boot script execution with abnormal commands or additions.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:syslog boot logs
File Modification (DC0061) esxi:shell admin command usage
Mutable Elements
Field Description
script_section Tunable script section edited by adversary (beginning, end, inline)
command_type Nature of embedded command or payload affects detection scope
execution_trigger Boot vs. manual script re-invocation

Network Devices

AN0661

Detection of modified boot-time configuration scripts that persist malicious CLI commands across reboots.

Log Sources
Data Component Name Channel
File Modification (DC0061) networkdevice:syslog startup-config
Command Execution (DC0064) networkdevice:syslog system boot logs
Mutable Elements
Field Description
firmware_family Device type or OS determines specific init script location
config_line_pattern Regex or pattern matching approach to detect suspicious CLI
reboot_time_window Time window between config change and first boot post-modification