AN0658: Analytic 0658
Detection of modified or newly created /etc/rc.local or /etc/init.d scripts followed by suspicious execution during system startup.
Analyst context for executives and security teams
This analytic matters because Linux startup scripts can turn a one-time system change into recurring execution after reboot. For leaders, the practical risk is persistence on servers that may support critical applications, identity infrastructure, or operational services. The key decision is whether the organization can prove it monitors changes to legacy startup locations such as /etc/rc.local and /etc/init.d and can connect those changes to execution during system startup.
Executive priority
Prioritize this as a Linux resilience and incident-readiness control validation. Security leaders should ask which Linux systems still use these startup paths, whether file-change and process-start telemetry is retained, and whether SOC playbooks distinguish approved administrative startup changes from suspicious persistence. This is also useful audit evidence for change monitoring and host hardening where Linux servers are in scope.
Technical view
For Linux hosts, validate monitoring for newly created or modified /etc/rc.local and /etc/init.d scripts, then correlate those changes with execution during system startup. Because no ATT&CK tactics or official detection logic were supplied, treat this as a behavioral analytic requiring local baselining: authorized service scripts, configuration-management activity, package installation, and administrator maintenance can all create benign noise. IR teams should be able to identify the modifying user/process, file contents, permissions, timestamps, and the process tree observed at boot.
Likely telemetry
- Linux file creation and modification events for /etc/rc.local and /etc/init.d
- File metadata such as owner, permissions, hashes, and timestamps
- Process execution telemetry during system startup
- Parent/child process relationships for startup-launched scripts
- Authentication or user context associated with script modification
Detection direction
- Confirm coverage on Linux systems for both file modification and startup-time process execution; either source alone is weaker than correlation.
- Baseline legitimate /etc/init.d and /etc/rc.local activity, especially on older systems or systems managed by automation.
- Tune for newly created scripts, unexpected permission changes, unusual owners, or script execution that does not match approved service inventory.
- Investigate recent modifications followed by execution after reboot or service startup, with attention to the modifying process and account.
- Document blind spots where endpoint telemetry, file integrity monitoring, or boot-time process logging is absent.
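The correlation described under Technical view and Detection direction, written out as an added Python example that is not part of the analytic or of Glexia's page: it joins constructed file-change records for /etc/rc.local and /etc/init.d with constructed boot-time process-start records, and reports only changes that are newly created, made by an unmanaged process, or that do not match an approved service inventory. The MANAGED_WRITERS and BOOT_PARENTS allowlists, the seven-day correlation window, and every sample event are assumptions to be replaced with local baselines and real FIM/audit and process telemetry.

```python
"""Correlate startup-script changes with boot-time execution (constructed sample data)."""
from datetime import datetime, timedelta

# Legacy startup locations this analytic covers.
STARTUP_FILES = {"/etc/rc.local"}
STARTUP_DIRS = ("/etc/init.d/",)

# Assumed allowlists (hypothetical, tune per environment): processes that legitimately
# write startup scripts, and the parent processes that run them during system startup.
MANAGED_WRITERS = {"dpkg", "rpm", "puppet", "ansible-playbook", "chef-client"}
BOOT_PARENTS = {"/sbin/init", "/lib/systemd/systemd", "/usr/lib/systemd/systemd"}


def is_startup_script(path: str) -> bool:
    """True for /etc/rc.local and anything directly under /etc/init.d/."""
    return path in STARTUP_FILES or any(path.startswith(d) for d in STARTUP_DIRS)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate(file_events, exec_events, approved_services, max_gap=timedelta(days=7)):
    """Return findings for boot-time executions preceded by a change to the same script.

    file_events: FIM/audit-style records {ts, path, action, user, proc}
    exec_events: process-start records {ts, exe, parent}
    approved_services: set of startup script paths expected on this host
    """
    changes_by_path = {}
    for ev in file_events:
        if is_startup_script(ev["path"]):
            changes_by_path.setdefault(ev["path"], []).append(ev)

    findings = []
    for ex in exec_events:
        if ex["parent"] not in BOOT_PARENTS or not is_startup_script(ex["exe"]):
            continue  # not a startup-time execution of a monitored script
        exec_time = _ts(ex["ts"])
        # most recent change to this script before the execution and within max_gap
        prior = [c for c in changes_by_path.get(ex["exe"], [])
                 if exec_time - max_gap <= _ts(c["ts"]) < exec_time]
        if not prior:
            continue
        change = max(prior, key=lambda c: _ts(c["ts"]))

        reasons = []
        if change["action"] == "create":
            reasons.append("newly created startup script")
        if ex["exe"] not in approved_services:
            reasons.append("script not in approved service inventory")
        if change["proc"] not in MANAGED_WRITERS:
            reasons.append(f"written by unmanaged process {change['proc']} as {change['user']}")
        if not reasons:
            continue  # approved script changed by managed tooling: baseline noise
        findings.append({
            "script": ex["exe"],
            "changed_at": change["ts"],
            "executed_at": ex["ts"],
            "modifying_user": change["user"],
            "modifying_process": change["proc"],
            "severity": "high" if len(reasons) >= 2 else "medium",
            "reasons": reasons,
        })
    findings.sort(key=lambda f: f["executed_at"])
    return findings


# Constructed sample telemetry (not real host data).
SAMPLE_FILE_EVENTS = [
    # package manager updating an approved service script: expected noise
    {"ts": "2024-05-01T09:10:00", "path": "/etc/init.d/nginx", "action": "modify", "user": "root", "proc": "dpkg"},
    # interactive shell creating rc.local
    {"ts": "2024-05-01T22:41:03", "path": "/etc/rc.local", "action": "create", "user": "root", "proc": "bash"},
    # new init.d script that matches no approved service
    {"ts": "2024-05-01T22:42:10", "path": "/etc/init.d/sysupd", "action": "create", "user": "root", "proc": "bash"},
    # old change, outside the correlation window
    {"ts": "2024-03-01T10:00:00", "path": "/etc/init.d/ssh", "action": "modify", "user": "root", "proc": "bash"},
    # unrelated file, ignored
    {"ts": "2024-05-01T22:50:00", "path": "/home/alice/notes.txt", "action": "modify", "user": "alice", "proc": "vim"},
]
SAMPLE_EXEC_EVENTS = [
    {"ts": "2024-05-02T07:00:04", "exe": "/etc/init.d/nginx", "parent": "/sbin/init"},
    {"ts": "2024-05-02T07:00:05", "exe": "/etc/rc.local", "parent": "/sbin/init"},
    {"ts": "2024-05-02T07:00:06", "exe": "/etc/init.d/sysupd", "parent": "/sbin/init"},
    {"ts": "2024-05-02T07:00:07", "exe": "/etc/init.d/ssh", "parent": "/sbin/init"},
    # same script run by an administrator later, not at boot: out of scope here
    {"ts": "2024-05-02T11:30:00", "exe": "/etc/init.d/sysupd", "parent": "/bin/bash"},
]
SAMPLE_APPROVED = {"/etc/init.d/nginx", "/etc/init.d/ssh"}


def run_sample():
    return correlate(SAMPLE_FILE_EVENTS, SAMPLE_EXEC_EVENTS, SAMPLE_APPROVED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity'].upper()}] {f['script']} changed {f['changed_at']} by "
              f"{f['modifying_user']}/{f['modifying_process']}, ran at boot {f['executed_at']}: "
              + "; ".join(f["reasons"]))
```

On the sample data the nginx change is suppressed because it is an approved service updated by a managed writer, the old ssh change falls outside the window, and the rc.local and sysupd executions are reported as high severity with the modifying user and process attached, which is the context the incident responders named in Technical view need first.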
Mitigation priorities
- Inventory Linux hosts that use /etc/rc.local or /etc/init.d startup mechanisms.
- Restrict write access to startup script locations to authorized administrators and managed automation.
- Use change control or file integrity monitoring for startup paths where supported by existing controls.
- Review and remove unnecessary legacy startup scripts to reduce monitoring noise and persistence opportunity.
- Ensure incident response procedures include collection of script contents, metadata, process lineage, and relevant change records.
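A file integrity and permission check for the startup paths named in the mitigation list, as an added Python example that is not from the page or from MITRE: it snapshots /etc/rc.local and every file under /etc/init.d beneath a given root, diffs the result against a stored baseline, and flags group- or world-writable modes and an unexpected owner. The run_sample function builds a constructed /etc tree in a temporary directory instead of reading a real host; the expected owner uid, the sample script contents and the 0o777 tamper are assumptions.

```python
"""Baseline and integrity check for legacy startup-script locations (constructed sample)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def startup_script_paths(root: str):
    """Yield rc.local and every regular file under init.d beneath root ('/' on a real host)."""
    base = Path(root)
    rc = base / "etc" / "rc.local"
    if rc.is_file():
        yield rc
    initd = base / "etc" / "init.d"
    if initd.is_dir():
        for p in sorted(initd.iterdir()):
            if p.is_file():
                yield p


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: str):
    """Map each script path (relative to root) to its hash, mode bits and owner uid."""
    out = {}
    for p in startup_script_paths(root):
        st = p.stat()
        rel = "/" + str(p.relative_to(root))
        out[rel] = {"sha256": sha256_of(p), "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    return out


def audit(current, baseline, expected_uid=0):
    """Compare a snapshot to a baseline; return a list of (path, issue) tuples."""
    issues = []
    for rel, meta in current.items():
        if rel not in baseline:
            issues.append((rel, "new startup script not in baseline"))
        elif meta["sha256"] != baseline[rel]["sha256"]:
            issues.append((rel, "content changed since baseline"))
        if meta["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append((rel, f"group/world-writable mode {oct(meta['mode'])}"))
        if meta["uid"] != expected_uid:
            issues.append((rel, f"unexpected owner uid {meta['uid']}"))
    for rel in baseline:
        if rel not in current:
            issues.append((rel, "baselined script removed"))
    return issues


def run_sample():
    """Build a constructed /etc tree in a temp dir, baseline it, tamper with it, and audit."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        initd = etc / "init.d"
        initd.mkdir(parents=True)
        (etc / "rc.local").write_text("#!/bin/sh\nexit 0\n")
        (initd / "nginx").write_text("#!/bin/sh\n# constructed nginx init script\n")
        for p in (etc / "rc.local", initd / "nginx"):
            p.chmod(0o755)
        baseline = snapshot(root)  # what change control would have recorded

        # Constructed tamper: rc.local gains a line, a new world-writable script appears.
        (etc / "rc.local").write_text("#!/bin/sh\n/usr/local/bin/unknown-agent &\nexit 0\n")
        (initd / "sysupd").write_text("#!/bin/sh\n")
        (initd / "sysupd").chmod(0o777)
        # expected_uid is the current user here because the temp files are ours;
        # on a real host this would be 0 (root).
        return audit(snapshot(root), baseline, expected_uid=os.getuid())


if __name__ == "__main__":
    for path, issue in run_sample():
        print(f"{path}: {issue}")
```

Run on a real host with root "/" and a baseline saved from a known-good build, the three kinds of result (unlisted script, changed content, writable or mis-owned file) map directly to the inventory, write-restriction and change-control items above, and the stored baseline is the approved inventory that the detection bullets ask teams to maintain.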
Analyst notes and limits
The supplied object is a detection analytic for Linux focused on modified or newly created /etc/rc.local or /etc/init.d scripts followed by suspicious execution during system startup. No relationships, tactics, aliases, or official detection query were provided, so this assessment emphasizes validation of telemetry and control coverage rather than a specific ATT&CK technique mapping.
This assessment is limited to the official STIX fields, the MITRE external reference, and the supplied relationship context. It does not establish active exploitation, adversary attribution, business impact, or guaranteed detection. Local Linux build standards, startup mechanisms, logging depth, and change-management practices must be consulted to determine coverage and priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b72f9fcf52dc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0658 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.