MITRE ATT&CK® Detection Strategy

DET0237: Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts


Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0237 is a MITRE detection strategy object for detecting ATT&CK technique T1037.004, RC Scripts. The business issue is persistence: on Unix-like systems, RC startup scripts run during boot, so attacker-controlled commands or binaries added to them execute again after every reboot, helping access survive routine recovery actions such as restarts. Because modifying these scripts requires root and their contents run as root, evidence around these files also informs privilege-escalation investigations and post-incident scoping.

Executive priority

Treat this as a control-validation item for resilience on Linux, macOS, network devices, and ESXi where RC-style startup scripts exist. Leaders should ask whether the organization can prove who changed startup scripts, when they changed, and whether those changes are authorized. This matters for incident response confidence, audit evidence around privileged administration, and recovery planning because persistence in startup paths can survive reboots and undermine containment if not checked.

Technical view

The supplied detection-strategy object has no official detection text or platforms of its own, but it detects T1037.004, RC Scripts, which is associated with persistence and privilege escalation on macOS, Linux, network devices, and ESXi. SOC and IR teams should validate monitoring around creation, modification, permission changes, and content changes to rc.local, rc.common, and distribution- or appliance-specific RC scripts. Detection engineering should focus on distinguishing approved administrative startup configuration from unexpected additions of binary paths or shell commands, especially changes made by privileged accounts outside maintenance windows. A content baseline is the practical anchor for that distinction: a one-line addition that launches a new binary is easy to miss in raw file-modification events alone.

Likely telemetry

  • File integrity or file modification events for RC script paths such as rc.local, rc.common, and platform-specific startup script locations
  • Privileged account activity associated with editing or replacing startup scripts
  • Process execution telemetry showing editors, shell commands, or administrative tools modifying startup initialization files
  • Authentication and session logs for root or sudo-level activity preceding RC script changes
  • Configuration management or change-control records to compare approved startup script changes against observed changes

Detection direction

  • Inventory which in-scope systems actually use RC scripts; the detection-strategy object itself does not specify platforms, so coverage should be driven by the platforms listed for T1037.004 and by local architecture.
  • Baseline legitimate RC script contents and approved owners, then alert on unexpected content additions, ownership changes, permission changes, or replacement of these files.
  • Tune detections against known configuration-management activity and scheduled maintenance to reduce false positives from legitimate administrators.
  • Prioritize alerts where RC script modification is paired with privileged authentication, sudo/root activity, or execution of newly referenced binaries or shell commands.
  • During incident response, check RC scripts as part of persistence review before declaring containment complete, especially after reboots or credential resets.
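As an added example covering the technical view and the detection-direction bullets above (this is not code from the Glexia page or from MITRE's DET0237 object), the following Python runs that logic over constructed telemetry: file-change events on RC script paths are correlated with the acting account, a maintenance window, and a known-good content baseline, and only unapproved launch lines or out-of-process changes raise alerts. The RC script paths, the auditd-style `key=value` event format, the approved automation account `ansible`, the maintenance window, and the allowlisted binary are all assumptions to replace with local values.

```python
"""Added example (not code from the Glexia page or from MITRE's DET0237 object).

Correlates constructed RC-script file-change events with actor, time window and
a content baseline, as described in the 'Detection direction' bullets.
Paths, event format, approved actor, window and allowlist are assumptions.
"""
from datetime import datetime, time
import re

# Assumed in-scope RC script paths; confirm per platform before deployment.
RC_SCRIPT_PATHS = {
    "/etc/rc.local",             # common Linux location
    "/etc/rc.common",            # legacy macOS location
    "/etc/rc.local.d/local.sh",  # ESXi local startup script
}
APPROVED_ACTORS = {"ansible"}                  # assumed configuration-management account
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))  # assumed daily window, UTC
ALLOWED_BINARIES = {"/usr/local/bin/monitoring-agent"}  # assumed approved startup binaries

# Constructed auditd-style "key=value" records; not captures from any real host.
SAMPLE_EVENTS = [
    "ts=2024-05-01T02:30:00 op=write path=/etc/rc.local auid=1001 actor=ansible comm=ansible-playbook",
    "ts=2024-05-01T13:05:12 op=write path=/etc/rc.local.d/local.sh auid=1002 actor=jdoe comm=vi",
    "ts=2024-05-01T13:05:40 op=chmod path=/etc/rc.local.d/local.sh auid=1002 actor=jdoe comm=chmod mode=0777",
    "ts=2024-05-01T13:07:00 op=write path=/etc/motd auid=1002 actor=jdoe comm=vi",
]
# Constructed known-good baseline and the content observed after the events above.
BASELINE = {
    "/etc/rc.local": "#!/bin/sh -e\nexit 0\n",
    "/etc/rc.local.d/local.sh": "#!/bin/sh\nexit 0\n",
}
OBSERVED = {
    "/etc/rc.local": "#!/bin/sh -e\n/usr/local/bin/monitoring-agent --start\nexit 0\n",
    "/etc/rc.local.d/local.sh": "#!/bin/sh\n/bin/sh -c 'nohup /tmp/.cache/svc >/dev/null 2>&1 &'\nexit 0\n",
}

PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")  # absolute paths inside a script line
PRIMITIVE_RE = re.compile(r"\b(curl|wget|nc|ncat|nohup|base64|python[23]?)\b|\b(ba)?sh -c\b")


def parse_event(line):
    """Split a 'k=v k=v' record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def in_maintenance_window(ts):
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() <= end


def is_suspicious_line(line):
    """True for a line that launches something not on the allowlist."""
    s = line.strip()
    if not s or s.startswith("#") or s == "exit 0":
        return False
    if PRIMITIVE_RE.search(s):  # download/shell primitives are never expected here
        return True
    return any(p not in ALLOWED_BINARIES for p in PATH_RE.findall(s))


def added_launch_lines(path, baseline, observed):
    """Lines in the observed script that are absent from the baseline and look like launches."""
    known = set(baseline.get(path, "").splitlines())
    return [l for l in observed.get(path, "").splitlines()
            if l not in known and is_suspicious_line(l)]


def evaluate(events, baseline, observed):
    alerts = []
    for raw in events:
        ev = parse_event(raw)
        if ev["path"] not in RC_SCRIPT_PATHS:
            continue  # not a startup script; out of scope for this detection
        reasons = []
        if ev["actor"] not in APPROVED_ACTORS:
            reasons.append(f"actor {ev['actor']} (auid {ev['auid']}) is not an approved RC script owner")
        if not in_maintenance_window(datetime.fromisoformat(ev["ts"])):
            reasons.append("change made outside the maintenance window")
        if ev["op"] == "chmod":
            reasons.append(f"permission change to mode {ev.get('mode', '?')}")
        added = added_launch_lines(ev["path"], baseline, observed) if ev["op"] == "write" else []
        if added:
            reasons.append("unapproved launch line(s) added: " + " | ".join(added))
        if not reasons:
            continue  # approved actor, in window, no unexpected content: routine change
        # Content change paired with an unexpected actor or time is the priority case.
        severity = "high" if added and len(reasons) > 1 else "medium"
        alerts.append({"path": ev["path"], "actor": ev["actor"], "ts": ev["ts"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, BASELINE, OBSERVED):
        print(f"[{a['severity'].upper()}] {a['ts']} {a['path']} by {a['actor']}")
        for r in a["reasons"]:
            print("   -", r)
```

Run directly, the in-window change by the automation account that adds an allowlisted binary produces no alert, the off-hours edit that adds a `nohup` launch of a binary under /tmp is rated high, and the follow-up chmod to 0777 is rated medium so it still reaches a reviewer. In a real deployment the baseline and observed content would come from the file-integrity tool rather than inline constants.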

Mitigation priorities

  • Restrict write access to RC scripts to authorized privileged administrators only.
  • Use change control and configuration management to maintain known-good startup script contents.
  • Collect and retain file-change and privileged activity logs from systems where RC scripts are present.
  • Periodically review startup scripts for unauthorized commands, binary paths, ownership, or permissions.
  • Include RC script validation in Linux, macOS, network device, and ESXi hardening and incident recovery checklists where applicable.
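An added example for the periodic ownership and permission review in the mitigation list above (not code from the Glexia page or from MITRE's DET0237 object): the check logic takes lstat fields so it can be exercised without root, and `review_path` applies it to each script and its parent directory on a live host, since a writable parent directory lets an unprivileged user replace or add startup scripts. The path list and the expectation that scripts are root-owned, not group/world writable, not symlinks and not setuid are assumptions; network-device and appliance paths must be supplied locally.

```python
"""Added example (not code from the Glexia page or from MITRE's DET0237 object).

Periodic review of RC script ownership and permissions. Path list and the
root-owned / not-writable-by-others expectation are assumptions.
"""
import os
import stat

# Assumed review targets; add network-device and appliance paths locally.
RC_SCRIPT_PATHS = ["/etc/rc.local", "/etc/rc.common", "/etc/rc.local.d/local.sh"]
ROOT_UID = 0
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def review_stat(path, st_mode, st_uid, is_dir=False):
    """Findings for one path from its lstat fields (pure, so it is testable without root)."""
    findings = []
    what = "directory" if is_dir else "script"
    if stat.S_ISLNK(st_mode):
        # Link mode bits are meaningless; the target needs its own review.
        findings.append(f"{path}: is a symlink; the executed content lives elsewhere")
        return findings
    if st_uid != ROOT_UID:
        findings.append(f"{path}: {what} owned by uid {st_uid}, expected root")
    if st_mode & WRITABLE_BY_OTHERS:
        findings.append(f"{path}: {what} is group/world writable (mode {oct(stat.S_IMODE(st_mode))})")
    if not is_dir and st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append(f"{path}: setuid/setgid bit set on a startup script")
    return findings


def review_path(path):
    """Review a script and its parent directory on the live filesystem."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings  # absent on this platform; nothing to review
    findings += review_stat(path, st.st_mode, st.st_uid)
    parent = os.path.dirname(path)
    pst = os.lstat(parent)
    findings += review_stat(parent, pst.st_mode, pst.st_uid, is_dir=True)
    return findings


def review_all(paths=RC_SCRIPT_PATHS):
    return {p: review_path(p) for p in paths}


if __name__ == "__main__":
    for path, findings in review_all().items():
        print(f"{'OK' if not findings else 'REVIEW':6} {path}")
        for f in findings:
            print("   -", f)
```

Schedule it from the same configuration-management run that maintains the known-good script contents, so a finding is compared against an approved change rather than reviewed in isolation.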

Analyst notes and limits

This Glexia take is based on the supplied MITRE detection strategy DET0237 and its relationship to T1037.004 RC Scripts. The value is primarily in validating defensive coverage for a known persistence and privilege-escalation behavior rather than interpreting detailed detection logic, because the official detection and description fields for DET0237 were not provided.

The detection-strategy object itself lists no official description, detection text, platforms, or tactics. Platform and tactic context comes only from the supplied relationship to T1037.004. Local path names, logging sources, and legitimate administrative patterns must be confirmed in the customer environment before implementing or scoring coverage.

Official MITRE ATT&CK definition

Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1037.004
Name: RC Scripts (sub-technique)
Relationship / procedure: This object detects RC Scripts.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: not recorded in the mirrored snapshot
Modified: not recorded in the mirrored snapshot
Raw hash: 370cd3fd13015056...

Imported snapshots across ATT&CK releases (1)

Release: 19.1; Object version: 1.0; Status: Current bundle; Raw hash: 370cd3fd1301…; Bundle imported and Modified: not recorded
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0237
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.