MITRE ATT&CK® Technique

T1037.004: RC Scripts

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Adversaries may establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.[1][2] Upon reboot, the system executes the script's contents as root, resulting in persistence.

Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.[3] As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging `/etc/rc.local.d/local.sh` is one of the few mechanisms for enabling persistence across reboots.[4]

Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd.[5][6] This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.[7] To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.[8]

Domain: Enterprise | ID: T1037.004 | Type: Sub-technique | Object version: 2.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

RC Scripts matter because they are startup files on Unix-like systems that can cause code to run automatically, often as root, after a reboot. For leaders, the risk is not just malware persistence on Linux or legacy macOS; ATT&CK also highlights ESXi, network devices, IoT, and embedded-style environments where startup mechanisms may be one of the few durable places an adversary can survive restarts.

Executive priority

Prioritize this where Linux servers, ESXi hypervisors, network devices, or older Unix-like/macOS systems support business-critical services. The key business question is whether the organization can prove that startup scripts are owned, permissioned, monitored, and baselined. This technique is relevant to resilience and incident decision-making because a reboot does not necessarily remove the threat if RC scripts or compatibility startup paths remain writable or unmonitored.

Technical view

Validate controls around RC startup paths such as rc.local, rc.common, distribution-specific RC scripts, and ESXi /etc/rc.local.d/local.sh where applicable. ATT&CK provides no official detection text for this object, but it does link a detection strategy, DET0237, for Boot or Logon Initialization Scripts: RC Scripts. SOC and IR teams should confirm whether they can detect unauthorized content changes, suspicious command additions, unexpected binary paths, and root-level persistence behavior across the listed platforms: macOS, Linux, Network Devices, and ESXi. Treat macOS coverage carefully because RC mechanisms are deprecated in favor of Launchd and mainly relevant to older compatibility scenarios.

Likely telemetry

  • File integrity monitoring or equivalent change records for RC script locations
  • File ownership and permission state for startup scripts and parent directories
  • Endpoint or server process execution telemetry showing commands launched during boot
  • Linux/macOS/ESXi system logs related to startup, boot, and service initialization
  • Administrative authentication and privilege-use logs tied to root-level file modification

Detection direction

  • Baseline expected RC script contents and alert on unauthorized additions of shell commands or binary paths.
  • Correlate RC script modification with privileged user activity because ATT&CK notes root privileges are required to modify these files.
  • Separate legitimate administrator maintenance from suspicious changes by using change tickets, maintenance windows, and known-good configuration baselines.
  • Do not assume systemd or Launchd migration eliminates exposure; ATT&CK notes some systems retain compatibility behavior when RC files exist with correct permissions.
  • For ESXi and appliance-like systems, validate persistence monitoring explicitly because normal endpoint tooling may not collect the needed file and boot telemetry.

Mitigation priorities

  • Apply M1022: restrict file and directory permissions on RC scripts and related startup directories.
  • Remove unnecessary write permissions and enforce least privilege for accounts and processes that can alter startup files.
  • Maintain known-good startup script baselines for Linux, ESXi, network devices, and legacy macOS systems where relevant.
  • Include RC script inspection in incident response containment and eradication checks before declaring a rebooted system clean.
  • For platforms where RC scripts are deprecated, prefer supported startup mechanisms and verify that compatibility RC paths are not unintentionally enabled.
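The detection and mitigation bullets above, together with the Ubuntu compatibility behavior described in the technique text, reduce to a handful of checks a host can run on itself. The POSIX shell script below is an added example written for this page; it is not code from MITRE ATT&CK or from Glexia's tooling. It treats an RC script as live when the file exists and is executable (the condition systemd-rc-local-generator uses before starting rc-local.service), reports non-root ownership and group/world write bits (the M1022 check), compares the file's SHA-256 with a known-good baseline, and flags executable lines that reference tmp or home directories, download-piped-to-shell constructs, or base64 decoding. The candidate path list, the line heuristics, and the two sample rc.local files it builds in a temporary directory are constructed assumptions; on a real host you would iterate over RC_PATHS with baseline digests recorded when the system was built.

```shell
#!/bin/sh
# Added example, not part of the ATT&CK entry: audit the RC-script paths this technique
# abuses. POSIX sh; written for GNU coreutils and BusyBox (ESXi) userlands.
# The path list, the "suspicious line" heuristics and the sample scripts are assumptions.

# Startup scripts named in the technique text; the last one is the ESXi path.
RC_PATHS="/etc/rc.local /etc/rc.d/rc.local /etc/rc.common /etc/rc.local.d/local.sh"

# rc_active FILE: true when systemd's compatibility generator (systemd-rc-local-generator)
# would run the script at boot, i.e. the file exists and is executable. Deprecated != inactive.
rc_active() { [ -f "$1" ] && [ -x "$1" ]; }

# rc_check_perms FILE: one FINDING line per permission problem (the M1022 check):
# owner other than root, group-writable, or world-writable. Always returns 0.
rc_check_perms() {
  mode=$(ls -ld "$1" | awk '{print $1}')
  owner=$(ls -ld "$1" | awk '{print $3}')
  if [ "$owner" != root ]; then echo "FINDING $1 owned by $owner, expected root"; fi
  # ls mode string: chars 2-4 user, 5-7 group, 8-10 other; a 'w' at 6 or 9 means writable.
  case "$(printf '%s' "$mode" | cut -c6)" in w) echo "FINDING $1 is group-writable ($mode)";; esac
  case "$(printf '%s' "$mode" | cut -c9)" in w) echo "FINDING $1 is world-writable ($mode)";; esac
  return 0
}

# rc_digest FILE: SHA-256 hex digest (sha256sum on Linux/ESXi, shasum on macOS).
rc_digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# rc_check_baseline FILE EXPECTED_SHA256: FINDING line when content drifted from the
# known-good baseline (the "baseline expected contents" direction above). Always returns 0.
rc_check_baseline() {
  actual=$(rc_digest "$1")
  if [ "$actual" != "$2" ]; then echo "FINDING $1 content changed: $actual != baseline $2"; fi
  return 0
}

# rc_flag_lines FILE: print executable lines (not comments or blank) that match heuristics
# for a dropped payload: paths under tmp/home dirs, download piped to a shell, base64 decode.
rc_flag_lines() {
  grep -v -E '^[[:space:]]*(#|$)' "$1" | grep -E \
    -e '/(tmp|var/tmp|dev/shm|home|root)/[^[:space:]]*' \
    -e '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' \
    -e 'base64[[:space:]]+(-d|--decode)' || true
}

# rc_audit FILE EXPECTED_SHA256: run every check on one path, printing INFO/FINDING lines.
# A missing file is not a finding (nothing will run). Always returns 0.
rc_audit() {
  if [ ! -f "$1" ]; then echo "INFO $1 absent"; return 0; fi
  if rc_active "$1"; then echo "INFO $1 is executable (rc-local generator would run it)"; fi
  rc_check_perms "$1"
  rc_check_baseline "$1" "$2"
  rc_flag_lines "$1" | while IFS= read -r line; do echo "FINDING $1 suspicious line: $line"; done
  return 0
}

# rc_finding_count FILE EXPECTED_SHA256: number of FINDING lines rc_audit produces.
rc_finding_count() { rc_audit "$1" "$2" | grep -c '^FINDING' || true; }

# rc_make_samples DIR: write two CONSTRUCTED sample rc.local files for the demo:
# rc.local.good is the admin baseline; rc.local.bad adds a payload before "exit 0"
# (so the script still "works") and is left world-writable.
rc_make_samples() {
  printf '%s\n' '#!/bin/sh' '# site baseline: start local monitoring agent' \
    '/usr/local/bin/site-agent --daemon' 'exit 0' > "$1/rc.local.good"
  chmod 0755 "$1/rc.local.good"
  printf '%s\n' '#!/bin/sh' '# site baseline: start local monitoring agent' \
    '/usr/local/bin/site-agent --daemon' \
    'nohup /var/tmp/.cache/update >/dev/null 2>&1 &' 'exit 0' > "$1/rc.local.bad"
  chmod 0777 "$1/rc.local.bad"
}

# Demo on constructed samples so the example runs offline. On a real host, loop over
# $RC_PATHS with the baseline digests recorded at deployment instead.
demo_dir=$(mktemp -d)
rc_make_samples "$demo_dir"
baseline=$(rc_digest "$demo_dir/rc.local.good")
for f in "$demo_dir/rc.local.good" "$demo_dir/rc.local.bad"; do
  echo "== $f"; rc_audit "$f" "$baseline"
done
rm -rf "$demo_dir"
```

Run rc_digest against each RC path on a freshly built host to capture the baseline values. On systemd hosts, `systemctl cat rc-local.service` shows the compatibility unit the generator enables and `systemctl is-active rc-local.service` tells you whether it ran during the current boot, which is the quickest way to confirm that "deprecated" does not mean "disabled" on a given image.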

Analyst notes and limits

Relationship context shows this sub-technique belongs to T1037 Boot or Logon Initialization Scripts and is associated in ATT&CK with persistence and privilege escalation. ATT&CK relationships also list use by APT29, Velvet Ant, UNC3886, and software including iKitten, HiddenWasp, Cyclops Blink, and Green Lambert; this should be used as threat-informed context, not as evidence of current activity in any environment.

The official ATT&CK detection field is not provided, so detection recommendations are derived from the technique description, platforms, tactics, mitigation relationship, and DET0237 relationship only. Local platform versions, startup compatibility behavior, logging depth, and administrative processes determine actual exposure and coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID    | Name                                 | Relationship / procedure
Enterprise | T1037 | Boot or Logon Initialization Scripts | This object is a sub-technique of Boot or Logon Initialization Scripts.
Enterprise | T1163 | Rc.common                            | Rc.common was revoked by this object.
Associated objects

Groups, software, and campaigns

Group Enterprise

G1047: Velvet Ant

Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.[1][2]

Group Enterprise

G1048: UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Malware Enterprise

S0394: HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[1]

Platforms: Linux
Malware Enterprise

S0690: Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]

Platforms: Windows, iOS, macOS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.2
Raw hash: d14ed29fc8127032...

Imported snapshots across ATT&CK releases (1)

Release | Object version | Status         | Raw hash
19.1    | 2.2            | Current bundle | d14ed29fc812…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Iran Threats. (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020. (source record: IranThreats Kittens Dec 2017)
  [2] Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. (source record: Intezer HiddenWasp Map 2019)
  [3] Litvak, P. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020. (source record: intezer-kaiji-malware)
  [4] Langton, A. (2022, December 9). A Custom Python Backdoor for VMWare ESXi Servers. Retrieved March 26, 2025. (source record: Juniper Networks ESXi Backdoor 2022)
  [5] Apple. (2016, September 13). Daemons and Services Programming Guide - Creating Launch Daemons and Agents. Retrieved February 24, 2021. (source record: Apple Developer Doco Archive Launchd)
  [6] Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017. (source record: Startup Items)
  [7] Wardle, P. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. (source record: Methods of Mac Malware Persistence)
  [8] Canonical Ltd. (n.d.). systemd-rc-local-generator - Compatibility generator for starting /etc/rc.local and /usr/sbin/halt.local during boot and shutdown. Retrieved February 23, 2021. (source record: Ubuntu Manpage systemd rc)
  [9] MITRE ATT&CK. T1037.004: RC Scripts. (source record: mitre-attack T1037.004)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.