RC Scripts

Information

• Name: RC Scripts

• ID: T1037.004

• Tactics: TA0003, TA0004

• Technique: T1037

Introduction

RC Scripts (T1037.004) is a sub-technique within the MITRE ATT&CK framework under the Persistence tactic, specifically categorized under Boot or Logon Autostart Execution (T1037). Attackers leverage RC scripts, typically found in Unix-like operating systems, to maintain persistence by automatically executing commands or scripts upon system startup or reboot. RC scripts are traditionally used for initializing system services and configurations, making them attractive targets for adversaries seeking stealthy and persistent access.

Deep Dive Into Technique

RC scripts are shell scripts located in directories such as /etc/rc.d/, /etc/init.d/, or /etc/rcX.d/ (where X represents runlevel numbers). These scripts execute automatically during the boot-up process or when changing runlevels, making them ideal for persistent malicious code execution.

Technical details include:

• Script Location and Structure:

  • Common directories:

    • /etc/init.d/

    • /etc/rc.d/

    • /etc/rcX.d/ (runlevel-specific directories such as rc0.d, rc1.d, rc2.d, rc3.d, rc4.d, rc5.d, rc6.d)

  • Naming conventions typically include a prefix indicating startup order, e.g., S20scriptname (start) or K20scriptname (kill).

  • Scripts generally follow standard shell scripting syntax and include execution permissions.

• Persistence Mechanism:

  • Attackers insert malicious code or scripts into existing legitimate RC scripts or create new scripts altogether.

  • Scripts execute automatically upon reboot or runlevel changes, ensuring persistence across system restarts.

  • Malicious scripts often contain commands to:

    • Open reverse shells or backdoors.

    • Execute remote payload retrieval and execution.

    • Modify system configurations for further exploitation.

• Privilege Requirements:

  • Typically requires root or administrative privileges to modify or create scripts in protected directories.

  • Attackers usually escalate privileges first to place malicious scripts in system directories.

• Common Commands and Techniques:

  • Bash or sh scripting commands to execute payloads.

  • Use of wget or curl to retrieve additional payloads from remote servers.

  • Execution of binaries or scripts hidden in less conspicuous locations on the filesystem.

  • Obfuscation techniques to evade detection by security tools.

When this Technique is Usually Used

Attackers typically use RC Scripts for persistence after initial compromise and privilege escalation. Common scenarios include:

• Post-Exploitation Persistence:

  • After successful initial access and privilege escalation, attackers deploy RC scripts to maintain long-term access.

  • Commonly used following exploitation of vulnerabilities, phishing attacks, or credential compromise.

• Advanced Persistent Threat (APT) Campaigns:

  • APT actors frequently leverage RC scripts to maintain low-profile, persistent footholds in targeted environments.

  • Suitable for long-term espionage campaigns requiring stealthy and reliable persistence mechanisms.

• Malware Deployment and Backdoor Installation:

  • Attackers embedding malware or backdoors into RC scripts to ensure automatic execution upon system reboot.

  • Commonly used in ransomware, cryptomining, or botnet operations.

• System Reboots or Scheduled Maintenance:

  • Attackers exploit scheduled system reboots or maintenance windows to activate malicious scripts.

  • Ideal for environments with frequent reboots or scheduled downtime, as malicious scripts blend into legitimate startup activities.

How this Technique is Usually Detected

Detection of malicious RC scripts involves multiple methods, including:

• File Integrity Monitoring (FIM):

  • Monitoring changes to critical directories:

    • /etc/init.d/

    • /etc/rc.d/

    • /etc/rcX.d/

  • Detecting unauthorized script additions, modifications, or deletions.

• Audit Logging and Monitoring:

  • Leveraging auditd rules to log changes to RC script directories.

  • Monitoring for suspicious file creation, modification, or permission changes.

• Behavioral Analysis:

  • Analyzing system behavior at boot time for unusual processes, network connections, or resource usage.

  • Utilizing tools such as ps, netstat, lsof, or top to identify anomalous processes initiated at startup.

• Endpoint Detection and Response (EDR) Tools:

  • Automated detection of suspicious file creation and execution patterns.

  • Alerting on suspicious processes spawned from RC scripts.

• Indicators of Compromise (IoCs):

  • Unrecognized or newly created scripts in RC directories.

  • Suspicious script names or unusual execution permissions.

  • Known malicious domains or IP addresses accessed at boot.

  • Unusual cron jobs or scheduled tasks pointing to RC scripts.

Why it is Important to Detect This Technique

Timely detection of malicious RC scripts is critical due to several potential impacts:

• Persistent Access and Long-Term Compromise:

  • Attackers maintain persistent footholds, enabling prolonged espionage, data exfiltration, or lateral movement.

• System Stability and Integrity Risks:

  • Malicious scripts may cause system instability, crashes, or performance degradation.

  • Unauthorized modifications can lead to unpredictable behavior during critical system operations.

• Data Exfiltration and Intellectual Property Theft:

  • Persistent access facilitates continuous data theft, potentially leading to severe financial and reputational damages.

• Deployment of Additional Malware:

  • RC scripts can be leveraged to deploy ransomware, cryptominers, or other payloads, exacerbating the damage and recovery costs.

• Stealth and Evasion of Security Controls:

  • Attackers often leverage RC scripts to evade traditional security measures, highlighting the importance of proactive detection and monitoring.

Early detection allows organizations to quickly mitigate threats, reduce damage, and minimize recovery and remediation costs.

Examples

Real-world examples demonstrating the use of RC scripts for persistence:

• Operation Windigo (Ebury SSH Rootkit):

  • Attackers installed RC scripts containing commands to launch Ebury SSH backdoor upon reboot.

  • Impact:

    • Persistent remote access to compromised servers.

    • Theft of SSH credentials and further lateral movement.

• Linux/Mumblehard Malware Campaign:

  • Malware installed RC startup scripts to launch spam bots and proxy servers automatically.

  • Impact:

    • Persistent spam campaign infrastructure.

    • Compromised servers used to send unsolicited emails and facilitate further infections.

• Skidmap Linux Malware:

  • Cryptomining malware leveraging RC scripts to persistently mine cryptocurrency.

  • Impact:

    • Excessive resource consumption leading to degraded system performance.

    • Financial losses due to unauthorized resource use.

• HiddenWasp Linux Malware:

  • Malware inserting malicious RC scripts to execute payloads at system startup.

  • Impact:

    • Persistent remote access and lateral movement capabilities.

    • Difficult to detect due to stealthy behavior and obfuscation methods.

These examples highlight the diverse usage of RC scripts by attackers, emphasizing the importance of robust detection and monitoring strategies to mitigate risks effectively.