Potential Execution of rc.local Script

Elastic Detection Rules

Summary
This rule detects potential execution of the `/etc/rc.local` script on Linux hosts. `/etc/rc.local` is a legacy boot-time initialization script; on systemd-based distributions it is run by `rc-local.service`, and many distributions no longer enable it by default. Because it runs as root on every boot, attackers add commands to it (or create it where it is absent) to persist on a compromised system.

Processes launched from `rc.local` start before Elastic Defend initializes, so their execution (`start`) events are never ingested. The rule instead matches on the `already_running` event type, which Elastic Defend generates for processes that were already running when it started, and looks for such processes whose parent was invoked with `/etc/rc.local`. A match therefore means a command started from `rc.local` is still running and should be treated as possible persistence.

Suggested investigation: review file-integrity and audit logs for changes to `/etc/rc.local`, inspect the script for unauthorized commands, examine the process tree of the matched process for unusual children or network activity, and correlate with other alerts on the same host. The rule's response guide covers isolating the host, scanning it for further indicators of compromise, and updating policy to reduce the risk of recurrence.
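The detection logic and the triage step described above, as an added example that is not Elastic's rule code. It assumes ECS-style Elastic Defend process documents (`host.os.type`, `event.type` as a list, `process.args`, `process.parent.args`) and approximates the rule condition as "a Linux process with event type `already_running` whose parent was invoked with `/etc/rc.local`"; the exact query should be taken from the published rule source. The sample events, the sample `rc.local` content and the suspicious-token list are all constructed for this example.

```python
"""Added example (not Elastic's rule code): replay the rc.local detection
logic over constructed ECS-style events, then triage the script content.

Assumptions (mine, not from the rule page): events are ECS documents with
host.os.type, event.type (a list), process.args and process.parent.args;
the rule condition is approximated as an `already_running` Linux process
whose parent command line contains `/etc/rc.local`.
"""
from __future__ import annotations

RC_LOCAL = "/etc/rc.local"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # started from rc.local before Defend came up: should alert
        "host": {"os": {"type": "linux"}},
        "event": {"type": ["already_running"]},
        "process": {"name": "agent", "args": ["/tmp/.x/agent"],
                    "parent": {"args": ["/bin/sh", "-e", "/etc/rc.local", "start"]}},
    },
    {   # same parent, but a live start event: the rule only uses already_running
        "host": {"os": {"type": "linux"}},
        "event": {"type": ["start"]},
        "process": {"name": "ethtool", "args": ["/usr/sbin/ethtool", "-s", "eth0", "wol", "g"],
                    "parent": {"args": ["/bin/sh", "-e", "/etc/rc.local", "start"]}},
    },
    {   # ordinary systemd child found at startup: benign
        "host": {"os": {"type": "linux"}},
        "event": {"type": ["already_running"]},
        "process": {"name": "sshd", "args": ["/usr/sbin/sshd", "-D"],
                    "parent": {"args": ["/usr/lib/systemd/systemd", "--system"]}},
    },
]


def _get(doc: dict, path: str, default=None):
    """Walk a dotted ECS path such as 'process.parent.args'."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def matches_rc_local_rule(event: dict) -> bool:
    """Approximation of the rule condition (see module docstring)."""
    if _get(event, "host.os.type") != "linux":
        return False
    types = _get(event, "event.type", [])
    if isinstance(types, str):
        types = [types]
    if "already_running" not in types:
        return False
    parent_args = _get(event, "process.parent.args") or []
    return RC_LOCAL in parent_args


def find_alerts(events: list[dict]) -> list[dict]:
    return [e for e in events if matches_rc_local_rule(e)]


# Constructed /etc/rc.local content for the triage step.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
/usr/sbin/ethtool -s eth0 wol g
nohup /tmp/.x/agent >/dev/null 2>&1 &
exit 0
"""

# Heuristic indicators chosen for this example, not a vetted list.
SUSPICIOUS_TOKENS = ("/tmp/", "/dev/shm/", "/var/tmp/", "curl ", "wget ", "base64", "nohup ")


def extract_rc_local_commands(script_text: str) -> list[str]:
    """Return the command lines of rc.local: drop comments, blanks and the final exit."""
    commands = []
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        commands.append(line)
    return commands


def flag_suspicious(commands: list[str]) -> list[str]:
    """Commands worth a manual look: writable temp paths, downloaders, encoders."""
    return [c for c in commands if any(tok in c for tok in SUSPICIOUS_TOKENS)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", " ".join(alert["process"]["args"]),
              "| parent:", " ".join(alert["process"]["parent"]["args"]))
    for cmd in flag_suspicious(extract_rc_local_commands(SAMPLE_RC_LOCAL)):
        print("REVIEW:", cmd)
```

Only the first sample event fires: the second shares the `rc.local` parent but is a live `start` event, which the rule deliberately ignores because such events never reach the pipeline in the real case, and the third is a normal service found at startup. The triage helper then reduces the script to its two command lines and flags the one launching a binary from `/tmp`.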
Categories
  • Linux
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1037 (Boot or Logon Initialization Scripts)
  • T1037.004 (RC Scripts)
Created: 2024-06-21