RC scripts modified

Goal

Detect modifications to RC script files (rc.local and rc.common).

Strategy

RC scripts allow system administrators to map and start custom services at startup for different run levels. Attackers can establish persistence by adding a malicious binary path or shell commands to rc.local or rc.common. Upon reboot, the system executes the file contents as root.

Triage and response

  1. Review and confirm the changes made to {{@file.path}} are a part of normal system administration.
  2. If these changes are unauthorized, roll back the host in question to a known good {{@file.path}}, or replace the system with a known-good system image.
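
A triage helper for step 1, added here as an example and not part of the original rule: it compares the flagged RC script against a known-good copy and returns only the executable lines that were added or removed. The function names and the sample file contents are assumptions constructed for illustration.

```python
import difflib
import hashlib

# Constructed sample contents. In practice, read the known-good copy from a
# trusted image or configuration management, and the current copy from the host.
BASELINE = """#!/bin/sh -e
# rc.local
/usr/local/bin/start-metrics.sh
exit 0
"""
CURRENT = """#!/bin/sh -e
# rc.local
/usr/local/bin/start-metrics.sh
# added by update
/tmp/.cache/updater &
exit 0
"""


def digest(text):
    """SHA-256 of the file contents, used as a cheap changed/unchanged check."""
    return hashlib.sha256(text.encode()).hexdigest()


def triage(baseline, current):
    """Report whether the script changed and which executable lines differ."""
    changed = digest(baseline) != digest(current)
    added, removed = [], []
    if changed:
        for line in difflib.ndiff(baseline.splitlines(), current.splitlines()):
            tag, body = line[:2], line[2:].strip()
            # Skip blank lines and comments, but keep the shebang: a changed
            # interpreter line alters what runs as root at boot.
            if not body or (body.startswith("#") and not body.startswith("#!")):
                continue
            if tag == "+ ":
                added.append(body)
            elif tag == "- ":
                removed.append(body)
    return {"changed": changed, "added": added, "removed": removed}


if __name__ == "__main__":
    report = triage(BASELINE, CURRENT)
    print("changed:", report["changed"])
    for cmd in report["added"]:
        print("added at boot:", cmd)
    for cmd in report["removed"]:
        print("no longer run at boot:", cmd)
```

A result with `changed` true and both lists empty means only comments or whitespace differ; any entry in `added` is a command that now runs as root at boot and should be matched to a change record.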

Requires Agent version 7.27 or greater.
