
Goal

Detect modifications to RC script files (rc.local and rc.common).

Strategy

RC scripts allow system administrators to map and start custom services at startup for different run levels. Attackers can establish persistence by adding a malicious binary path or shell commands to rc.local or rc.common. Upon reboot, the system executes the file contents as root.

Triage and response

  1. Review the changes made to {{@file.path}} and confirm that they are part of normal system administration.
  2. If these changes are unauthorized, roll back the host in question to a known-good {{@file.path}}, or replace the system with a known-good system image.
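
To support step 1, the following added example (not part of the original rule or of any Datadog tooling) compares a known-good copy of an RC script with its current contents and separates comment-only edits from changes to the commands that run at boot. The function names and the sample file contents are assumptions constructed for illustration.

```python
import difflib
import hashlib

def active_lines(text):
    """Lines the shell acts on: the shebang plus every non-blank, non-comment line."""
    stripped = (line.strip() for line in text.splitlines())
    return [s for s in stripped if s and (not s.startswith("#") or s.startswith("#!"))]

def review_rc_change(known_good, current):
    """Compare a known-good RC script with the current one for triage."""
    def digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()
    before, after = active_lines(known_good), active_lines(current)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=before, b=after, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(before[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(after[j1:j2])
    return {
        "modified": digest(known_good) != digest(current),  # any byte changed
        "executable_change": bool(added or removed),        # boot behaviour changed
        "added": added,
        "removed": removed,
    }

# Constructed sample contents (not taken from a real host).
KNOWN_GOOD = """#!/bin/sh -e
# rc.local: site startup commands
/usr/local/bin/start-metrics
exit 0
"""
CURRENT = """#!/bin/sh -e
# rc.local: site startup commands
/usr/local/bin/start-metrics
/tmp/.cache/updater &
exit 0
"""
COMMENT_ONLY = KNOWN_GOOD.replace("site startup commands", "startup commands")

if __name__ == "__main__":
    report = review_rc_change(KNOWN_GOOD, CURRENT)
    for line in report["added"]:
        print("added:  ", line)
    for line in report["removed"]:
        print("removed:", line)
```

A result with "modified" true but "executable_change" false means only comments or whitespace changed; any entry in "added" is a command that will run as root at the next reboot and needs an owner.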

Requires Agent version 7.27 or greater.
