RC Scripts - T1037.004
(ATT&CK® Technique)
Definition
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
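graph LR;
    %% D3FEND inferred relationships for ATT&CK T1037.004 (RC Scripts).
    %% Solid edges: what a technique does to the System Init Script artifact.
    %% Dotted edges: the inferred "may-*" effect of a defensive technique on T1037.004.
    %% One statement per line; the class and click statements for SystemInitScript,
    %% which the generated source repeated for every technique, are declared once.

    %% Offensive technique and the artifact it modifies.
    T1037004["RC Scripts"] --> |modifies| SystemInitScript["System Init Script"];
    class T1037004 OffensiveTechniqueNode;
    class SystemInitScript ArtifactNode;
    click SystemInitScript href "/dao/artifact/d3f:SystemInitScript";
    click T1037004 href "/offensive-technique/attack/T1037.004/";

    %% Defensive techniques, in the order the source lists them.
    EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | SystemInitScript;
    EmulatedFileAnalysis -.-> | may-detect | T1037004;
    class EmulatedFileAnalysis DefensiveTechniqueNode;
    click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";

    DynamicAnalysis["Dynamic Analysis"] --> | analyzes | SystemInitScript;
    DynamicAnalysis -.-> | may-detect | T1037004;
    class DynamicAnalysis DefensiveTechniqueNode;
    click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";

    FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | SystemInitScript;
    FileIntegrityMonitoring -.-> | may-detect | T1037004;
    class FileIntegrityMonitoring DefensiveTechniqueNode;
    click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";

    DecoyFile["Decoy File"] --> | spoofs | SystemInitScript;
    DecoyFile -.-> | may-deceive | T1037004;
    class DecoyFile DefensiveTechniqueNode;
    click DecoyFile href "/technique/d3f:DecoyFile";

    FileEviction["File Eviction"] --> | deletes | SystemInitScript;
    FileEviction -.-> | may-evict | T1037004;
    class FileEviction DefensiveTechniqueNode;
    click FileEviction href "/technique/d3f:FileEviction";

    RestoreConfiguration["Restore Configuration"] --> | restores | SystemInitScript;
    RestoreConfiguration -.-> | may-restore | T1037004;
    class RestoreConfiguration DefensiveTechniqueNode;
    click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";

    RestoreFile["Restore File"] --> | restores | SystemInitScript;
    RestoreFile -.-> | may-restore | T1037004;
    class RestoreFile DefensiveTechniqueNode;
    click RestoreFile href "/technique/d3f:RestoreFile";

    ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | SystemInitScript;
    ExecutableAllowlisting -.-> | may-isolate | T1037004;
    class ExecutableAllowlisting DefensiveTechniqueNode;
    click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";

    ExecutableDenylisting["Executable Denylisting"] --> | blocks | SystemInitScript;
    ExecutableDenylisting -.-> | may-isolate | T1037004;
    class ExecutableDenylisting DefensiveTechniqueNode;
    click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";

    SystemInitConfigAnalysis["System Init Config Analysis"] --> | analyzes | SystemInitScript;
    SystemInitConfigAnalysis -.-> | may-detect | T1037004;
    class SystemInitConfigAnalysis DefensiveTechniqueNode;
    click SystemInitConfigAnalysis href "/technique/d3f:SystemInitConfigAnalysis";

    %% The source broke the next class statement across two lines; it is rejoined here.
    LocalFilePermissions["Local File Permissions"] --> | restricts | SystemInitScript;
    LocalFilePermissions -.-> | may-isolate | T1037004;
    class LocalFilePermissions DefensiveTechniqueNode;
    click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";

    FileEncryption["File Encryption"] --> | encrypts | SystemInitScript;
    FileEncryption -.-> | may-harden | T1037004;
    class FileEncryption DefensiveTechniqueNode;
    click FileEncryption href "/technique/d3f:FileEncryption";

    FileAnalysis["File Analysis"] --> | analyzes | SystemInitScript;
    FileAnalysis -.-> | may-detect | T1037004;
    class FileAnalysis DefensiveTechniqueNode;
    click FileAnalysis href "/technique/d3f:FileAnalysis";

    RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | SystemInitScript;
    RemoteFileAccessMediation -.-> | may-isolate | T1037004;
    class RemoteFileAccessMediation DefensiveTechniqueNode;
    click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";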