T1163 - Rc.common

During the boot process, macOS executes source /etc/rc.common, a shell script containing various utility functions. The file also defines routines for processing command-line arguments and for gathering system settings, so including it at the start of Startup Item scripts is recommended (Citation: Startup Items). In macOS and OS X, this technique is now deprecated in favor of launch agents and launch daemons, but it is still in use.

Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).

Atomic Tests


Atomic Test #1 - rc.common

Modify rc.common

Supported Platforms: macOS

Attack Commands: Run with sh!

echo "osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"'" >> /etc/rc.common
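To check whether this test, or a real modification, has changed the file, compare /etc/rc.common against a known-good copy. The sketch below is an added example, not part of the atomic test; the function names and the baseline path are assumptions.

```shell
#!/bin/sh
# Added example: report lines in rc.common that are absent from a
# known-good baseline copy. The baseline location is an assumption;
# keep it somewhere the monitored host cannot write to.
# Usage: rc_common_drift /path/to/baseline/rc.common /etc/rc.common

# active_lines FILE: print non-blank, non-comment lines with leading and
# trailing whitespace trimmed, so cosmetic edits do not register as drift.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v -e '^$' -e '^#' || true
}

# rc_common_drift BASELINE CURRENT
# Prints every active line of CURRENT that is not an active line of
# BASELINE. Returns 0 when nothing was added, 1 when drift was found,
# 2 when either file cannot be read.
rc_common_drift() {
    drift_base=$1
    drift_cur=$2
    if [ ! -r "$drift_base" ] || [ ! -r "$drift_cur" ]; then
        return 2
    fi
    drift_tmp=$(mktemp) || return 2
    active_lines "$drift_base" > "$drift_tmp"
    # -F fixed strings, -x whole-line match, -v keep lines matching none
    drift_added=$(active_lines "$drift_cur" |
        grep -F -x -v -f "$drift_tmp" || true)
    rm -f "$drift_tmp"
    if [ -z "$drift_added" ]; then
        return 0
    fi
    printf '%s\n' "$drift_added"
    return 1
}
```

Only added or altered lines are reported; a removed line, or an added line that duplicates one already in the baseline, is not.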