Modification of rc.common Script¶
During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. Adversaries can use the rc.common file as a way to hide code for persistence.
| id: | 11db63f4-15eb-47f7-8e69-e4879bace2b0 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | macos |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Persistence |
|---|---|
| techniques: | T1163 Rc.common |
Query¶
file where file_name == "rc.common"