elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rules] rc.local Execution Rules #3813

Closed Aegrah closed 5 days ago

Aegrah commented 1 week ago

Summary

The /etc/rc.local script is a legacy initialization script that is executed at the end of the boot process. The /etc/rc.local script is not enabled by default on most Linux distributions. The /etc/rc.local script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. As the rc.local file is executed prior to the initialization of Elastic Defend, the execution event is not ingested.

Because of that reason, this PR proposes two new rules that are capable of detecting execution of the rc.local script, through:

Potential Execution of rc.local Script

0 hits in telemetry last year, 18 hits across different systems in my testing stack last 90d. Related to testing & rootkit testing.

process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and 
process.parent.args == "/etc/rc.local" and process.parent.args == "start"

Suspicious rc.local Error Message

0 hits in telemetry last year, 74 hits in my stack last year (all related to testing of rc.local and rootkit testing).

host.os.type:linux and event.dataset:"system.syslog" and process.name:rc.local and
message:("Connection refused" or "No such file or directory" or "command not found")

These are additional layers of defense to this persistence technique, and are meant to be used in conjunction with the other rules related to RC script persistence.
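Added example, not part of this PR or of the elastic/detection-rules repository: a plain-Python re-implementation of the two proposed detections, run over constructed sample events so the matching semantics can be checked offline. Field names follow the ECS fields used in the two queries; the sample documents are made up. Two assumptions are encoded here: EQL `==` against an array field such as process.parent.args is true when any element matches (which is why the first rule can compare that field against both "/etc/rc.local" and "start"), and the KQL phrase match on message is approximated as a substring test. The event.action "already_running" value is taken, as the PR text implies, to mark a process the agent found already running when it enumerated processes at startup rather than one it saw being launched.

```python
"""Plain-Python evaluation of the two rc.local rules from PR #3813 against
constructed sample events (added example, not code from the PR or the repo)."""

RC_LOCAL_ERRORS = ("Connection refused", "No such file or directory", "command not found")


def get(event, dotted, default=None):
    """Walk a dotted ECS field path ("process.parent.args") through a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def field_equals(event, dotted, value):
    """EQL/KQL equality against a field that may be scalar or an array (assumption:
    for array fields the comparison is true when any element equals the value)."""
    actual = get(event, dotted)
    if isinstance(actual, list):
        return value in actual
    return actual == value


def potential_rc_local_execution(event):
    """Rule 1 (EQL): a process whose parent is '/etc/rc.local start' was observed
    via the 'already_running' enumeration event, i.e. it existed before the agent
    started, so the boot-time exec event itself was never ingested."""
    return bool(
        field_equals(event, "host.os.type", "linux")
        and field_equals(event, "event.type", "info")
        and field_equals(event, "event.action", "already_running")
        and field_equals(event, "process.parent.args", "/etc/rc.local")
        and field_equals(event, "process.parent.args", "start")
    )


def suspicious_rc_local_error(event):
    """Rule 2 (KQL): a syslog line attributed to rc.local whose message carries
    one of the error fragments (phrase match approximated as substring)."""
    message = get(event, "message", "") or ""
    return bool(
        field_equals(event, "host.os.type", "linux")
        and field_equals(event, "event.dataset", "system.syslog")
        and field_equals(event, "process.name", "rc.local")
        and any(fragment in message for fragment in RC_LOCAL_ERRORS)
    )


RULES = {
    "Potential Execution of rc.local Script": potential_rc_local_execution,
    "Suspicious rc.local Error Message": suspicious_rc_local_error,
}


def run_rules(events):
    """Return (rule_name, event_index) for every rule/event pair that matches."""
    hits = []
    for idx, event in enumerate(events):
        for name, predicate in RULES.items():
            if predicate(event):
                hits.append((name, idx))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: child of "/etc/rc.local start", seen at agent startup as already running -> rule 1
    {
        "host": {"os": {"type": "linux"}},
        "event": {"type": ["info"], "action": "already_running", "dataset": "endpoint.events.process"},
        "process": {
            "name": "persist.sh",
            "args": ["/bin/sh", "/opt/persist.sh"],
            "parent": {"name": "sh", "args": ["/bin/sh", "/etc/rc.local", "start"]},
        },
    },
    # 1: same parent, but a live exec event rather than the enumeration event -> no match
    {
        "host": {"os": {"type": "linux"}},
        "event": {"type": ["start"], "action": "exec", "dataset": "endpoint.events.process"},
        "process": {"name": "persist.sh", "parent": {"args": ["/bin/sh", "/etc/rc.local", "start"]}},
    },
    # 2: rc.local present as parent but without the "start" argument -> no match
    {
        "host": {"os": {"type": "linux"}},
        "event": {"type": ["info"], "action": "already_running"},
        "process": {"parent": {"args": ["/etc/rc.local"]}},
    },
    # 3: syslog error emitted by rc.local (a referenced script is missing) -> rule 2
    {
        "host": {"os": {"type": "linux"}},
        "event": {"dataset": "system.syslog"},
        "process": {"name": "rc.local"},
        "message": "rc.local[412]: /etc/rc.local: 3: /opt/persist.sh: No such file or directory",
    },
    # 4: same error text from a different program -> no match
    {
        "host": {"os": {"type": "linux"}},
        "event": {"dataset": "system.syslog"},
        "process": {"name": "cron"},
        "message": "cron[77]: /opt/job.sh: No such file or directory",
    },
]


if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name}: event {idx}")
```

Running the block prints one hit per rule (events 0 and 3). Events 1 and 2 are the useful negatives: the first rule only fires on the enumeration event, so a rc.local child that is launched while the agent is already running would be covered by the ordinary process-start rules rather than this one, and the parent must carry both "/etc/rc.local" and "start" in its argument list.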