Adversaries may use rc.common automatically executed at boot initialization to establish persistence. During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated mechanism in favor of Launch Agent and Launch Daemon but is currently still used.
Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user. (Citation: Methods of Mac Malware Persistence)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1037.004 | Rc.common |
| CA-7 | Continuous Monitoring | Protects | T1037.004 | Rc.common |
| CM-2 | Baseline Configuration | Protects | T1037.004 | Rc.common |
| CM-6 | Configuration Settings | Protects | T1037.004 | Rc.common |
| SI-3 | Malicious Code Protection | Protects | T1037.004 | Rc.common |
| SI-4 | System Monitoring | Protects | T1037.004 | Rc.common |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1037.004 | Rc.common |