RC Scripts
Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.
Several Unix systems have moved to Systemd and deprecated the use of RC scripts.
Setting up an RC script should be straightforward. In the following example I am using a Bash script that runs in a loop in case the connection is ever killed. I've encountered that a live connection made while the OS is loading will hang until the reverse shell has been killed, so the script sleeps and runs in a loop so that we can catch it when the user has completely logged in.
The file needs to be placed in the /etc/init.d folder; from there, give it execute permissions using the following command:
chmod +x FILENAME
Finally, we can continue with update-rc.d, which installs the script so that it executes once the user boots into the host.
All we need now is to wait for the host to reboot or power back on while we wait for a connection from our attacking machine.
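
From the defender's side, the steps above leave three artifacts: a file in /etc/init.d, its execute bit, and the start links that update-rc.d creates under /etc/rcN.d. The script below is an added example, not part of the original page; the function name audit_rc and the baseline file (sha256sum output recorded on a trusted system) are assumptions.

```shell
#!/bin/sh
# Added example: report init scripts that are new or modified versus a baseline.
# Usage: audit_rc ROOT BASELINE
#   ROOT     filesystem root to inspect ("/" for a live host, or a mounted image)
#   BASELINE assumed file of sha256sum lines, recorded on a trusted system with:
#            cd /etc/init.d && sha256sum * > baseline
audit_rc() {
    root=${1%/}
    baseline=$2
    for f in "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        # Known name with the known hash: nothing to report.
        if grep -qxF "$sum  $name" "$baseline"; then continue; fi
        flags=""
        # The execute bit (chmod +x) is what lets the script run at boot.
        if [ -x "$f" ]; then flags="$flags executable"; fi
        # update-rc.d registers a script by creating S??name links in rcN.d.
        for link in "$root"/etc/rc?.d/S??"$name"; do
            if [ -L "$link" ]; then flags="$flags boot-enabled"; break; fi
        done
        # Heuristic only: a retry loop with sleep, like the script described above.
        if grep -q 'while' "$f" && grep -q 'sleep' "$f"; then
            flags="$flags loop-with-sleep"
        fi
        echo "UNLISTED $name:$flags"
    done
}

# Run against a root when called with arguments, e.g.: sh audit_rc.sh / baseline
if [ "$#" -ge 2 ]; then audit_rc "$1" "$2"; fi
```

An UNLISTED line means the script is either new or its contents differ from the baseline; the flags after the colon help prioritise which ones to read first.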