This note documents detection patterns related to Startup Script Abuse on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| /etc/rc.local | New command entry | Boot-time persistence | Critical | Classic startup persistence artifact. |
| /etc/init.d/ | New script | Legacy init persistence | Critical | Still relevant on many systems. |
| /etc/profile | Shell-wide startup command | User session persistence | Critical | Executes for interactive shells. |
| /etc/bash.bashrc | Global shell startup modification | Session-triggered persistence | Critical | Common stealth location. |
| ~/.bashrc | User shell startup command | Per-user persistence | Critical | Often tied to compromised account. |
| ~/.profile | User login startup | Per-user login persistence | Critical | Triggered on login. |
| ~/.bash_profile | Login shell persistence | Per-user persistence | Critical | Often overlooked. |
| Startup script | curl, wget | Remote payload retrieval | Critical | Strong malicious automation signal. |
| Startup script | bash, sh, python | Script execution | Critical | Common payload trigger. |
| Startup script | /tmp, /dev/shm | Temp payload execution | Critical | High-confidence malicious path. |
| Shell history | edit startup files | Interactive persistence insertion | Critical | Strong operator evidence. |
| auditd | write to startup files | Process attribution | Critical | Best attribution if enabled. |
| File timestamps | recent startup file modification | Timeline anchor | Critical | Correlates with intrusion window. |
| journalctl | boot execution evidence | Startup execution confirmation | High | Useful after reboot events. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Startup file modified after SSH foothold | Stabilization after access | Critical | Common attacker progression. |
| Hidden command appended at file end | Minimal stealth insertion | Critical | Frequently missed in long profiles. |
| Startup file calls external script | Secondary payload | Critical | Often hidden elsewhere. |
| Root startup file modified | Privileged persistence | Critical | High severity. |
| User shell starts outbound connection | Callback on login | Critical | Strong malicious signal. |
| Profile references deleted path | Cleanup after insertion | High | Incomplete cleanup clue. |
| Startup plus cron/service persistence | Redundant persistence | Critical | Strong operator discipline. |
| Startup under dormant account | Silent persistence | Critical | Often unnoticed. |
| Startup file ownership anomaly | Unexpected owner | High | Reveals attacker mistake. |
| Minimal file change but strong behavior shift | Small persistence line inserted | High | Requires diff-style inspection. |
Common Tools
| Tool | Usage |
|---|---|
| echo >> ~/.bashrc | Append persistence quickly. |
| sed -i | Silent inline modification. |
| nano, vim, vi | Interactive startup file editing. |
| Direct file overwrite | Replace startup logic fully. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| System startup | /etc/rc.local | Critical | Boot persistence. |
| Legacy init scripts | /etc/init.d/ | Critical | Older service persistence path. |
| Global shell profile | /etc/profile | Critical | Global login persistence. |
| Global bash config | /etc/bash.bashrc | Critical | Interactive shell persistence. |
| User bashrc | ~/.bashrc | Critical | Per-user shell persistence. |
| User profile | ~/.profile | Critical | Login-trigger persistence. |
| User bash profile | ~/.bash_profile | Critical | Login shell persistence. |
| Shell history | .bash_history, .zsh_history | Critical | Edit commands. |
| Audit logs | /var/log/audit/audit.log | Critical | File write attribution. |
| Journald | journalctl | High | Execution after boot/login. |
MITRE ATT&CK References
- T1037 Boot or Logon Initialization Scripts
- T1037.004 RC Scripts
- T1059 Command and Scripting Interpreter
Decision Tree
- Are startup files modified?
  - Enumerate system and user startup files.
- Which account or context triggers persistence?
  - System boot, root shell, user login.
- What executes?
  - Inspect command, path, interpreter.
- Has startup already triggered?
  - Correlate boot/login times.
- Is payload present?
  - Inspect referenced files.
- Pivot
  - Startup file → payload path.
  - Payload → timestamps and hashes.
  - User → login timeline.
- Confirm persistence
  - Unknown startup command + suspicious path + intrusion timing = malicious persistence.
Example Detection Templates
Grep

```shell
# Suspicious tokens in system and user startup files
grep -R "curl\|wget\|bash\|python\|/tmp\|/dev/shm" /etc/rc.local /etc/profile /etc/bash.bashrc /etc/init.d /home/*/.bashrc /home/*/.profile /home/*/.bash_profile /root/.bashrc /root/.profile 2>/dev/null
# Operator edits of startup files recorded in shell history
grep -R "rc.local\|bashrc\|profile" /home/*/.bash_history /root/.bash_history 2>/dev/null
# Append-style insertions (echo ... >> ~/.bashrc) anywhere under home directories
grep -R "echo .*bashrc\|echo .*profile" /home /root 2>/dev/null
```

Journalctl

```shell
journalctl | grep -E "rc.local|profile|bashrc"
```

File Inspection

```shell
# Modification time of every startup file, oldest first. The \( ... \) group is
# required: without it -printf binds only to the last -name test, and the
# /etc paths never match a -name test at all, so they would be silently dropped.
find /etc/rc.local /etc/profile /etc/bash.bashrc /etc/init.d /home /root \
  \( -path '/etc/*' -o -name '.bashrc' -o -name '.profile' -o -name '.bash_profile' \) \
  -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort
stat /etc/rc.local
```
Sigma
```yaml
title: Linux Startup Script Abuse
id: linux-startup-script-abuse
status: experimental
description: Detects suspicious modifications to startup scripts and shell initialization files
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'rc.local'
      - '.bashrc'
      - '.profile'
      - 'curl'
      - 'wget'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate profile customization
level: high
tags:
  - attack.persistence
  - attack.t1037
```
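The decision tree and the grep templates above combined into one triage routine, as an added example that is not part of the original note. It flags lines carrying the high-value tokens, reports whether the file changed within the last 72 hours (an assumed window), and checks whether each absolute path a flagged line references still exists, which is the "profile references deleted path" cleanup clue. The `.bashrc` content in `demo()` is constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Tokens from the "High Value Grep Strings" table above.
SUSPICIOUS = re.compile(r"curl|wget|\bbash\b|\bsh\b|python|/tmp/|/dev/shm|@reboot")
# Absolute paths on a line (payload candidates); the lookbehind skips "//" and
# ":/" inside URLs so only filesystem paths are collected.
PATH_RE = re.compile(r"(?<![\w./:-])/[\w.-][\w./-]*")

def triage_startup_file(path, recent_hours=72):
    """Triage one startup file: recently modified?, suspicious lines, and
    referenced paths that no longer exist (cleanup-after-insertion clue)."""
    st = os.stat(path)
    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
    age_h = (datetime.now(timezone.utc) - mtime).total_seconds() / 3600
    findings = {"file": path, "owner_uid": st.st_uid, "mtime": mtime.isoformat(),
                "recent": age_h <= recent_hours, "hits": [], "missing_refs": []}
    with open(path, errors="replace") as f:
        for n, line in enumerate(f, 1):
            s = line.strip()
            if not s or s.startswith("#") or not SUSPICIOUS.search(s):
                continue
            findings["hits"].append((n, s))
            for ref in PATH_RE.findall(s):
                if not os.path.exists(ref) and ref not in findings["missing_refs"]:
                    findings["missing_refs"].append(ref)
    findings["suspicious"] = bool(findings["hits"])
    return findings

def demo():
    """Constructed sample (not real evidence): a normal user .bashrc with one
    appended persistence line whose payload has already been removed."""
    d = tempfile.mkdtemp()
    gone = os.path.join(d, "update.sh")  # referenced by .bashrc, never written
    rc = os.path.join(d, ".bashrc")
    with open(rc, "w") as f:
        f.write("# ~/.bashrc: executed by bash(1) for non-login shells.\n"
                "alias ll='ls -alF'\n"
                "export EDITOR=vim\n"
                f"nohup bash {gone} &\n")  # the appended one-liner
    return triage_startup_file(rc)

if __name__ == "__main__":
    targets = ["/etc/rc.local", "/etc/profile", "/etc/bash.bashrc", os.path.expanduser("~/.bashrc")]
    for p in filter(os.path.exists, targets):
        print(triage_startup_file(p))
    print(demo())
```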
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| File baseline | Inventory startup files | Critical | Unknown additions should stand out. |
| File monitoring | Watch startup paths | Critical | Strong invariant detection. |
| Least privilege | Restrict startup file modification | High | Reduces persistence insertion. |
| Auditd | Monitor writes to startup files | High | Strong attribution. |
| Temp execution control | Prevent startup execution from temp paths | Critical | Stops common abuse. |
| Login review | Inspect user startup changes regularly | High | Important for per-user stealth persistence. |
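An added example for the Auditd row (not from the original note): audit watch rules that log write and attribute changes to the startup files listed above under one search key. Audit watches do not expand globs, so each user's home directory is listed explicitly; `/home/alice` is a placeholder.

```text
# /etc/audit/rules.d/startup-persist.rules (added example)
# -w path   -p wa = write and attribute changes   -k = key for ausearch
-w /etc/rc.local -p wa -k startup_persist
-w /etc/profile -p wa -k startup_persist
-w /etc/bash.bashrc -p wa -k startup_persist
-w /etc/init.d/ -p wa -k startup_persist
-w /root/.bashrc -p wa -k startup_persist
-w /root/.profile -p wa -k startup_persist
-w /root/.bash_profile -p wa -k startup_persist
# one block per user account; /home/alice is a placeholder
-w /home/alice/.bashrc -p wa -k startup_persist
-w /home/alice/.profile -p wa -k startup_persist
-w /home/alice/.bash_profile -p wa -k startup_persist
```

Load with `augenrules --load` (or `auditctl -R <file>`), dropping entries for paths that do not exist on the host; `ausearch -k startup_persist -i` then returns the writing process, its uid and its parent for every change, which is the attribution the Direct Indicators table refers to.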
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Any suspicious startup lines? | grep startup files | Immediate persistence check. |
| Which file changed recently? | inspect timestamps | Timeline anchor. |
| Does startup call temp file? | inspect paths | High-confidence suspicion. |
| Has payload executed? | correlate login/boot logs | Runtime proof. |
| Is payload still present? | inspect referenced path | Payload analysis. |
| Was startup modified post-login? | correlate timestamps | Intrusion chain. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| curl | Remote retrieval. |
| wget | Remote retrieval. |
| bash | Shell execution. |
| python | Interpreter execution. |
| /tmp | Temp payload path. |
| /dev/shm | Stealth path. |
| @reboot | Sometimes chained with cron logic. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| .bashrc calls temp shell | Strong user persistence signal. |
| /etc/profile modified | Global persistence, high severity. |
| rc.local starts hidden script | Boot persistence, likely malicious. |
| Startup plus cron/service | Redundant persistence. |
| Startup file references deleted payload | Cleanup after insertion likely. |
| Minimal one-line append | Easy to miss without full file review. |