Suspicious process modified RC script file

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

Kubernetes - AGENT, Containers

ATT&CK Tactic

ATT&CK Technique

Boot or Logon Initialization Scripts: RC Scripts (T1037.004)

Severity

Low

Description

A suspicious process modified an RC script file.
These files allow system administrators to map and start custom services at startup for different run levels.
This may be done to establish persistence.

Attacker's Goals

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.

Investigative actions

Check the modified RC script file and try to understand the impact of the file modification.

Variations

Suspicious process modified RC script file in a Kubernetes pod

Synopsis

ATT&CK Tactic

ATT&CK Technique

Boot or Logon Initialization Scripts: RC Scripts (T1037.004)

Severity

Low

Description

A suspicious process modified an RC script file.
These files allow system administrators to map and start custom services at startup for different run levels.
This may be done to establish persistence.

Attacker's Goals

Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.

Investigative actions

Check the modified RC script file and try to understand the impact of the file modification.
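As an added triage aid for the investigative step above (in both the host alert and the Kubernetes-pod variation), the following Python compares a baselined copy of an RC script with the version found after the alert and returns the exact lines added and removed; it is not part of the Cortex XDR reference, and the path list in `RC_SCRIPT_PREFIXES` and the sample `rc.local` contents are assumed and constructed for illustration.

```python
import difflib
import hashlib
from typing import Dict, List, Union

# Locations where SysV-style init and rc.local scripts usually live (assumed list;
# extend it with the paths used by the distributions in your environment).
RC_SCRIPT_PREFIXES = (
    "/etc/rc.local", "/etc/rc.d/", "/etc/init.d/",
    "/etc/rc0.d/", "/etc/rc1.d/", "/etc/rc2.d/", "/etc/rc3.d/",
    "/etc/rc4.d/", "/etc/rc5.d/", "/etc/rc6.d/", "/etc/rcS.d/",
)


def is_rc_script_path(path: str) -> bool:
    """True if the path is one this check treats as an RC script location."""
    return any(path == p or path.startswith(p) for p in RC_SCRIPT_PREFIXES)


def rc_script_changes(baseline: str, current: str) -> Dict[str, Union[bool, str, List[str]]]:
    """Compare a baselined RC script with the version present after the alert.

    Returns both content hashes plus the lines that were added and removed,
    which is what an analyst needs to judge the impact of the modification.
    """
    added: List[str] = []
    removed: List[str] = []
    for line in difflib.ndiff(baseline.splitlines(), current.splitlines()):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return {
        "changed": baseline != current,
        "baseline_sha256": hashlib.sha256(baseline.encode()).hexdigest(),
        "current_sha256": hashlib.sha256(current.encode()).hexdigest(),
        "added": added,
        "removed": removed,
    }


# Constructed sample: a stock rc.local and the same file after one line was inserted.
BASELINE_RC_LOCAL = "#!/bin/sh -e\n# rc.local\nexit 0\n"
MODIFIED_RC_LOCAL = "#!/bin/sh -e\n# rc.local\n/opt/example/agent --daemon  # constructed line\nexit 0\n"

if __name__ == "__main__":
    report = rc_script_changes(BASELINE_RC_LOCAL, MODIFIED_RC_LOCAL)
    print("RC script location:", is_rc_script_path("/etc/rc.local"))
    for line in report["added"]:
        print("added:  ", line)
    for line in report["removed"]:
        print("removed:", line)
```

In practice the baseline comes from configuration management or a file-integrity record taken before the alert; the added lines are the part of the change to investigate first.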