Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | Kubernetes - AGENT, Containers |
| ATT&CK Tactic | |
| ATT&CK Technique | Boot or Logon Initialization Scripts: RC Scripts (T1037.004) |
| Severity | Low |
Description
A suspicious process modified an RC script file.
These files allow system administrators to map and start custom services at startup for different run levels.
The modification may have been made to establish persistence.
Attacker's Goals
Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system's startup.
Investigative actions
Check the modified RC script file and try to understand the impact of the file modification.
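One way to carry out this check, as an added example that is not part of the detector or the vendor's tooling: diff the flagged RC script against a known-good copy and list only the newly added executable lines, each annotated with triage notes. The sample file contents, the /opt/example/agent path and the heuristics are constructed assumptions for illustration.

```python
import difflib
import re

# Constructed sample: a known-good /etc/rc.local and the copy found after the alert.
BASELINE = """#!/bin/sh -e
# rc.local
exit 0
"""
MODIFIED = """#!/bin/sh -e
# rc.local
# maintenance
/opt/example/agent --daemon &
exit 0
"""

# Assumed triage heuristics (not taken from the detector): traits of an added
# startup command that an analyst would want to look at first.
HEURISTICS = {
    "runs in background": re.compile(r"&\s*$"),
    "path in world-writable dir": re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/"),
    "fetches remote content": re.compile(r"\b(curl|wget)\b"),
}


def added_commands(baseline, current):
    """Return non-comment, non-blank lines present in current but not in baseline."""
    added = []
    for line in difflib.ndiff(baseline.splitlines(), current.splitlines()):
        if line.startswith("+ "):  # "+ " marks a line that exists only in current
            text = line[2:].strip()
            if text and not text.startswith("#"):
                added.append(text)
    return added


def triage(baseline, current):
    """Pair each added command with the names of the heuristics it matches."""
    report = []
    for cmd in added_commands(baseline, current):
        notes = [name for name, rx in HEURISTICS.items() if rx.search(cmd)]
        report.append((cmd, notes))
    return report


if __name__ == "__main__":
    for cmd, notes in triage(BASELINE, MODIFIED):
        print(f"added: {cmd}  notes: {', '.join(notes) or 'none'}")
```

An empty result means the change touched only comments or whitespace; anything listed will run at the next boot and should be traced back to the process that wrote it.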