Skip to content

Rcd Modification Detection


The RcdModification signature identifies changes or modifications to the rcd files and related commands. These files are crucial as they are scripts executed during boot and runlevel switches. By altering these scripts, adversaries can maintain persistence across system reboots.


The rcd (runlevel control directories) scripts are integral to the Linux system as they are responsible for service control during system bootup and when the system's runlevel changes. When these scripts or related directories are altered, it can imply a persistent malicious foothold within the system.

This signature, RcdModification, monitors the rcd files and directories for any modifications. By identifying unauthorized changes to these components, it aims to counteract threats that rely on altering system initialization scripts to ensure continuous malicious activity after system reboots.


The primary objective of this signature is to detect unauthorized changes or executions related to the rcd files, directories, and commands. By doing so, it aims to safeguard the system against threats that target bootup scripts for persistence.


  • ID: TRC-1026
  • Version: 1
  • Name: Rcd modification detected
  • EventName: rcd_modification
  • Description: The signature zeroes in on modifications to the rcd files. Since these files run during system bootup and runlevel switches, they are paramount for system initialization. Adversaries can modify or append to these files, ensuring their malicious code runs consistently even after reboots, thus achieving persistence.
  • Properties:
  • Severity: 2 (Moderate threat level)
  • Category: persistence
  • Technique: RC Scripts
  • Kubernetes_Technique: N/A
  • id: attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211
  • external_id: T1037.004


Upon detection of a potential threat, the signature reports back a Finding data structure, which encapsulates:

  • SigMetadata: Information about the potential threat based on the signature's criteria.
  • Event: The specifics of the event which caused the signature to trigger.
  • Data: Currently set to nil, indicating that no additional data is provided.

Events Used

This signature relies on several events:

  • security_file_open: This event activates when a file is accessed. The signature checks if the file is one of the rcd files and if it's being written to.
  • security_inode_rename: This event is triggered when an inode is renamed. The signature uses this event to discern if any rcd files or directories are being renamed.
  • sched_process_exec: This event fires up when a new process is initiated. The signature ensures if the update-rc.d command, which manages the rcd scripts, is executed.