Suspicious rc.local Error Message

Last updated: 2025-01-15
Created: 2024-06-21

About

This rule monitors the syslog log file for error messages attributed to the rc.local process. /etc/rc.local is a shell script that many Linux distributions run at the end of the boot process (through rc-local.service on systemd hosts, or from SysV init), so any command placed in it runs as root every time the system starts. Attackers therefore modify rc.local to launch malicious commands or scripts at startup. This rule detects messages logged by rc.local that contain "Connection refused", "No such file or directory" or "command not found", which may indicate that the file has been tampered with: for example a planted binary that has since been removed, or a beacon to a host that is no longer listening. The same errors also arise from legitimate but broken startup scripts, which is why the rule carries a low severity; review the contents and modification time of /etc/rc.local before escalating an alert.
Tags
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)

License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-system.syslog-*
Related Integrations

system

Query
host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and
message:("Connection refused" or "No such file or directory" or "command not found")
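The following is an added example, not part of the Elastic rule or the system integration: a small offline re-implementation of the query's logic that parses constructed BSD-syslog lines into the ECS fields the rule references (process.name from the syslog tag, message from the remainder) and applies the same predicate as the KQL. The parser, the sample lines and the case-insensitive substring approximation of KQL phrase matching are this example's own assumptions. It also shows a gap worth knowing about: when /etc/rc.local is interpreted by dash (Debian's /bin/sh), a missing command is reported as "not found" rather than "command not found", so that line does not match.

```python
"""
Added example (not Elastic's code): evaluate the rule's predicate offline over
constructed syslog lines shaped like the documents in logs-system.syslog-*.
"""
import re
from typing import Optional

# The three phrases from the rule's message:(...) clause.
ERROR_PHRASES = ("Connection refused", "No such file or directory", "command not found")

# "<Mon DD HH:MM:SS> <host> <tag>[<pid>]: <message>" as written by rsyslog (assumed format).
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line: str, os_type: str = "linux") -> Optional[dict]:
    """Turn one raw syslog line into an ECS-shaped document.

    Only the fields the rule queries are populated. The field names are ECS;
    the parsing itself is this example's own, not the integration's pipeline.
    """
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    doc = {
        "event": {"dataset": "system.syslog"},
        "host": {"os": {"type": os_type}},
        "process": {"name": m.group("tag")},
        "message": m.group("msg"),
    }
    if m.group("pid"):
        doc["process"]["pid"] = int(m.group("pid"))
    return doc


def matches_rule(doc: dict) -> bool:
    """Python equivalent of the rule's KQL predicate.

    KQL phrase queries on the analyzed `message` field are case-insensitive and
    token-based; a case-insensitive substring test is used here as an
    approximation (assumption), which is adequate for these fixed phrases.
    """
    if doc.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if doc.get("event", {}).get("dataset") != "system.syslog":
        return False
    if doc.get("process", {}).get("name") != "rc.local":
        return False
    msg = doc.get("message", "").lower()
    return any(phrase.lower() in msg for phrase in ERROR_PHRASES)


# Constructed sample lines (not captured from a real host); the IP is from the
# documentation range 203.0.113.0/24.
SAMPLE_LINES = [
    # 1: boot-time script tries to reach a host that is not listening -> match
    "Jun 21 10:00:01 web01 rc.local[812]: curl: (7) Failed to connect to 203.0.113.5 port 8080: Connection refused",
    # 2: bash-style error for a payload that was cleaned up -> match
    "Jun 21 10:00:01 web01 rc.local[812]: /etc/rc.local: line 4: /tmp/.x/run: command not found",
    # 3: the same failure printed by dash (Debian /bin/sh) says only "not found" -> NO match
    "Jun 21 10:00:01 web01 rc.local[812]: /etc/rc.local: 4: /tmp/.x/run: not found",
    # 4: identical wording from another process -> NO match (process.name filter)
    "Jun 21 10:00:02 web01 cron[901]: /bin/sh: 1: /opt/backup.sh: No such file or directory",
    # 5: benign leftover from an uninstalled agent; the rule cannot tell it from tampering -> match
    "Jun 21 10:00:03 web01 rc.local[812]: /etc/rc.local: 6: /usr/local/bin/legacy-agent: No such file or directory",
]


def run_rule(lines: list) -> list:
    """Return the 1-based indexes of the lines the rule would alert on."""
    hits = []
    for i, line in enumerate(lines, start=1):
        doc = parse_syslog_line(line)
        if doc is not None and matches_rule(doc):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for i in run_rule(SAMPLE_LINES):
        print(f"alert: line {i}: {SAMPLE_LINES[i - 1]}")
```

Running the block alerts on lines 1, 2 and 5. Line 5 is the false-positive case the low severity accounts for, and line 3 is the miss: if your fleet's rc.local scripts run under dash, consider whether a broader phrase such as "not found" is acceptable for your noise budget.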

Install detection rules in Elastic Security

Detect Suspicious rc.local Error Message in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.