During the boot process, macOS executessource /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).
Detection: The
/etc/rc.commonfile can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior.Platforms: macOS
Data Sources: File monitoring, Process Monitoring
Permissions Required: root
Modify rc.common
Supported Platforms: macOS
echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common