diff --git a/Mac/Persistence/Rc.common.md b/Mac/Persistence/Rc.common.md new file mode 100644 index 00000000..4109295e --- /dev/null +++ b/Mac/Persistence/Rc.common.md @@ -0,0 +1,15 @@ +# rc.common + +MITRE ATT&CK Technique: [T1163](https://attack.mitre.org/wiki/Technique/T1163) + +Input: + + echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common + +Modify: + + /etc/rc.common + + + +[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) diff --git a/Mac/README.md b/Mac/README.md index 59be71ad..57696494 100644 --- a/Mac/README.md +++ b/Mac/README.md @@ -15,7 +15,7 @@ | Login Item | | Hidden Window | Two-Factor Authentication Interception | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | | | Multi-hop Proxy | | [Logon Scripts](Persistence/Logon_Scripts.md) | | Indicator Removal from Tools | | System Network Connections Discovery | | | | | Multiband Communication | | [Plist Modification](Persistence/Plist_Modification.md) | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | | [System Owner/User Discovery](Discovery/System_Owner_User_Discovery.md) | | | | | Multilayer Encryption | -| Rc.common | | LC_MAIN Hijacking | | | | | | | Remote File Copy | +| [Rc.common](Persistence/Rc.common.md) | | LC_MAIN Hijacking | | | | | | | Remote File Copy | | [Re-opened Applications](Persistence/Re-opened_Applications.md) | | [Launchctl](Defense_Evasion/Launchctl.md) | | | | | | | Standard Application Layer Protocol | | Redundant Access | | Masquerading | | | | | | | Standard Cryptographic Protocol | | [Startup Items](Persistence/Startup_Items.md) | | Obfuscated Files or Information | | | | | | | Standard Non-Application Layer Protocol |