June 11, 2026 · Applied Cybernetics Group
T1037 Boot or Logon Initialization Scripts — Linux Init Script Modification
production-ready · status: experimental · level: medium
Creation or modification of legacy init-system entry points (/etc/rc.local, /etc/init.d/, /etc/rc*.d/). Adversaries plant scripts there for root-context execution at boot — old-school, still routinely effective on servers and appliances that keep sysvinit compatibility. (Systemd-unit persistence is T1543.002 — separate rule.) Authored from the thrunt.me detection-gap queue (corpus signal with zero SigmaHQ/thrunt tag coverage for T1037 at authoring time); analyst-reviewed 2026-06-11.
- Rule ID: af60fbd6-51c7-5814-b803-bdb24f984d9c
- Status: experimental
- Level: medium
- Log source: category: file_event · product: linux
- Date: 2026-06-11
- Modified: 2026-06-11
- ATT&CK: T1037 (signal rollup)
- Canonical YAML: t1037-linux-init-script-modification.yml
References
- https://thrunt.me/sigma/t1037-linux-init-script-modification.yml
- https://thrunt.me/corpus/attck/T1037/
- https://attack.mitre.org/techniques/T1037/
False positives
- Package installation and upgrades writing init scripts (dpkg, rpm, yum/dnf transactions).
- Configuration management deploying service wrappers.
- Administrators installing third-party services that still ship sysvinit scripts.
Rule YAML
title: 'T1037 Boot or Logon Initialization Scripts — Linux Init Script Modification'
id: 'af60fbd6-51c7-5814-b803-bdb24f984d9c'
status: 'experimental'
description: 'Creation or modification of legacy init-system entry points (/etc/rc.local, /etc/init.d/, /etc/rc*.d/). Adversaries plant scripts there for root-context execution at boot — old-school, still routinely effective on servers and appliances that keep sysvinit compatibility. (Systemd-unit persistence is T1543.002 — separate rule.) Authored from the thrunt.me detection-gap queue (corpus signal with zero SigmaHQ/thrunt tag coverage for T1037 at authoring time); analyst-reviewed 2026-06-11.'
references:
  - 'https://thrunt.me/sigma/t1037-linux-init-script-modification.yml'
  - 'https://thrunt.me/corpus/attck/T1037/'
  - 'https://attack.mitre.org/techniques/T1037/'
author: 'Applied Cybernetics Group (via thrunt.me)'
date: '2026-06-11'
modified: '2026-06-11'
tags:
  - 'attack.persistence'
  - 'attack.t1037'
  - 'tlp.clear'
logsource:
  category: 'file_event'
  product: 'linux'
# NOTE: Package managers (dpkg/rpm scriptlets) legitimately write /etc/init.d/ on install — baseline, then add a filter_* selection on the package-manager Image paths rather than narrowing the watch. A filter_* block only takes effect if the condition is also changed to '1 of selection_* and not 1 of filter_*'.
# NOTE: The runlevel directories live under /etc/rc.d/ on RHEL/Fedora (where /etc/init.d is a symlink into it) but directly under /etc/ (/etc/rc0.d … /etc/rc6.d, /etc/rcS.d) on Debian/Ubuntu; both layouts are listed so the '/etc/rc*.d/' in the description is actually covered.
# NOTE: file_event backends that only record file creation (Sysmon for Linux FileCreate, event ID 11) do not see an in-place append to an existing rc.local; where modification coverage matters, pair this rule with an auditd write watch on the same paths (-w /etc/rc.local -p wa).
# NOTE: Appliance/embedded estates may symlink rc.local; consider adding /etc/rc.common for OpenWrt-class targets if in scope.
detection:
  selection_dirs:
    TargetFilename|startswith:
      - '/etc/init.d/'
      - '/etc/rc.d/'
      - '/etc/rc0.d/'
      - '/etc/rc1.d/'
      - '/etc/rc2.d/'
      - '/etc/rc3.d/'
      - '/etc/rc4.d/'
      - '/etc/rc5.d/'
      - '/etc/rc6.d/'
      - '/etc/rcS.d/'
  selection_rclocal:
    TargetFilename:
      - '/etc/rc.local'
  condition: '1 of selection_*'
falsepositives:
  - 'Package installation and upgrades writing init scripts (dpkg, rpm, yum/dnf transactions).'
  - 'Configuration management deploying service wrappers.'
  - 'Administrators installing third-party services that still ship sysvinit scripts.'
level: 'medium'
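To see the detection section applied to telemetry, the following evaluator is an added example written for this page (not code from the rule, from thrunt.me's tooling, or from pySigma). It re-implements the two selection_* blocks and the package-manager filter_* that the first NOTE suggests, in plain Python over constructed file_event records, and runs offline. The FileEvent record shape, the filter_pkgmgr image list and the sample events are assumptions; the prefix list goes beyond the page's YAML by including the Debian-style /etc/rc?.d/ directories so that the '/etc/rc*.d/' named in the description is covered, and one sample shows why that matters.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FileEvent:
    """One normalised Linux file_event, using Sigma field names.
    Assumed shape (Sysmon for Linux FileCreate or auditd PATH records mapped
    to these fields); the page does not pin a specific backend."""
    TargetFilename: str
    Image: str            # executable that wrote the file
    User: str = "root"


# selection_dirs: prefix matches. /etc/rc.d/ is the RHEL/Fedora layout (it also
# catches /etc/rc.d/init.d/ and /etc/rc.d/rc.local); the rc?.d entries cover the
# Debian/Ubuntu layout, where runlevel directories sit directly under /etc/.
SELECTION_DIRS: Tuple[str, ...] = (
    "/etc/init.d/",
    "/etc/rc.d/",
    *(f"/etc/rc{n}.d/" for n in "0123456S"),
)

# selection_rclocal: exact match, so /etc/rc.local.bak or rc.local~ never fire.
SELECTION_RCLOCAL = ("/etc/rc.local",)

# filter_pkgmgr (assumed; not in the page's YAML): images that legitimately
# unpack init scripts. dpkg and rpm write the files themselves. dnf/yum run
# librpm inside a python3 interpreter, so an Image-only filter is too coarse
# there; baseline ParentImage/CommandLine in your estate before relying on it.
FILTER_PKGMGR_IMAGES = ("/usr/bin/dpkg", "/usr/bin/rpm")


def selection_dirs(ev: FileEvent) -> bool:
    return ev.TargetFilename.startswith(SELECTION_DIRS)


def selection_rclocal(ev: FileEvent) -> bool:
    return ev.TargetFilename in SELECTION_RCLOCAL


def filter_pkgmgr(ev: FileEvent) -> bool:
    return ev.Image in FILTER_PKGMGR_IMAGES


def matched_selections(ev: FileEvent) -> List[str]:
    """Names of the selection_* blocks the event satisfies (kept as alert reason)."""
    checks = (("selection_dirs", selection_dirs), ("selection_rclocal", selection_rclocal))
    return [name for name, fn in checks if fn(ev)]


def evaluate(ev: FileEvent, with_filter: bool = True) -> Optional[str]:
    """Condition '1 of selection_*', extended to
    '... and not 1 of filter_*' when with_filter is set.
    Returns the first matching selection name, or None for no alert."""
    hits = matched_selections(ev)
    if not hits:
        return None
    if with_filter and filter_pkgmgr(ev):
        return None
    return hits[0]


def run(events: List[FileEvent], with_filter: bool = True) -> List[Tuple[str, str, str]]:
    """Evaluate a batch; returns (TargetFilename, Image, reason) per alert."""
    alerts = []
    for ev in events:
        reason = evaluate(ev, with_filter)
        if reason is not None:
            alerts.append((ev.TargetFilename, ev.Image, reason))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("/etc/init.d/nginx", "/usr/bin/dpkg"),              # package install: filtered
    FileEvent("/etc/rc.local", "/bin/bash"),                      # shell writing rc.local: alert
    FileEvent("/etc/rc2.d/S99update", "/usr/bin/ln"),             # Debian runlevel link: alert
    FileEvent("/etc/rc.d/rc.local", "/usr/bin/vim"),              # RHEL layout: alert
    FileEvent("/etc/systemd/system/evil.service", "/bin/bash"),   # systemd unit: T1543.002, no match
    FileEvent("/etc/rc.local.bak", "/usr/bin/cp"),                # not a boot entry point: no match
]

if __name__ == "__main__":
    for target, image, reason in run(SAMPLE_EVENTS):
        print(f"ALERT {reason:<18} {image:>14} -> {target}")
```

Running the block without the filter (`run(SAMPLE_EVENTS, with_filter=False)`) shows the dpkg write surfacing as a fourth alert, which is the volume the NOTE tells you to baseline before deciding which package-manager images to filter on.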