MITRE ATT&CK Technique
Persistence
T1163
Description
During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used. Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).
Supported Platforms
macOS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'During the boot process, macOS executes <code>source '
'/etc/rc.common</code>, which is a shell script containing '
'various utility functions. This file also defines routines '
'for processing command-line arguments and for gathering '
'system settings, and is thus recommended to include in the '
'start of Startup Item Scripts (Citation: Startup Items). In '
'macOS and OS X, this is now a deprecated technique in favor '
'of launch agents and launch daemons, but is currently still '
'used.\n'
'\n'
'Adversaries can use the rc.common file as a way to hide code '
'for persistence that will execute on each reboot as the root '
'user (Citation: Methods of Mac Malware Persistence).',
'external_references': [{'external_id': 'T1163',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1163'},
{'description': 'Apple. (2016, September 13). Startup '
'Items. Retrieved July 11, 2017.',
'source_name': 'Startup Items',
'url': 'https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html'},
{'description': 'Patrick Wardle. (2014, September). '
'Methods of Malware Persistence on '
'Mac OS X. Retrieved July 5, 2017.',
'source_name': 'Methods of Mac Malware Persistence',
'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'}],
'id': 'attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:27.347Z',
'name': 'Rc.common',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '1.1'}