Adversaries may use rc.common automatically executed at boot initialization to establish persistence. During the boot process, macOS executessource /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated mechanism in favor of [Launch Agent](https://attack.mitre.org/techniques/T1543/001) and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) but is currently still used.Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user. (Citation: Methods of Mac Malware Persistence)
Modify rc.common
Supported Platforms: macOS
sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common