Technique on mitre.org

T1543.002: Systemd Service

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Systemd utilizes unit configuration files with the .service file extension to encode information about a service's process. By default, system level unit files are stored in the /systemd/system directory of the root owned directories (/). User level unit files are stored in the /systemd/user directories of the user owned directories ($HOME).

Inside the .service unit files, the following directives are used to execute commands:

ExecStart, ExecStartPre, and ExecStartPost directives execute when a service is started manually by systemctl or on system start if the service is set to automatically start.
ExecReload directive executes when a service restarts.
ExecStop, ExecStopPre, and ExecStopPost directives execute when a service is stopped.

Adversaries have created new service files, altered the commands a .service file’s directive executes, and modified the user directive a .service file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.

The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_persistence: PT-CR-1671: Unix_Systemd_Service_Modify: Possible persistence on a host gained by modifying a system service file. Attackers can create or modify systemd services to repeatedly execute malicious payloads.

Detection

ID	DS0022	Data source and component	File: File Creation	Description	Systemd service unit files may be detected by auditing file creation and modification events within the `/etc/systemd/system`, `/usr/lib/systemd/system/`, and `/home//.config/systemd/user/` directories, as well as associated symbolic links

ID	DS0022	Data source and component	File: File Modification	Description	Systemd service unit files may be detected by auditing file creation and modification events within the `/etc/systemd/system`, `/usr/lib/systemd/system/`, and `/home//.config/systemd/user/` directories, as well as associated symbolic links

ID	DS0019	Data source and component	Service: Service Creation	Description	Monitor for new constructed systemd services to repeatedly execute malicious payloads as part of persistence.

ID	DS0019	Data source and component	Service: Service Modification	Description	Analyze the contents of `.service` files present on the file system and ensure that they refer to legitimate, expected executables.

ID	DS0009	Data source and component	Process: Process Creation	Description	Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.

ID	DS0017	Data source and component	Command: Command Execution	Description	Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: `systemctl list-units -–type=service –all`. Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as `/usr/sbin/service` may reveal malicious systemd service execution.

ID	Data source and component	Description
DS0022	File: File Creation	Systemd service unit files may be detected by auditing file creation and modification events within the `/etc/systemd/system`, `/usr/lib/systemd/system/`, and `/home//.config/systemd/user/` directories, as well as associated symbolic links
DS0022	File: File Modification	Systemd service unit files may be detected by auditing file creation and modification events within the `/etc/systemd/system`, `/usr/lib/systemd/system/`, and `/home//.config/systemd/user/` directories, as well as associated symbolic links
DS0019	Service: Service Creation	Monitor for new constructed systemd services to repeatedly execute malicious payloads as part of persistence.
DS0019	Service: Service Modification	Analyze the contents of `.service` files present on the file system and ensure that they refer to legitimate, expected executables.
DS0009	Process: Process Creation	Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.
DS0017	Command: Command Execution	Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: `systemctl list-units -–type=service –all`. Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as `/usr/sbin/service` may reveal malicious systemd service execution.

Mitigation

ID	M1018	Name	User Account Management	Description	Limit user access to system utilities such as `systemctl` to only users who have a legitimate need.

ID	M1022	Name	Restrict File and Directory Permissions	Description	Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.

ID	M1026	Name	Privileged Account Management	Description	The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.

ID	M1033	Name	Limit Software Installation	Description	Restrict software installation to trusted repositories only and be cautious of orphaned software packages.

ID	Name	Description
M1018	User Account Management	Limit user access to system utilities such as `systemctl` to only users who have a legitimate need.
M1022	Restrict File and Directory Permissions	Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.
M1026	Privileged Account Management	The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.
M1033	Limit Software Installation	Restrict software installation to trusted repositories only and be cautious of orphaned software packages.