T1543.002: Systemd Service
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Systemd utilizes unit configuration files with the .service
file extension to encode information about a service's process. By default, system level unit files are stored in the /systemd/system
directory of the root owned directories (/
). User level unit files are stored in the /systemd/user
directories of the user owned directories ($HOME
).
Inside the .service
unit files, the following directives are used to execute commands:
ExecStart
,ExecStartPre
, andExecStartPost
directives execute when a service is started manually bysystemctl
or on system start if the service is set to automatically start.ExecReload
directive executes when a service restarts.ExecStop
,ExecStopPre
, andExecStopPost
directives execute when a service is stopped.
Adversaries have created new service files, altered the commands a .service
file’s directive executes, and modified the user directive a .service
file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.
The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_persistence: PT-CR-1671: Unix_Systemd_Service_Modify: Persistence on a host was gained by changing a system service file. Attackers can create or modify systemd services to repeatedly execute malicious payloads.
Detection
ID | DS0022 | Data source and component | File: File Creation | Description | Systemd service unit files may be detected by auditing file creation and modification events within the |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: |
---|
ID | DS0022 | Data source and component | File: File Modification | Description | Systemd service unit files may be detected by auditing file creation and modification events within the |
---|
ID | DS0019 | Data source and component | Service: Service Creation | Description | Monitor for new constructed systemd services to repeatedly execute malicious payloads as part of persistence. |
---|
ID | DS0019 | Data source and component | Service: Service Modification | Description | Analyze the contents of |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. |
---|
Mitigation
ID | M1033 | Name | Limit Software Installation | Description | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
---|
ID | M1018 | Name | User Account Management | Description | Limit user access to system utilities such as |
---|
ID | M1022 | Name | Restrict File and Directory Permissions | Description | Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. |
---|
ID | M1026 | Name | Privileged Account Management | Description | The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. |
---|