DET0073 Detection Strategy for System Services: Systemctl

Item	Value
ID	DET0073
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1569.003 (Systemctl)

Analytics

Linux

AN0200

Abuse of systemctl to execute commands or manage systemd services. Defender perspective: correlate suspicious service creation or modification with execution of systemctl subcommands such as start, enable, or status. Detect cases where systemctl is used to load services from unusual locations (e.g., /tmp, /dev/shm) or where new service units are created outside of expected administrative workflows.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	auditd:EXECVE	execution of systemctl with subcommands start, stop, enable, disable
File Modification (DC0061)	auditd:SYSCALL	open/write of .service unit files
Process Creation (DC0032)	auditd:EXECVE	systemctl spawning managed processes
Service Creation (DC0060)	auditd:CONFIG_CHANGE	creation or modification of systemd services

Mutable Elements

Field	Description
MonitoredPaths	Paths to monitor for service unit files, typically /etc/systemd/system and /usr/lib/systemd/system. Adversaries may use uncommon locations such as /tmp.
SuspiciousSubcommands	Focus on systemctl subcommands start, enable, or daemon-reload when used outside expected change windows.
CorrelationWindow	Time window to correlate service file modification with subsequent systemctl execution.