T1543.002 Systemd Service
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.[3] Systemd is the default initialization (init) system on many Linux distributions, replacing legacy init systems including SysVinit and Upstart while remaining backwards compatible.
Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system-level unit files are stored in the `/systemd/system` directory of the root-owned directories (`/`). User-level unit files are stored in the `/systemd/user` directories of the user-owned directories (`$HOME`).[6]
Service unit files use the following directives to execute system commands:[2] the `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start. The `ExecReload` directive covers when a service restarts. The `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped.
Adversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that systemd uses upon reboot or when starting a service.[1] Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.
The `.service` file's `User` directive can be used to run the service as a specific user, which could result in privilege escalation based on specific user/group permissions.[5]
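One way a defender can audit unit files for the indicators described above (Exec* directives that run a payload from a user-writable location, or whose target is a symlink pointing elsewhere on the filesystem). This is an added Python example, not code from the ATT&CK page; the suspect-path prefixes and the sample unit are constructed assumptions for illustration.

```python
import os
import shlex

# Exec* directives the page describes as executing commands at start/reload/stop.
EXEC_DIRECTIVES = {"ExecStartPre", "ExecStart", "ExecStartPost",
                   "ExecReload", "ExecStop", "ExecStopPost"}
# Assumed list of locations writable by unprivileged users; legitimate system services rarely run from them.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def parse_unit(text):
    """Parse unit-file text into {section: [(key, value), ...]}; keeps repeated keys and skips comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def exec_program(value):
    """Program path of an Exec*= value, minus systemd's optional prefix chars (- @ : + !) and the arguments."""
    argv = shlex.split(value)
    return argv[0].lstrip("-@:+!") if argv else None

def audit_unit(text, resolve=os.path.realpath):
    """Return findings for one unit file; `resolve` is injectable so the check can run offline."""
    findings = []
    for key, value in parse_unit(text).get("Service", []):
        prog = exec_program(value) if key in EXEC_DIRECTIVES else None
        if not prog:
            continue
        if prog.startswith(SUSPECT_PREFIXES):
            findings.append(f"{key} runs {prog} from a user-writable location")
        # Flag only a symlinked final component: resolving the parent directory separately
        # keeps merged-/usr layouts (/bin -> /usr/bin) from producing noise.
        real = resolve(prog)
        expected = os.path.join(resolve(os.path.dirname(prog)), os.path.basename(prog))
        if real != expected:
            findings.append(f"{key} target {prog} is a symlink to {real}")
    return findings

# Constructed sample unit (not taken from any real malware) that exercises the checks.
SAMPLE_UNIT = ("[Unit]\nDescription=Constructed example\n\n[Service]\n"
               "ExecStartPre=-/usr/bin/test -d /run/agent\n"
               "ExecStart=/tmp/.cache/agent --daemon\n"
               "ExecReload=/bin/kill -HUP $MAINPID\nRestart=always\n\n"
               "[Install]\nWantedBy=multi-user.target\n")
```

Run `audit_unit(open(path).read())` over each file under `/etc/systemd/system` and `~/.config/systemd/user` to get a per-unit list of findings.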
Item | Value |
---|---|
ID | T1543.002 |
Sub-techniques | T1543.001, T1543.002, T1543.003, T1543.004 |
Tactics | TA0003, TA0004 |
Platforms | Linux |
Permissions required | User, root |
Version | 1.3 |
Created | 17 January 2020 |
Last Modified | 12 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0401 | Exaramel for Linux | Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.[9][10] |
S0410 | Fysbis | Fysbis has established persistence using a systemd service.[11] |
S0601 | Hildegard | Hildegard has started a monero service.[8] |
S0192 | Pupy | Pupy can be used to establish persistence using a systemd service.[7] |
G0106 | Rocke | Rocke has installed a systemd service script to maintain persistence.[1] |
S0663 | SysUpdate | SysUpdate can copy a script to the user-owned `/usr/lib/systemd/system/` directory with a symlink mapped to a root-owned directory, `/etc/systemd/system`, in the unit configuration file's `ExecStart` directive to establish persistence and elevate privileges.[12] |
G0139 | TeamTNT | TeamTNT has established persistence through the creation of a cryptocurrency mining system service using `systemctl`.[14][13] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1033 | Limit Software Installation | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
M1026 | Privileged Account Management | The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. |
M1022 | Restrict File and Directory Permissions | Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. |
M1018 | User Account Management | Limit user access to system utilities such as systemctl to only users who have a legitimate need. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0009 | Process | Process Creation |
DS0019 | Service | Service Creation |
References
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023.
- Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.
- Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.
- Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.
- Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
- Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
- Daniel Lunghi. (2023, March 1). Iron Tiger's SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- Fiser, D., Oliveira, A. (n.d.). Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.