
T1569.003 Systemctl

Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, systemctl can also be integrated into scripts or applications.

Adversaries may use systemctl to execute commands or programs as systemd services. Common subcommands include: systemctl start, systemctl stop, systemctl enable, systemctl disable, and systemctl status.[1]
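As an added detection example (not part of the ATT&CK entry), the following Python parses auditd EXECVE records and reports systemctl invocations whose subcommand starts or enables a unit. The log lines are constructed samples, and the helper names and the set of flagged subcommands are assumptions of this example.

```python
import re

# Subcommands that run or persist a unit (assumption: stop/disable/status are not flagged)
EXEC_SUBCOMMANDS = {"start", "restart", "enable", "reenable"}
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EVENT_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")

# Constructed sample records in auditd's log format
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1744700000.101:9001): argc=2 a0="systemctl" a1="status"',
    'type=EXECVE msg=audit(1744700002.220:9002): argc=4 a0="/usr/bin/systemctl" '
    'a1="enable" a2="--now" a3="example-worker.service"',
    'type=EXECVE msg=audit(1744700005.007:9003): argc=3 a0="systemctl" a1="start" '
    'a2=6D7920756E69742E73657276696365',
    'type=SYSCALL msg=audit(1744700005.007:9003): arch=c000003e syscall=59 success=yes',
]

def parse_execve(line):
    """Return (event_id, argv) for an auditd EXECVE record, else None."""
    event = EVENT_RE.search(line)
    if "type=EXECVE" not in line or not event:
        return None
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        if hexed:  # auditd hex-encodes arguments containing spaces or special bytes
            try:
                quoted = bytes.fromhex(hexed).decode("utf-8", "replace")
            except ValueError:
                quoted = hexed
        args[int(idx)] = quoted
    return event.group(1), [args[i] for i in sorted(args)]

def flag_systemctl(lines):
    """List systemctl executions whose subcommand starts or enables a unit."""
    findings = []
    for line in lines:
        parsed = parse_execve(line)
        if not parsed or not parsed[1]:
            continue
        event_id, argv = parsed
        if argv[0].rsplit("/", 1)[-1] != "systemctl":
            continue
        # Skip flags such as --now; options that take a separate value are not handled
        words = [a for a in argv[1:] if not a.startswith("-")]
        if words and words[0] in EXEC_SUBCOMMANDS:
            findings.append({"event": event_id, "subcommand": words[0],
                             "units": words[1:], "now": "--now" in argv})
    return findings

if __name__ == "__main__":
    for finding in flag_systemctl(SAMPLE_LOG):
        print(finding)
```

Findings carry the audit event serial so they can be joined to the SYSCALL record of the same event for the calling user and parent process.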

| Item | Value |
| --- | --- |
| ID | T1569.003 |
| Sub-techniques | T1569.001, T1569.002, T1569.003 |
| Tactics | TA0002 |
| Platforms | Linux |
| Version | 1.0 |
| Created | 18 March 2025 |
| Last Modified | 15 April 2025 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| G0139 | TeamTNT | TeamTNT has created system services to execute cryptocurrency mining software.[2] |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1018 | User Account Management | Limit user access to systemctl to only users who have a legitimate need. |

References