Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Systemd utilizes unit configuration files with the .service
file extension to encode information about a service's process. By default, system level unit files are stored in the /systemd/system
directory of the root owned directories (/
). User level unit files are stored in the /systemd/user
directories of the user owned directories ($HOME
).(Citation: lambert systemd 2022)
Inside the .service
unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)
ExecStart
, ExecStartPre
, and ExecStartPost
directives execute when a service is started manually by systemctl
or on system start if the service is set to automatically start.ExecReload
directive executes when a service restarts. ExecStop
, ExecStopPre
, and ExecStopPost
directives execute when a service is stopped. Adversaries have created new service files, altered the commands a .service
file’s directive executes, and modified the user directive a .service
file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)
The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
amazon_inspector | Amazon Inspector | technique_scores | T1543.002 | Systemd Service |