T1543.002 Systemd Service

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Systemd utilizes unit configuration files with the .service file extension to encode information about a service's process. By default, system level unit files are stored in the /systemd/system directory of the root owned directories (/). User level unit files are stored in the /systemd/user directories of the user owned directories ($HOME).(Citation: lambert systemd 2022)

Inside the .service unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)

  • ExecStart, ExecStartPre, and ExecStartPost directives execute when a service is started manually by systemctl or on system start if the service is set to automatically start.
  • ExecReload directive executes when a service restarts.
  • ExecStop, ExecStopPre, and ExecStopPost directives execute when a service is stopped.

Adversaries have created new service files, altered the commands a .service file’s directive executes, and modified the user directive a .service file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)

The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1543.002 Systemd Service
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    DE.CM-03.03 Privileged account monitoring Mitigates T1543.002 Systemd Service
    Comments
    This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
    References
      PR.AA-05.02 Privileged system access Mitigates T1543.002 Systemd Service
      Comments
      This diagnostic statement protects against Systemd Service through the use of privileged account management and the use of multi-factor authentication.
      References
        DE.CM-09.01 Software and data integrity checking Mitigates T1543.002 Systemd Service
        Comments
        This diagnostic statement protects against Systemd Service through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
        References
          PR.AA-01.02 Physical and logical access Mitigates T1543.002 Systemd Service
          Comments
          This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
          References
            PR.IR-01.06 Production environment segregation Mitigates T1543.002 Systemd Service
            Comments
            This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
            References
              PR.AA-01.01 Identity and credential management Mitigates T1543.002 Systemd Service
              Comments
              This diagnostic statement protects against Systemd Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
              References

                NIST 800-53 Mappings

                VERIS Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1543.002 Systemd Service
                attribute.integrity.variety.Software installation Software installation or code modification related-to T1543.002 Systemd Service

                Azure Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1543.002 Systemd Service
                Comments
                This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
                References
                ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations technique_scores T1543.002 Systemd Service
                Comments
                This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
                References

                AWS Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                amazon_inspector Amazon Inspector technique_scores T1543.002 Systemd Service
                Comments
                The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this, the score is capped at Partial.
                References