Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands:
Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)
While adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1543.002 | Systemd Service | |
AC-3 | Access Enforcement | Protects | T1543.002 | Systemd Service | |
AC-5 | Separation of Duties | Protects | T1543.002 | Systemd Service | |
AC-6 | Least Privilege | Protects | T1543.002 | Systemd Service | |
CA-7 | Continuous Monitoring | Protects | T1543.002 | Systemd Service | |
CM-11 | User-installed Software | Protects | T1543.002 | Systemd Service | |
CM-2 | Baseline Configuration | Protects | T1543.002 | Systemd Service | |
CM-3 | Configuration Change Control | Protects | T1543.002 | Systemd Service | |
CM-5 | Access Restrictions for Change | Protects | T1543.002 | Systemd Service | |
CM-6 | Configuration Settings | Protects | T1543.002 | Systemd Service | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1543.002 | Systemd Service | |
SA-22 | Unsupported System Components | Protects | T1543.002 | Systemd Service | |
SI-16 | Memory Protection | Protects | T1543.002 | Systemd Service | |
SI-3 | Malicious Code Protection | Protects | T1543.002 | Systemd Service | |
SI-4 | System Monitoring | Protects | T1543.002 | Systemd Service | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1543.002 | Systemd Service | |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1543.002 | Systemd Service |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1543.002 | Systemd Service |
Comments
This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|