T1543.002 Systemd Service Mappings

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.

Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands:

  • ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
  • ExecReload directive covers when a service restarts.
  • ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.

Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)

While adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1543.002 Systemd Service
AC-3 Access Enforcement Protects T1543.002 Systemd Service
AC-5 Separation of Duties Protects T1543.002 Systemd Service
AC-6 Least Privilege Protects T1543.002 Systemd Service
CA-7 Continuous Monitoring Protects T1543.002 Systemd Service
CM-11 User-installed Software Protects T1543.002 Systemd Service
CM-2 Baseline Configuration Protects T1543.002 Systemd Service
CM-3 Configuration Change Control Protects T1543.002 Systemd Service
CM-5 Access Restrictions for Change Protects T1543.002 Systemd Service
CM-6 Configuration Settings Protects T1543.002 Systemd Service
IA-2 Identification and Authentication (organizational Users) Protects T1543.002 Systemd Service
SA-22 Unsupported System Components Protects T1543.002 Systemd Service
SI-16 Memory Protection Protects T1543.002 Systemd Service
SI-3 Malicious Code Protection Protects T1543.002 Systemd Service
SI-4 System Monitoring Protects T1543.002 Systemd Service
SI-7 Software, Firmware, and Information Integrity Protects T1543.002 Systemd Service
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1543.002 Create or Modify System Process: Systemd Service
amazon_inspector Amazon Inspector technique_scores T1543.002 Systemd Service