System Services: Systemctl

Other sub-techniques of System Services (3)

ID	Name
T1569.001	Launchctl
T1569.002	Service Execution
T1569.003	Systemctl

Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.

Adversaries may use systemctl to execute commands or programs as Systemd Services. Common subcommands include: systemctl start, systemctl stop, systemctl enable, systemctl disable, and systemctl status.^[1]

ID: T1569.003

Sub-technique of: T1569

ⓘ

Tactic: Execution

ⓘ

Platforms: Linux

Version: 1.0

Created: 18 March 2025

Last Modified: 15 April 2025

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
G0139	TeamTNT	TeamTNT has created system services to execute cryptocurrency mining software.^[2]

Mitigations

ID	Mitigation	Description
M1018	User Account Management	Limit user access to `systemctl` to only users who have a legitimate need.

Detection

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Monitor the execution of the `systemctl` command, focusing on subcommands such as `start` and `enable`, that may be used by adversaries to load system services. Analytic 1 - Suspicious command execution of systemctl `sourcetype=auditd OR sourcetype=sysmon_linux(command="systemctl" AND (command="start" OR command="enable"))\| stats count by host, user, command, parent_process, _time\| where user!="root" AND NOT match(command, "expected_service")\| sort -_time`
DS0022	File	File Modification	Every systemd service must have a corresponding unit file on disk which can be monitored. Unit files are located in the `/etc/systemd/system`, `/usr/lib/systemd/system/`, and `/home/$username/.config/systemd/user/` directories. Analytic 1 - suspicious modification of service unit files `sourcetype=auditd(path IN ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/home//.config/systemd/user/") AND (syscall="open" OR syscall="write"))\| stats count by file_path, user, process_name, _time\| where NOT match(file_path, "expected_admin_changes")\| sort -_time`
DS0009	Process	Process Creation	Monitor for newly executed daemons that may abuse systemctl to execute commands or programs. Analytic 1 - suspicious process execution of systemctl `sourcetype=sysmon_linux OR sourcetype=auditd(parent_process="systemd" OR process_name="daemon")\| stats count by process_name, parent_process, user, cmdline, _time\| where user!="root" AND NOT match(cmdline, "known_daemon_pattern")\| sort -_time`
DS0019	Service	Service Creation	Monitor the creation or modification of system services via the `systemctl` command. Analytic 1 - suspicious systemctl service creation `sourcetype=auditd(command="systemctl" AND command="enable" OR command="create")\| stats count by user, command, process_name, _time\| where NOT match(command, "whitelisted_services")\| sort -_time`

References

Damon Garn. (2022, May 17). How to use systemctl to manage Linux services. Retrieved March 18, 2025.

Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.