Description
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Systemd utilizes unit configuration files with the .service file extension to encode information about a service's process. By default, system-level unit files are stored in a /systemd/system subdirectory of the root-owned directories (/), and user-level unit files are stored in a /systemd/user subdirectory of the user-owned directories ($HOME).(Citation: lambert systemd 2022)
Inside the .service unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)
* ExecStart, ExecStartPre, and ExecStartPost directives execute when a service is started manually by systemctl or on system start if the service is set to automatically start.
* ExecReload directive executes when a service restarts.
* ExecStop, ExecStopPre, and ExecStopPost directives execute when a service is stopped.
Adversaries have created new service files, altered the commands a .service file’s directive executes, and modified the user directive a .service file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)
The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.
Systemd services can be created via systemd generators, which support the dynamic generation of unit files. Systemd generators are small executables that run during boot or configuration reloads to dynamically create or modify systemd unit files by converting non-native configurations into services, symlinks, or drop-ins (i.e., Boot or Logon Initialization Scripts).(Citation: Elastic Security Labs Linux Persistence 2024)(Citation: Pepe Berba Systemd 2022)
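The following audit script is an added example for this page (it is not part of ATT&CK or of any project cited here). It shows, from the defender's side, the pieces the description above discusses: it parses the Exec* and User= directives in the [Service] section of .service files, flags commands that reference locations a service rarely runs from, flags unit files that are symlinks pointing outside the standard unit directories, and flags unit files that are group- or world-writable (the condition mitigation M1022 is meant to prevent). The sample units, the list of "unusual" path prefixes, and the unit names are constructed for illustration; the unit directory list is systemd's usual system-level search path.

```python
"""Audit systemd .service units for persistence indicators (added example).

Sample units below are constructed; UNUSUAL_PREFIXES is an assumption and
should be tuned per environment (e.g. user units legitimately live under $HOME).
"""
import os
import shlex
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Directives that make systemd execute a command (those listed on the page).
EXEC_DIRECTIVES = ("ExecStart", "ExecStartPre", "ExecStartPost",
                   "ExecReload", "ExecStop", "ExecStopPre", "ExecStopPost")
# Assumption: locations from which a legitimate system service rarely executes.
UNUSUAL_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Prefix characters systemd allows before the program path in Exec* values.
EXEC_PREFIX_CHARS = "-@:+!"
# Standard system-level unit directories.
SYSTEM_UNIT_DIRS = ("/etc/systemd/system", "/run/systemd/system",
                    "/usr/lib/systemd/system", "/lib/systemd/system")


@dataclass
class Unit:
    path: str                          # where the unit file was found
    text: str                          # unit file contents
    mode: int = 0o644                  # permission bits of the unit file
    link_target: Optional[str] = None  # set when the unit file is a symlink


def parse_service_section(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from [Service], keeping repeated keys in order.
    Backslash line continuations are not handled in this example."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs


def exec_tokens(value: str) -> List[str]:
    """Split an Exec* value into argv after stripping systemd's prefix characters."""
    stripped = value.lstrip(EXEC_PREFIX_CHARS)
    try:
        return shlex.split(stripped)
    except ValueError:        # unbalanced quotes: fall back to whitespace split
        return stripped.split()


def audit_unit(unit: Unit) -> Dict[str, object]:
    """Return the effective user and a list of human-readable findings."""
    findings: List[str] = []
    pairs = parse_service_section(unit.text)
    # A system unit without User= runs as root (the privilege angle in the text).
    user = next((v for k, v in pairs if k == "User"), "root")
    for key, value in pairs:
        if key not in EXEC_DIRECTIVES:
            continue
        tokens = exec_tokens(value)
        if not tokens:
            continue
        if not tokens[0].startswith("/"):
            findings.append(f"{key} uses a non-absolute program path: {tokens[0]!r}")
        for tok in tokens:
            if tok.startswith(UNUSUAL_PREFIXES):
                findings.append(f"{key} references unusual location: {tok}")
    # Symlinks to /dev/null are masked units; other out-of-tree targets are flagged.
    if (unit.link_target and unit.link_target != "/dev/null"
            and not unit.link_target.startswith(SYSTEM_UNIT_DIRS)):
        findings.append(f"unit is a symlink to {unit.link_target}")
    if unit.mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"unit file is group/world-writable (mode {unit.mode:o})")
    return {"user": user, "findings": findings}


def load_units(dirs=SYSTEM_UNIT_DIRS) -> List[Unit]:
    """Collect .service files from real unit directories (needs read access)."""
    units = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in (n for n in files if n.endswith(".service")):
                p = os.path.join(root, name)
                target = os.path.realpath(p) if os.path.islink(p) else None
                try:
                    with open(p, errors="replace") as fh:
                        text = fh.read()
                    units.append(Unit(p, text, stat.S_IMODE(os.stat(p).st_mode), target))
                except OSError:
                    continue          # dangling symlink or unreadable file
    return units


# Constructed sample units: one benign, one masquerading as syslogd with a /tmp
# payload and a writable unit file, one symlinked into a home directory.
SAMPLE_UNITS = [
    Unit("/etc/systemd/system/sshd.service",
         "[Unit]\nDescription=OpenSSH server\n\n[Service]\nExecStart=/usr/sbin/sshd -D\n"
         "ExecReload=/bin/kill -HUP $MAINPID\n\n[Install]\nWantedBy=multi-user.target\n"),
    Unit("/etc/systemd/system/syslogd.service",
         "[Unit]\nDescription=System Logging\n\n[Service]\nExecStartPre=-/bin/chmod +x /tmp/.x/run\n"
         "ExecStart=/tmp/.x/run\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n",
         mode=0o666),
    Unit("/etc/systemd/system/update.service",
         "[Service]\nExecStart=/home/build/update.sh\nUser=root\n",
         link_target="/home/build/update.service"),
]

if __name__ == "__main__":
    for u in SAMPLE_UNITS:          # swap in load_units() to audit a live host
        result = audit_unit(u)
        print(f"{u.path} (runs as {result['user']})")
        for f in result["findings"]:
            print("  -", f)
```

Running the script as written audits the constructed samples; calling load_units() instead walks the real unit directories, which also surfaces the symlinks and drop-ins that generators (see above) write under /run/systemd/system. The heuristics are deliberately simple: compare results against a known-good baseline of unit files rather than treating any single finding as proof of compromise.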
Mitigations (4)
- User Account Management (M1018): Limit user access to system utilities such as systemctl to only users who have a legitimate need.
- Restrict File and Directory Permissions (M1022): Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.
- Privileged Account Management (M1026): The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.
- Limit Software Installation (M1033): Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has established persistence through the creation of a cryptocurrency mining system service using <cod... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has run `SYSTEMD_UNIT_PATH="/lib/systemd/ system/teleport.service` to establish persistence ... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has installed a systemd service script to maintain persistence.(Citation: Anomali Rocke March 2019) |
Associated Software (9)
| ID | Name | Type | Context |
|---|---|---|---|
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has stopped `systemd-resolved` in order to manipulate DNS and firewalls.(Citation: Socket Shai-H... |
| S1198 | Gomir | Malware | [Gomir](https://attack.mitre.org/software/S1198) creates a systemd service named `syslogd` for persistence.(Citation: Symantec Troll Stealer 2024) |
| S1222 | RIFLESPINE | Malware | [RIFLESPINE](https://attack.mitre.org/software/S1222) can create a systemd service file for execution.(Citation: Google Cloud Mandiant UNC3886 2024) |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can be used to establish persistence using a systemd service.(Citation: GitHub Pupy) |
| S0410 | Fysbis | Malware | [Fysbis](https://attack.mitre.org/software/S0410) has established persistence using a systemd service.(Citation: Fysbis Dr Web Analysis) |
| S1078 | RotaJakiro | Malware | Depending on the Linux distribution and when executing with root permissions, [RotaJakiro](https://attack.mitre.org/software/S1078) may install persis... |
| S0663 | SysUpdate | Malware | [SysUpdate](https://attack.mitre.org/software/S0663) can copy a script to the user owned `/usr/lib/systemd/system/` directory with a symlink mapped to... |
| S0401 | Exaramel for Linux | Malware | [Exaramel for Linux](https://attack.mitre.org/software/S0401) has a hardcoded location under systemd that it uses to achieve persistence if it is runn... |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has started a monero service.(Citation: Unit 42 Hildegard Malware) |
References
- airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023.
- Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.
- Pepe Berba. (2022, February 7). Hunting for Persistence in Linux (Part 5): Systemd Generators. Retrieved April 8, 2025.
- Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.
- Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.
- Ruben Groenewoud. (2024, August 20). Linux Detection Engineering - A primer on persistence mechanisms. Retrieved March 18, 2025.
- Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023.
Frequently Asked Questions
What is T1543.002 (Systemd Service)?
T1543.002 is a MITRE ATT&CK technique named 'Systemd Service'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon...
How can T1543.002 be detected?
Detection of T1543.002 (Systemd Service) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1543.002?
There are 4 documented mitigations for T1543.002. Key mitigations include: User Account Management, Restrict File and Directory Permissions, Privileged Account Management, Limit Software Installation.
Which threat groups use T1543.002?
Known threat groups using T1543.002 include: TeamTNT, Scattered Spider, Rocke.