Description
Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.
Adversaries may use systemctl to execute commands or programs as Systemd Services. Common subcommands include: systemctl start, systemctl stop, systemctl enable, systemctl disable, and systemctl status.(Citation: Red Hat Systemctl 2022)
Platforms
Mitigations (1)
User Account Management (M1018)
Limit user access to systemctl to only users who have a legitimate need.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has created system services to execute cryptocurrency mining software.(Citation: Cisco Talos Intellig... |
References
- Damon Garn. (2022, May 17). How to use systemctl to manage Linux services. Retrieved March 18, 2025.
Frequently Asked Questions
What is T1569.003 (Systemctl)?
T1569.003 is a MITRE ATT&CK technique named 'Systemctl'. It belongs to the Execution tactic(s). Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl ca...
How can T1569.003 be detected?
Detection of T1569.003 (Systemctl) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
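At the endpoint, detection of this sub-technique usually starts with process-creation telemetry for systemctl itself. The following added example (not from MITRE or the cited Red Hat article) parses constructed, simplified audit-style EXECVE lines, picks out the systemctl subcommand and unit operand, and flags start/enable operations for units outside an assumed host baseline or loaded from an untrusted directory, the pattern behind the TeamTNT service-based miner execution noted above; the baseline set, untrusted directories and log format are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed, simplified audit-style EXECVE lines (not real captured data).
# Real auditd carries uid in the SYSCALL record; it is folded into each line here.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1712345678.101:201): argc=3 a0="systemctl" a1="status" a2="sshd" uid=1000
type=EXECVE msg=audit(1712345678.102:202): argc=3 a0="systemctl" a1="enable" a2="/tmp/.x/miner.service" uid=1000
type=EXECVE msg=audit(1712345678.103:203): argc=4 a0="systemctl" a1="start" a2="--no-block" a3="miner.service" uid=1000
type=EXECVE msg=audit(1712345678.104:204): argc=3 a0="systemctl" a1="start" a2="nginx.service" uid=0
type=EXECVE msg=audit(1712345678.105:205): argc=2 a0="ls" a1="-la" uid=1000
"""

# Assumed baseline of units this host is expected to manage; tune per fleet.
BASELINE_UNITS = {"sshd.service", "nginx.service", "cron.service"}
# Subcommands that make a unit run now or at boot (start and enable are named on the page).
EXEC_SUBCOMMANDS = {"start", "restart", "enable"}
# Directories from which a unit file should never be loaded on a managed host (assumed).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')
UID_RE = re.compile(r"\buid=(\d+)")
ID_RE = re.compile(r"audit\([^:]+:(\d+)\)")

def normalize_unit(unit: str) -> str:
    """Map 'sshd' or '/path/foo.service' to a unit name with a type suffix."""
    name = PurePosixPath(unit).name
    return name if "." in name else f"{name}.service"

def scan_audit_lines(text: str, baseline=BASELINE_UNITS) -> list[dict]:
    """One finding per systemctl call that starts/enables a non-baseline or untrusted-path unit."""
    findings = []
    for line in text.splitlines():
        argv = [v for _, v in sorted(ARG_RE.findall(line), key=lambda kv: int(kv[0]))]
        if not argv or PurePosixPath(argv[0]).name != "systemctl":
            continue
        operands = [a for a in argv[1:] if not a.startswith("-")]  # drop flags such as --now
        if len(operands) < 2 or operands[0] not in EXEC_SUBCOMMANDS:
            continue  # status/stop/disable on their own do not launch new code
        subcmd, unit = operands[0], operands[1]
        reasons = []
        if unit.startswith(UNTRUSTED_DIRS):
            reasons.append("unit file loaded from untrusted path")
        if normalize_unit(unit) not in baseline:
            reasons.append("unit not in baseline")
        if reasons:
            uid = UID_RE.search(line)
            findings.append({"id": ID_RE.search(line).group(1), "uid": int(uid.group(1)) if uid else None,
                             "subcommand": subcmd, "unit": unit, "reasons": reasons})
    return findings
```

On the sample above, only events 202 and 203 produce findings; the root-initiated start of a baseline unit and the status query do not.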
What mitigations exist for T1569.003?
There is 1 documented mitigation for T1569.003: User Account Management.
Which threat groups use T1569.003?
Known threat groups using T1569.003 include: TeamTNT.