Abuse of systemctl to execute commands or manage systemd services. Defender perspective: correlate suspicious service creation or modification with execution of systemctl subcommands such as start, enable, or status. Detect cases where systemctl is used to load services from unusual locations (e.g., /tmp, /dev/shm) or where new service units are created outside of expected administrative workflows.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | execution of systemctl with subcommands start, stop, enable, disable |
| File Modification (DC0061) | auditd:SYSCALL | open/write of .service unit files |
| Process Creation (DC0032) | auditd:EXECVE | systemctl spawning managed processes |
| Service Creation (DC0060) | auditd:CONFIG_CHANGE | creation or modification of systemd services |

| Field | Description |
|---|---|
| MonitoredPaths | Paths to monitor for service unit files, typically /etc/systemd/system and /usr/lib/systemd/system. Adversaries may use uncommon locations such as /tmp. |
| SuspiciousSubcommands | Focus on systemctl subcommands start, enable, or daemon-reload when used outside expected change windows. |
| CorrelationWindow | Time window to correlate service file modification with subsequent systemctl execution. |
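The correlation described above, written out as an added example (it is not part of the original strategy page or of any MITRE tooling): it parses auditd-style EXECVE and PATH records, flags .service files written to unusual locations, and pairs unit-file writes with a later systemctl start, enable or daemon-reload inside the correlation window. The log lines are constructed, the path lists, subcommand set and ten-minute window are assumed tunables standing in for the MonitoredPaths, SuspiciousSubcommands and CorrelationWindow fields, and the PATH records assume auditd file watches on the unit directories.

```python
"""Correlate systemd unit-file writes with subsequent systemctl activation.
Added example; SAMPLE_LOG is constructed, not captured from a real host."""
import os
import re
from datetime import datetime, timedelta, timezone

# Tunables mirroring the Field table; these concrete values are assumptions.
UNUSUAL_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SUSPICIOUS_SUBCOMMANDS = {"start", "restart", "enable", "daemon-reload", "link"}
CORRELATION_WINDOW = timedelta(minutes=10)

AUDIT_HDR = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
EXECVE_ARG = re.compile(r'\ba(\d+)="([^"]*)"')
PATH_NAME = re.compile(r' name="([^"]*)"')

# Constructed sample: a unit dropped in /tmp and enabled, then a normal admin
# workflow under /etc/systemd/system, then a harmless status query.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.050:100): arch=c000003e syscall=257 success=yes comm="bash" key="unit_files"
type=PATH msg=audit(1700000000.050:100): item=1 name="/tmp/update.service" nametype=CREATE
type=EXECVE msg=audit(1700000000.900:101): argc=4 a0="systemctl" a1="enable" a2="--now" a3="/tmp/update.service"
type=PATH msg=audit(1700000200.000:102): item=1 name="/etc/systemd/system/backup.service" nametype=CREATE
type=EXECVE msg=audit(1700000210.000:103): argc=2 a0="systemctl" a1="daemon-reload"
type=EXECVE msg=audit(1700000220.000:104): argc=3 a0="systemctl" a1="start" a2="backup"
type=EXECVE msg=audit(1700003000.000:105): argc=3 a0="/usr/bin/systemctl" a1="status" a2="nginx"
not an audit record at all
"""


def parse_record(line):
    """Split one auditd record into (type, timestamp, remainder); None if not auditd."""
    stripped = line.strip()
    m = AUDIT_HDR.match(stripped)
    if not m:
        return None
    rtype, secs, _serial = m.groups()
    return rtype, datetime.fromtimestamp(float(secs), tz=timezone.utc), stripped[m.end():]


def unit_name(arg):
    """Normalise a systemctl unit argument ('backup', '/tmp/x.service') to 'x.service'."""
    base = os.path.basename(arg)
    return base if "." in base else base + ".service"


def extract_events(lines):
    """Return ([(ts, unit_path)], [(ts, argv)]) for .service writes and systemctl runs."""
    writes, execs = [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, rest = rec
        if rtype == "PATH":
            m = PATH_NAME.search(rest)
            if m and m.group(1).endswith(".service"):
                writes.append((ts, m.group(1)))
        elif rtype == "EXECVE":
            args = sorted(EXECVE_ARG.findall(rest), key=lambda kv: int(kv[0]))
            argv = [v for _, v in args]
            if argv and os.path.basename(argv[0]) == "systemctl":
                execs.append((ts, argv))
    return writes, execs


def within_window(write_ts, exec_ts):
    """True when the write precedes the execution by at most CORRELATION_WINDOW."""
    return timedelta(0) <= exec_ts - write_ts <= CORRELATION_WINDOW


def detect(lines):
    """Run the checks over auditd lines and return alert dicts in detection order."""
    alerts = []
    writes, execs = extract_events(lines)
    # 1. Unit files appearing where no packaging or admin workflow should put them.
    for ts, path in writes:
        if path.startswith(UNUSUAL_PATHS):
            alerts.append({"rule": "unit_file_unusual_location", "ts": ts, "path": path, "severity": "high"})
    for ts, argv in execs:
        words = [a for a in argv[1:] if not a.startswith("-")]  # drop --now, --user, ...
        if not words or words[0] not in SUSPICIOUS_SUBCOMMANDS:
            continue
        sub, units = words[0], words[1:]
        # 2. daemon-reload shortly after any unit write: a fresh unit is being picked up.
        if sub == "daemon-reload":
            recent = [p for wts, p in writes if within_window(wts, ts)]
            if recent:
                alerts.append({"rule": "daemon_reload_after_unit_write", "ts": ts, "paths": recent, "severity": "medium"})
            continue
        for unit in units:
            # 3a. systemctl pointed directly at a unit path outside the unit directories.
            if unit.startswith(UNUSUAL_PATHS):
                alerts.append({"rule": "systemctl_unit_from_unusual_path", "ts": ts, "argv": argv, "severity": "high"})
            # 3b. The unit being activated was written within the correlation window.
            for wts, path in writes:
                if os.path.basename(path) == unit_name(unit) and within_window(wts, ts):
                    sev = "high" if path.startswith(UNUSUAL_PATHS) else "medium"
                    alerts.append({"rule": "recent_unit_write_then_activation", "ts": ts,
                                   "unit": path, "argv": argv, "severity": sev})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["rule"], a.get("unit") or a.get("path") or a.get("paths"))
```

On the sample the /tmp unit produces three high-severity alerts (unusual write location, systemctl given a /tmp path, and write-then-enable within the window), while the /etc/systemd/system workflow produces only medium ones, which is the place to apply change-window or ticket suppression rather than raising the threshold globally. Matching on the unit basename is deliberate: `systemctl start backup` and a write to `/etc/systemd/system/backup.service` must correlate even though the argument carries neither path nor suffix.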