| ID | Name |
|---|---|
| T1569.001 | Launchctl |
| T1569.002 | Service Execution |
| T1569.003 | Systemctl |
Adversaries may abuse systemctl to execute commands or programs. systemctl is the command-line interface to systemd, the init system and service manager used by most Linux distributions. Typically invoked from a shell, systemctl can also be called from scripts or applications.
Adversaries may use systemctl to execute commands or programs as systemd services. Common subcommands include systemctl start, systemctl stop, systemctl enable, systemctl disable, and systemctl status.[1] Managing system-scope units normally requires root or polkit authorization, but unprivileged users can run their own units with systemctl --user, so abuse is not limited to privileged accounts.
| ID | Name | Description |
|---|---|---|
| G0139 | TeamTNT | TeamTNT has created system services to execute cryptocurrency mining software.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1018 | User Account Management | Limit user access to |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0073 | Detection Strategy for System Services: Systemctl | AN0200 | Abuse of systemctl to execute commands or manage systemd services. Defender perspective: correlate suspicious service creation or modification with execution of systemctl subcommands such as start, enable, or status. Detect cases where systemctl is used to load services from unusual locations (e.g., /tmp, /dev/shm) or where new service units are created outside of expected administrative workflows. |
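The following is an added example, not part of the ATT&CK page or of any detection product, showing how the analytic above could be applied to process-execution and file-write telemetry. It runs over a handful of constructed audit-style events and constructed unit-file contents; the event field names (`argv`, `pcomm`, `comm`, `path`), the unit contents, and the admin-tool and server-parent allowlists are assumptions for illustration and would need to be mapped to real auditd or EDR schemas and tuned per environment. It flags three of the patterns the analytic describes: a unit file written by something other than expected administrative tooling, an execution subcommand (start, enable, link, ...) whose unit references /tmp, /var/tmp or /dev/shm in an Exec* directive, and systemctl loading a unit directly from such a location. The Exec* scan looks at the whole directive value rather than only the first token, so a `/bin/sh -c '... /dev/shm/...'` wrapper does not hide the path.

```python
"""Toy detector for systemctl abuse (T1569.003) over constructed audit-style events.
Added example, not part of the ATT&CK page. Unit contents, event fields and the
allowlists below are assumptions for illustration."""
import os
import re

# Paths under staging directories commonly used by droppers (the locations
# named in the analytic). Scanned as substrings so shell wrappers cannot hide them.
SUSPICIOUS_PATH = re.compile(r'''(?:/tmp|/var/tmp|/dev/shm)/[^\s'"]+''')
# Subcommands that cause systemd to run a unit's Exec* lines or load a new unit.
EXEC_SUBCOMMANDS = {"start", "restart", "reload-or-restart", "enable", "reenable", "link"}
# Assumed allowlists; tune for the environment.
ADMIN_TOOLS = {"dpkg", "rpm", "apt-get", "ansible", "puppet", "chef-client"}
SERVER_PARENTS = {"php-fpm", "apache2", "nginx", "httpd", "java", "node"}

# Constructed unit files as they might be read from /etc/systemd/system.
UNIT_FILES = {
    "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
    "kthreadd.service": (
        "[Service]\n"
        "ExecStartPre=/bin/sh -c 'chmod +x /dev/shm/.x/kthreadd'\n"
        "ExecStart=/dev/shm/.x/kthreadd --config /tmp/.cfg\n"
    ),
}

# Constructed events: exec records carry argv and the parent's comm name,
# file_write records carry the written path and the writing process's comm.
EVENTS = [
    {"type": "exec", "uid": 0, "pcomm": "sshd", "argv": ["systemctl", "restart", "cron.service"]},
    {"type": "file_write", "uid": 0, "comm": "bash", "path": "/etc/systemd/system/kthreadd.service"},
    {"type": "exec", "uid": 0, "pcomm": "bash", "argv": ["systemctl", "daemon-reload"]},
    {"type": "exec", "uid": 0, "pcomm": "bash", "argv": ["systemctl", "enable", "--now", "kthreadd.service"]},
    {"type": "exec", "uid": 33, "pcomm": "php-fpm", "argv": ["/bin/systemctl", "link", "/tmp/.X11/update.service"]},
    {"type": "exec", "uid": 0, "pcomm": "sshd", "argv": ["systemctl", "status", "nginx"]},
]


def parse_systemctl(argv):
    """Split a systemctl argv into (subcommand, unit arguments), ignoring options."""
    if not argv or os.path.basename(argv[0]) != "systemctl":
        return None, []
    sub, units = None, []
    for tok in argv[1:]:
        if tok.startswith("-"):
            continue
        if sub is None:
            sub = tok
        else:
            units.append(tok)
    return sub, units


def suspicious_exec_paths(unit_text):
    """Paths under /tmp, /var/tmp or /dev/shm referenced by any Exec* directive."""
    found = []
    for line in unit_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip().startswith("Exec"):
            for p in SUSPICIOUS_PATH.findall(val):
                if p not in found:
                    found.append(p)
    return found


def analyze(event, unit_files=UNIT_FILES):
    """Return a list of finding strings for one event (empty when nothing fired)."""
    findings = []
    if event["type"] == "file_write":
        if event["path"].endswith(".service") and event["comm"] not in ADMIN_TOOLS:
            findings.append(f"unit file {event['path']} written by {event['comm']} outside admin tooling")
        return findings
    sub, units = parse_systemctl(event["argv"])
    if sub not in EXEC_SUBCOMMANDS:
        return findings  # status, list-units, daemon-reload etc. do not run a unit by themselves
    if event.get("pcomm") in SERVER_PARENTS:
        findings.append(f"systemctl {sub} spawned by {event['pcomm']} (uid {event['uid']})")
    for u in units:
        if SUSPICIOUS_PATH.match(u):
            findings.append(f"systemctl {sub} loads unit from unusual location {u}")
        bad = suspicious_exec_paths(unit_files.get(os.path.basename(u), ""))
        if bad:
            findings.append(f"systemctl {sub} {u}: Exec* references {', '.join(bad)}")
    return findings


def run(events=EVENTS):
    """Analyze every event; return {event_index: findings} for events that fired."""
    return {i: f for i, e in enumerate(events) if (f := analyze(e))}


if __name__ == "__main__":
    for i, f in run().items():
        print(i, *f, sep="\n  ")
```

Correlation is left to the caller: in practice the file_write finding for kthreadd.service and the later `systemctl enable --now kthreadd.service` from the same session would be joined on host and time window, which is the sequence the analytic asks for. Reading unit contents at detection time also matters because `systemctl enable` on its own looks identical for a legitimate unit and for one whose ExecStart points into /dev/shm.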