1. Home
  2. Techniques
  3. Enterprise
  4. System Services
  5. Systemctl

System Services: Systemctl

ID Name
T1569.001 Launchctl
T1569.002 Service Execution
T1569.003 Systemctl

Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.

Adversaries may use systemctl to execute commands or programs as Systemd Services. Common subcommands include: systemctl start, systemctl stop, systemctl enable, systemctl disable, and systemctl status.[1]

ID: T1569.003
Sub-technique of:  T1569
Tactic: Execution
Platforms: Linux
Version: 1.0
Created: 18 March 2025
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
G0139 TeamTNT

TeamTNT has created system services to execute cryptocurrency mining software.[2]

Mitigations

ID Mitigation Description
M1018 User Account Management

Limit user access to systemctl to only users who have a legitimate need.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor the execution of the systemctl command, focusing on subcommands such as start and enable, that may be used by adversaries to load system services.

Analytic 1 - Suspicious command execution of systemctl

sourcetype=auditd OR sourcetype=sysmon_linux(command="systemctl" AND (command="start" OR command="enable"))| stats count by host, user, command, parent_process, _time| where user!="root" AND NOT match(command, "expected_service")| sort -_time
DS0022 File File Modification

Every systemd service must have a corresponding unit file on disk which can be monitored. Unit files are located in the /etc/systemd/system, /usr/lib/systemd/system/, and /home/$username/.config/systemd/user/ directories.

Analytic 1 - suspicious modification of service unit files

sourcetype=auditd(path IN ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/home//.config/systemd/user/") AND (syscall="open" OR syscall="write"))| stats count by file_path, user, process_name, _time| where NOT match(file_path, "expected_admin_changes")| sort -_time
DS0009 Process Process Creation

Monitor for newly executed daemons that may abuse systemctl to execute commands or programs.

Analytic 1 - suspicious process execution of systemctl

sourcetype=sysmon_linux OR sourcetype=auditd(parent_process="systemd" OR process_name="daemon")| stats count by process_name, parent_process, user, cmdline, _time| where user!="root" AND NOT match(cmdline, "known_daemon_pattern")| sort -_time

DS0019 Service Service Creation

Monitor the creation or modification of system services via the systemctl command.

Analytic 1 - suspicious systemctl service creation

sourcetype=auditd(command="systemctl" AND command="enable" OR command="create")| stats count by user, command, process_name, _time| where NOT match(command, "whitelisted_services")| sort -_time

References

  1. Damon Garn. (2022, May 17). How to use systemctl to manage Linux services. Retrieved March 18, 2025.
  1. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.