T1569.003

Systemctl

Adversaries may abuse systemctl to execute commands or programs as systemd services on Linux systems. Systemctl is the primary interface for systemd, the Linux init system and service manager. By crafting malicious service unit files and using systemctl start, enable, and daemon-reload, adversaries can execute arbitrary code immediately and establish persistent execution across reboots. Real-world abuse patterns include TeamTNT deploying cryptocurrency mining services, threat actors writing reverse shell service units pointing to payloads in /dev/shm or /tmp, and web shell compromise chains where an attacker-controlled web process creates a privileged service for lateral movement or persistence. Common subcommands used in attacks include: systemctl start, systemctl enable, systemctl daemon-reload, and systemctl link.

Microsoft Sentinel / Defender

kusto

let PackageManagers = dynamic(["dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "snap", "packagekitd", "zypper", "pacman", "pip", "pip3", "conda", "flatpak"]);
let SuspiciousParents = dynamic(["apache2", "nginx", "httpd", "php-fpm", "php", "node", "nodejs", "java", "python", "python3", "ruby", "perl", "gunicorn", "uwsgi", "lighttpd", "caddy", "haproxy"]);
let SuspiciousServiceContentPatterns = dynamic(["/tmp/", "/dev/shm/", "/var/tmp/", "wget ", "curl ", " nc ", "bash -i", "sh -i", "python -c", "perl -e", "ruby -e", "base64 -d", "xmrig", "minerd", "cpuminer", "mkfifo", "/dev/tcp/"]);
// Branch 1: systemctl invoked directly from web server, application server, or interpreter process
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "systemctl"
| where ProcessCommandLine has_any ("start", "enable", "daemon-reload", "link")
| where InitiatingProcessFileName has_any (SuspiciousParents)
    or InitiatingProcessParentFileName has_any (SuspiciousParents)
| extend DetectionBranch = "WebApp_Process_Spawned_Systemctl"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionBranch
| union (
    // Branch 2: New .service unit file written to systemd directories by non-package-manager
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FolderPath has_any ("/etc/systemd/system/", "/lib/systemd/system/", "/usr/lib/systemd/system/", "/run/systemd/system/")
    | where FileName endswith ".service"
    | where not (InitiatingProcessFileName has_any (PackageManagers))
    | where InitiatingProcessFileName has_any (SuspiciousParents)
        or InitiatingProcessCommandLine has_any (SuspiciousServiceContentPatterns)
        or InitiatingProcessParentFileName has_any (SuspiciousParents)
    | extend DetectionBranch = "Suspicious_Service_Unit_File_Created"
    | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
              ProcessCommandLine=InitiatingProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, DetectionBranch
)
| union (
    // Branch 3: systemctl run by non-root non-admin user with enable or link (escalation attempt)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "systemctl"
    | where ProcessCommandLine has_any ("enable", "link", "daemon-reload")
    | where AccountName !in~ ("root", "_", "systemd", "daemon")
    | where not (InitiatingProcessFileName has_any (PackageManagers))
    | where InitiatingProcessParentFileName !in~ ("sshd", "login", "su", "sudo", "tmux", "screen")
    | extend DetectionBranch = "Unprivileged_Systemctl_Service_Enable"
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, DetectionBranch
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Command: Command Execution Microsoft Defender for Endpoint (Linux)

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

System administrators manually creating or enabling services via SSH sessions — parent process will be bash/sh spawned from sshd, not a web process, but may still trigger Branch 3
Configuration management tools (Ansible, Chef, Puppet, SaltStack) that connect over SSH and run systemctl to manage services — typically run as root with known service names
Software installation scripts (npm postinstall, Python setup.py, Go install) that register services as part of legitimate package installation
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build and deploy software including service registration steps
Container build processes that pre-populate systemd units inside container images as part of Docker RUN steps

Splunk

spl

index=linux_audit sourcetype="linux_audit" type=EXECVE
| search (a0="systemctl" OR a0="/bin/systemctl" OR a0="/usr/bin/systemctl")
| eval systemctl_action=coalesce(a1, "")
| eval service_arg=coalesce(a2, a3, "")
| where systemctl_action IN ("start", "enable", "daemon-reload", "link", "mask")
| eval SuspiciousServiceName=if(
    match(service_arg, "(\.sh\.service|\.py\.service|\.pl\.service|\/tmp\/|\/dev\/shm\/)") OR
    match(service_arg, "(xmrig|minerd|cpuminer|kworker[^d]|cryptominer|backdoor|revshell|netcat|ncat)"),
    1, 0
  )
| eval HighRiskAction=if(systemctl_action IN ("enable", "link") AND SuspiciousServiceName=1, 1, 0)
| eval RiskScore=SuspiciousServiceName + HighRiskAction
| join type=left pid [search index=linux_audit sourcetype="linux_audit" type=SYSCALL
    | eval pid=tostring(pid)
    | fields host, pid, ppid, comm, exe, uid, auid
    | rename ppid as parent_pid
  ]
| eval SuspiciousParentProcess=if(
    match(coalesce(comm, ""), "(apache2|nginx|httpd|php|php-fpm|node|java|python|python3|ruby|perl|gunicorn|uwsgi)"),
    1, 0
  )
| eval RiskScore=RiskScore + SuspiciousParentProcess
| table _time, host, user, uid, auid, systemctl_action, service_arg, comm, exe,
        SuspiciousServiceName, HighRiskAction, SuspiciousParentProcess, RiskScore, _raw
| sort - _time
| union [
    search index=syslog (sourcetype="syslog" OR sourcetype="linux_syslog") process="systemd"
    | search "Created symlink" "/etc/systemd/system/"
    | eval RiskScore=1
    | eval systemctl_action="enable"
    | eval service_arg=replace(_raw, ".*Created symlink.*?([\w\-\.]+\.service).*", "\1")
    | eval SuspiciousServiceName=if(
        match(service_arg, "(xmrig|miner|backdoor|revshell|netcat)"), 1, 0
      )
    | table _time, host, sourcetype, systemctl_action, service_arg, SuspiciousServiceName, RiskScore, _raw
  ]

high severity medium confidence

Data Sources

Process: Process Creation Linux auditd EXECVE records Syslog: systemd journal messages

Required Sourcetypes

linux_audit syslog

False Positives

Legitimate service management by system administrators via SSH — auditd will log these with auid matching the admin's UID
Automated configuration management runs by Ansible/Puppet/Chef that use systemctl to enable services — typically have recognizable process chains
Software installation via apt/yum/dnf that registers systemd services as post-install hooks — comm field will show package manager or its sub-processes
Monitoring and deployment agents (Datadog, New Relic, Elastic) that manage their own systemd service units during installation and updates
Developer workstations where users routinely create and manage local systemd --user services for development services

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
[
  any where event.category == "process" and
  process.name == "systemctl" and
  process.args : ("start", "enable", "daemon-reload", "link") and
  (
    process.parent.name : ("apache2", "nginx", "httpd", "php-fpm", "php", "node", "nodejs", "java", "python", "python3", "ruby", "perl", "gunicorn", "uwsgi", "lighttpd", "caddy", "haproxy") or
    process.parent.parent.name : ("apache2", "nginx", "httpd", "php-fpm", "php", "node", "nodejs", "java", "python", "python3", "ruby", "perl", "gunicorn", "uwsgi")
  )
] by process.parent.pid

/* Branch 2: Suspicious service unit file drop */
any where event.category == "file" and
event.type in ("creation", "change") and
file.extension == "service" and
file.path : ("/etc/systemd/system/*", "/lib/systemd/system/*", "/usr/lib/systemd/system/*", "/run/systemd/system/*") and
not process.name : ("dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "snap", "packagekitd", "zypper", "pacman", "pip", "pip3", "conda", "flatpak") and
(
  process.name : ("apache2", "nginx", "httpd", "php", "node", "java", "python", "python3", "ruby", "perl", "curl", "wget", "bash", "sh") or
  process.args : ("/tmp/*", "/dev/shm/*", "/var/tmp/*", "wget *", "curl *", "nc *", "bash -i", "sh -i", "python -c", "perl -e", "base64 -d", "xmrig", "minerd")
)

/* Branch 3: Unprivileged systemctl enable/link */
process where event.category == "process" and
process.name == "systemctl" and
process.args : ("enable", "link", "daemon-reload") and
not user.name : ("root", "_", "systemd", "daemon") and
not process.parent.name : ("dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "snap", "packagekitd", "zypper", "pacman") and
not process.parent.name : ("sshd", "login", "su", "sudo", "tmux", "screen")

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat Linux process events Linux file events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* auditbeat-*

False Positives

Legitimate configuration management tools (Ansible, Chef, Puppet, Salt) that deploy systemd service units as part of authorized infrastructure automation may match Branch 2
Container entrypoint scripts or init systems inside Docker containers that call systemctl during startup can trigger Branch 3 if running as non-root
Developer environments where application developers run their own services via systemctl --user may trigger Branch 3 false positives; filter by user or working directory context
Monitoring agents (Datadog, New Relic, Dynatrace) installed via web-hosted scripts that create and enable their own service units will match Branch 2

IBM QRadar (AQL)

sql

/* Branch 1: Web/App process spawning systemctl */
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username" AS actor_user,
  "hostname" AS device_name,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  'WebApp_Process_Spawned_Systemctl' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (
  SELECT id FROM SDE_LogSourceType WHERE name ILIKE '%linux%' OR name ILIKE '%auditd%' OR name ILIKE '%syslog%'
)
AND ("Process Name" ILIKE '%systemctl%' OR "Command" ILIKE '%systemctl%')
AND (
  "Command" ILIKE '%start%' OR "Command" ILIKE '%enable%' OR
  "Command" ILIKE '%daemon-reload%' OR "Command" ILIKE '%link%'
)
AND (
  "Parent Process Name" ILIKE ANY ('%apache2%','%nginx%','%httpd%','%php%','%node%','%java%','%python%','%ruby%','%perl%','%gunicorn%','%uwsgi%')
  OR "Grandparent Process Name" ILIKE ANY ('%apache2%','%nginx%','%httpd%','%php%','%node%','%java%','%python%','%ruby%','%perl%')
)
AND devicetime > (NOW() - 86400000)

UNION ALL

/* Branch 2: Suspicious service unit file written to systemd directories */
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username" AS actor_user,
  "hostname" AS device_name,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "File Path" AS command_line,
  "Parent Process Name" AS parent_process,
  'Suspicious_Service_Unit_File_Created' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (
  SELECT id FROM SDE_LogSourceType WHERE name ILIKE '%linux%' OR name ILIKE '%auditd%'
)
AND (
  "File Path" ILIKE '/etc/systemd/system/%.service' OR
  "File Path" ILIKE '/lib/systemd/system/%.service' OR
  "File Path" ILIKE '/usr/lib/systemd/system/%.service' OR
  "File Path" ILIKE '/run/systemd/system/%.service'
)
AND NOT (
  "Process Name" ILIKE ANY ('%dpkg%','%apt%','%rpm%','%yum%','%dnf%','%snap%','%zypper%','%pacman%','%pip%','%conda%','%flatpak%')
)
AND (
  "Process Name" ILIKE ANY ('%apache2%','%nginx%','%httpd%','%php%','%node%','%java%','%python%','%ruby%','%perl%','%curl%','%wget%','%bash%') OR
  "Command" ILIKE ANY ('%/tmp/%','%/dev/shm/%','%/var/tmp/%','%wget %','%curl %','% nc %','%bash -i%','%xmrig%','%minerd%','%base64 -d%')
)
AND devicetime > (NOW() - 86400000)

UNION ALL

/* Branch 3: Unprivileged systemctl enable/link */
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username" AS actor_user,
  "hostname" AS device_name,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  'Unprivileged_Systemctl_Service_Enable' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (
  SELECT id FROM SDE_LogSourceType WHERE name ILIKE '%linux%' OR name ILIKE '%auditd%'
)
AND ("Process Name" ILIKE '%systemctl%' OR "Command" ILIKE '%systemctl%')
AND ("Command" ILIKE '%enable%' OR "Command" ILIKE '%link%' OR "Command" ILIKE '%daemon-reload%')
AND "username" NOT ILIKE ANY ('%root%','%_systemd%','%daemon%')
AND NOT "Process Name" ILIKE ANY ('%dpkg%','%apt%','%rpm%','%yum%','%dnf%','%snap%','%zypper%','%pacman%','%pip%','%conda%')
AND NOT "Parent Process Name" ILIKE ANY ('%sshd%','%login%','% su %','%sudo%','%tmux%','%screen%')
AND devicetime > (NOW() - 86400000)
ORDER BY event_time DESC

high severity medium confidence

Data Sources

IBM QRadar Linux Audit (auditd) Linux syslog QRadar Linux Log Source

Required Tables

events

False Positives

Automated deployment pipelines (Jenkins, GitLab CI, GitHub Actions self-hosted runners) executing systemctl commands as service accounts with limited privileges — whitelist known CI/CD service account usernames
Linux-based application installers that run as www-data or similar web service accounts and call systemctl during post-install configuration steps
Container orchestration systems (Kubernetes DaemonSet deployments, Docker with systemd integration) that create service units programmatically as part of node bootstrapping

Sumo Logic CSE

sql

/* Branch 1: Web/App process spawning systemctl */
(_sourceCategory=linux/audit OR _sourceCategory=linux/syslog OR _sourceCategory=endpoint/linux)
| where type = "EXECVE" OR _raw matches /systemctl/
| parse regex field=_raw "a0=\"?(?<a0>[^\"\s]+)" nodrop
| parse regex field=_raw "a1=\"?(?<a1>[^\"\s]+)" nodrop
| parse regex field=_raw "a2=\"?(?<a2>[^\"\s]+)" nodrop
| parse regex field=_raw "comm=\"?(?<comm>[^\"\s]+)" nodrop
| parse regex field=_raw "exe=\"?(?<exe>[^\"\s]+)" nodrop
| parse regex field=_raw "uid=(?<uid>\d+)" nodrop
| parse regex field=_raw "ppid=(?<ppid>\d+)" nodrop
| where (a0 = "systemctl" OR a0 = "/bin/systemctl" OR a0 = "/usr/bin/systemctl")
| where a1 in ("start", "enable", "daemon-reload", "link", "mask")
| where comm matches /apache2|nginx|httpd|php|php-fpm|node|java|python|python3|ruby|perl|gunicorn|uwsgi|lighttpd|caddy|haproxy/
| eval detection_branch = "WebApp_Process_Spawned_Systemctl"
| eval risk_score = 3
| fields _messageTime, _sourceHost, uid, comm, exe, a1, a2, detection_branch, risk_score

/* Branch 2: Service unit file creation in systemd directories */
| union (_sourceCategory=linux/audit OR _sourceCategory=endpoint/linux
  | where type = "PATH" OR type = "CREATE"
  | parse regex field=_raw "name=\"?(?<file_path>[^\"\s]+)" nodrop
  | parse regex field=_raw "comm=\"?(?<comm>[^\"\s]+)" nodrop
  | parse regex field=_raw "exe=\"?(?<exe>[^\"\s]+)" nodrop
  | parse regex field=_raw "uid=(?<uid>\d+)" nodrop
  | where file_path matches /\/(etc|lib|usr\/lib|run)\/systemd\/system\/.*\.service/
  | where !(comm matches /dpkg|apt|apt-get|rpm|yum|dnf|snap|packagekitd|zypper|pacman|pip|pip3|conda|flatpak/)
  | where (comm matches /apache2|nginx|httpd|php|node|java|python|ruby|perl|curl|wget|bash|sh/
    OR exe matches /\/tmp/|\/dev/shm/|\/var/tmp//
    OR _raw matches /xmrig|minerd|cpuminer|mkfifo|\/dev/tcp\/|base64 -d/)
  | eval detection_branch = "Suspicious_Service_Unit_File_Created"
  | eval risk_score = 4
  | fields _messageTime, _sourceHost, uid, comm, exe, file_path, detection_branch, risk_score
)

/* Branch 3: Unprivileged systemctl enable */
| union (_sourceCategory=linux/audit
  | where type = "EXECVE"
  | parse regex field=_raw "a0=\"?(?<a0>[^\"\s]+)" nodrop
  | parse regex field=_raw "a1=\"?(?<a1>[^\"\s]+)" nodrop
  | parse regex field=_raw "comm=\"?(?<comm>[^\"\s]+)" nodrop
  | parse regex field=_raw "uid=(?<uid>\d+)" nodrop
  | parse regex field=_raw "auid=(?<auid>\d+)" nodrop
  | where (a0 = "systemctl" OR a0 = "/bin/systemctl" OR a0 = "/usr/bin/systemctl")
  | where a1 in ("enable", "link", "daemon-reload")
  | where uid != "0" AND auid !in ("4294967295", "0")
  | where !(comm matches /dpkg|apt|rpm|yum|dnf|snap|zypper|pacman|pip|conda/)
  | where !(comm matches /sshd|login|su$|sudo|tmux|screen/)
  | eval detection_branch = "Unprivileged_Systemctl_Service_Enable"
  | eval risk_score = 2
  | fields _messageTime, _sourceHost, uid, auid, comm, a1, detection_branch, risk_score
)

| sort by risk_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Linux Audit (auditd via syslog) Sumo Logic Installed Collector on Linux hosts

Required Tables

linux/audit linux/syslog endpoint/linux

False Positives

Orchestration and provisioning agents (Puppet, SaltStack, Ansible executed via sudo as web-service accounts) that deploy application service units as part of change management workflows — apply allowlist on known automation account names or originating IPs
systemd user-unit management by developers running applications in user session space (systemctl --user) where uid is non-zero; filter on args containing '--user' flag
Security monitoring agents (Wazuh, OSSEC, CrowdStrike) that install themselves as systemd services during initial deployment and run their installer from non-standard parent processes

Google Chronicle / SecOps

yaral

rule t1569_003_systemctl_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1569.003 - malicious systemctl abuse for persistence or code execution. Covers web process spawning systemctl, suspicious service unit file creation, and unprivileged service enablement."
    mitre_attack_tactic = "Execution, Persistence"
    mitre_attack_technique = "T1569.003"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-21"
    platform = "Linux"

  events:
    // Branch 1: Web/app server spawning systemctl
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.target.process.file.full_path = /\/bin\/systemctl|\/usr\/bin\/systemctl$|^systemctl$/
    (
      $e1.target.process.command_line = /\bstart\b/ or
      $e1.target.process.command_line = /\benable\b/ or
      $e1.target.process.command_line = /daemon-reload/ or
      $e1.target.process.command_line = /\blink\b/
    )
    (
      $e1.principal.process.file.full_path = /apache2|nginx|httpd|php-fpm|php|node|nodejs|java|python3?|ruby|perl|gunicorn|uwsgi|lighttpd|caddy|haproxy/ or
      $e1.principal.process.parent_process.file.full_path = /apache2|nginx|httpd|php-fpm|php|node|nodejs|java|python3?|ruby|perl|gunicorn|uwsgi/
    )
    $e1.principal.hostname = $hostname
    $detection_branch1 = "WebApp_Process_Spawned_Systemctl"

  match:
    $hostname over 5m

  condition:
    $e1
}

rule t1569_003_service_unit_file_drop {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious .service unit files written to systemd directories by non-package-manager or web-process parents — a key indicator of TeamTNT-style cryptomining or reverse shell persistence."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1569.003"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-21"
    platform = "Linux"

  events:
    $e2.metadata.event_type = "FILE_CREATION"
    $e2.target.file.full_path = /^\/etc\/systemd\/system\/.*\.service$|^\/lib\/systemd\/system\/.*\.service$|^\/usr\/lib\/systemd\/system\/.*\.service$|^\/run\/systemd\/system\/.*\.service$/
    not $e2.principal.process.file.full_path = /dpkg|apt-get|apt|rpm|yum|dnf|snap|packagekitd|zypper|pacman|pip3?|conda|flatpak/
    (
      $e2.principal.process.file.full_path = /apache2|nginx|httpd|php|node|java|python3?|ruby|perl|curl|wget|bash|sh$/ or
      $e2.principal.process.command_line = /\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|wget |curl | nc |bash -i|sh -i|python -c|perl -e|base64 -d|xmrig|minerd|cpuminer|mkfifo|\/dev\/tcp\//
    )
    $e2.principal.hostname = $hostname2

  match:
    $hostname2 over 1m

  condition:
    $e2
}

rule t1569_003_unprivileged_service_enable {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects non-root, non-system accounts invoking systemctl enable, link, or daemon-reload outside of package manager or interactive login session context — indicates privilege escalation attempt or persistence by low-privilege compromised account."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1569.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-21"
    platform = "Linux"

  events:
    $e3.metadata.event_type = "PROCESS_LAUNCH"
    $e3.target.process.file.full_path = /\/bin\/systemctl|\/usr\/bin\/systemctl$|^systemctl$/
    (
      $e3.target.process.command_line = /\benable\b/ or
      $e3.target.process.command_line = /\blink\b/ or
      $e3.target.process.command_line = /daemon-reload/
    )
    not $e3.principal.user.userid = "root"
    not $e3.principal.user.userid = /^_|^systemd|^daemon/
    not $e3.principal.process.file.full_path = /dpkg|apt|rpm|yum|dnf|snap|zypper|pacman|pip3?|conda|flatpak/
    not $e3.principal.process.parent_process.file.full_path = /\/usr\/sbin\/sshd|^\/bin\/login$|^\/bin\/su$|^\/usr\/bin\/sudo$|tmux|screen/
    $e3.principal.hostname = $hostname3

  match:
    $hostname3 over 10m

  condition:
    $e3
}

high severity high confidence

Data Sources

Google Chronicle Google Chronicle Unified Data Model (UDM) Linux Endpoint telemetry via Chronicle forwarder auditd or EDR agent feeding Chronicle

Required Tables

UDM events: PROCESS_LAUNCH, FILE_CREATION

False Positives

CI/CD pipeline runners (GitHub Actions, GitLab CI, Jenkins) that execute as www-data or application service accounts and call systemctl as part of automated deployment scripts — add runner hostname patterns to exclusion lists in rule meta conditions
Container-based workloads using systemd inside containers (systemd-nspawn, podman with --systemd=true) where web-facing processes legitimately manage container-internal services via systemctl
Third-party software installation scripts (e.g., Elastic Agent, Datadog Agent, CrowdStrike Falcon installer) that run from temporary download paths and create .service files — correlate with known installer hashes to suppress

CrowdStrike LogScale (CQL)

cql

// Branch 1: Web/App process spawning systemctl
#event_simpleName = ProcessRollup2
| FileName = "systemctl" OR ImageFileName = /\/bin\/systemctl|\/usr\/bin\/systemctl/
| CommandLine = /(\bstart\b|\benable\b|daemon-reload|\blink\b)/
| ParentBaseFileName = /apache2|nginx|httpd|php-fpm|php|node(js)?|java|python3?|ruby|perl|gunicorn|uwsgi|lighttpd|caddy|haproxy/
    OR GrandparentBaseFileName = /apache2|nginx|httpd|php-fpm|php|node(js)?|java|python3?|ruby|perl|gunicorn|uwsgi/
| eval detection_branch = "WebApp_Process_Spawned_Systemctl"
| eval risk_score = 3
| table(_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, GrandparentBaseFileName, detection_branch, risk_score)

// Branch 2: Suspicious service unit file creation in systemd directories
| union (
  #event_simpleName = /^(PeFileWritten|SyntheticProcessRollup2|NewExecutableWritten|FileOpenInfo)/
  | TargetFileName = /^\/(etc|lib|usr\/lib|run)\/systemd\/system\/.+\.service$/
  | NOT ParentBaseFileName = /dpkg|apt-get|apt|rpm|yum|dnf|snap|packagekitd|zypper|pacman|pip3?|conda|flatpak/
  | ParentBaseFileName = /apache2|nginx|httpd|php|node|java|python3?|ruby|perl|curl|wget|bash$|\bsh$/
      OR ParentCommandLine = /\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|wget |curl | nc |bash -i|sh -i|python -c|perl -e|base64 -d|xmrig|minerd|cpuminer|mkfifo|\/dev\/tcp\//
  | eval detection_branch = "Suspicious_Service_Unit_File_Created"
  | eval risk_score = 4
  | table(_time, ComputerName, UserName, TargetFileName, ParentBaseFileName, ParentCommandLine, detection_branch, risk_score)
)

// Branch 3: Unprivileged user enabling/linking services
| union (
  #event_simpleName = ProcessRollup2
  | FileName = "systemctl" OR ImageFileName = /\/bin\/systemctl|\/usr\/bin\/systemctl/
  | CommandLine = /(\benable\b|\blink\b|daemon-reload)/
  | NOT UserName = /^root$|^_|^systemd|^daemon/
  | NOT ParentBaseFileName = /dpkg|apt|rpm|yum|dnf|snap|zypper|pacman|pip3?|conda|flatpak/
  | NOT ParentBaseFileName = /sshd|login|\bsu\b|sudo|tmux|screen/
  | eval detection_branch = "Unprivileged_Systemctl_Service_Enable"
  | eval risk_score = 2
  | table(_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, detection_branch, risk_score)
)

| sort(field=risk_score, order=desc)
| sort(field=@timestamp, order=desc)
| groupBy([ComputerName, UserName, detection_branch], function=[
    collect([CommandLine, ParentBaseFileName, risk_score]),
    count(as=event_count)
  ])
| where event_count >= 1

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale Falcon sensor process events Falcon sensor file events

Required Tables

ProcessRollup2 PeFileWritten SyntheticProcessRollup2 NewExecutableWritten

False Positives

Automated infrastructure provisioning tools running as web-service accounts (e.g., cloud-init, user_data scripts on EC2/GCP instances) that create and enable service units immediately after host boot — scope suppression to early boot window using ComputerName and BootId correlation
Development machine workflows where engineers run local web servers (Node.js, Python Flask/FastAPI) and manage associated systemd user services from the same terminal session — filter by UserName in developer LDAP groups or workstation asset tags
Security operations tools and monitoring agents that install as systemd services via a downloaded installer script (Wazuh, Elastic Agent, Datadog) where the installer binary runs from /tmp before moving to a permanent path — correlate with known installer binary hashes to suppress

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1569.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Systemctl

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections