Detect Systemctl in Elastic Security
Adversaries may abuse systemctl to execute commands or programs as systemd services on Linux systems. Systemctl is the primary command-line interface to systemd, the init system and service manager on most modern Linux distributions. By writing a malicious service unit file and then running systemctl daemon-reload (so systemd picks up the new or changed unit), systemctl enable (which creates the symlink under the target's .wants directory that makes the unit start at boot) and systemctl start, an adversary gets immediate code execution and persistence across reboots in three commands; systemctl link registers a unit file that lives outside the standard unit directories, which lets the payload stay in an unexpected location. Real-world abuse patterns include TeamTNT deploying cryptocurrency mining services, threat actors writing reverse shell service units whose ExecStart points at payloads in /dev/shm or /tmp, and web shell compromise chains in which an attacker-controlled web server process creates a privileged service for persistence or lateral movement. The subcommands that matter for detection are therefore systemctl start, systemctl enable, systemctl daemon-reload and systemctl link.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1569 System Services
- Sub-technique: T1569.003 Systemctl
- Canonical reference: https://attack.mitre.org/techniques/T1569/003/
Elastic Detection Query
The three branches below are independent EQL queries. EQL cannot OR a sequence together with plain event queries in a single query, so deploy each branch as its own rule. If you want the five-minute correlation that the original sequence wrapper hinted at, put Branch 2 and a systemctl process query into two sequence subqueries joined by host.id with maxspan=5m; a sequence with a single subquery, as the page previously showed, matches nothing useful.

/* Branch 1: Web or application server process spawning systemctl */
process where event.category == "process" and
process.name == "systemctl" and
process.args : ("start", "enable", "daemon-reload", "link") and
(
process.parent.name : ("apache2", "nginx", "httpd", "php-fpm", "php", "node", "nodejs", "java", "python", "python3", "ruby", "perl", "gunicorn", "uwsgi", "lighttpd", "caddy", "haproxy") or
process.parent.parent.name : ("apache2", "nginx", "httpd", "php-fpm", "php", "node", "nodejs", "java", "python", "python3", "ruby", "perl", "gunicorn", "uwsgi")
)

/* Branch 2: Suspicious service unit file drop */
file where event.category == "file" and
event.type in ("creation", "change") and
file.extension == "service" and
file.path : ("/etc/systemd/system/*", "/lib/systemd/system/*", "/usr/lib/systemd/system/*", "/run/systemd/system/*") and
not process.name : ("dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "snap", "packagekitd", "zypper", "pacman", "pip", "pip3", "conda", "flatpak") and
(
process.name : ("apache2", "nginx", "httpd", "php", "node", "java", "python", "python3", "ruby", "perl", "curl", "wget", "bash", "sh") or
process.args : ("/tmp/*", "/dev/shm/*", "/var/tmp/*", "wget *", "curl *", "nc *", "bash -i", "sh -i", "python -c", "perl -e", "base64 -d", "xmrig", "minerd")
)

/* Branch 3: Unprivileged systemctl enable/link/daemon-reload */
process where event.category == "process" and
process.name == "systemctl" and
process.args : ("enable", "link", "daemon-reload") and
not user.name : ("root", "_", "systemd", "daemon") and
not process.parent.name : ("dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "snap", "packagekitd", "zypper", "pacman") and
not process.parent.name : ("sshd", "login", "su", "sudo", "tmux", "screen")

Detects abuse of systemctl to establish persistence or execute code via malicious systemd service units. The three branches cover three attack patterns: (1) a web or application server process (or its child) spawning systemctl, the signature of a web shell or RCE turned into service persistence; (2) a .service file written into one of the systemd unit directories by something other than a package manager, where either the writer itself is a web, scripting or download tool or its command line references a scratch directory, a downloader, a reverse shell idiom or a known miner name; (3) an unprivileged account running enable, link or daemon-reload, which for system units requires root or a polkit grant, so a hit is either an escalation attempt from a compromised low-privilege account or a user unit that should be excluded by the --user flag (see tuning). Branch 2 inspects only the path and the writing process's arguments, not the contents of the unit file; a unit whose ExecStart points at /tmp is only caught if /tmp also appears on the writer's command line. The patterns follow TTPs reported for TeamTNT and similar actors deploying cryptomining or reverse shell services.
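The following is an added reference implementation of the three branches, not Elastic code and not part of the original rule package. It mirrors the EQL predicates in Python (the `:` operator as a case-insensitive wildcard match, `process.args` matched element by element) and runs them over constructed ECS-style events that model the test scenarios further down the page, so you can see exactly which branch a given event trips before the rule is deployed. The event dicts, user names and unit names are constructed for the example.

```python
"""Reference implementation of the three systemctl detection branches over
constructed ECS-style events. Added example; not Elastic's rule code."""
from fnmatch import fnmatchcase

# Lists copied from the EQL branches above.
WEB_PARENTS = ("apache2", "nginx", "httpd", "php-fpm", "php", "node", "nodejs", "java",
               "python", "python3", "ruby", "perl", "gunicorn", "uwsgi", "lighttpd",
               "caddy", "haproxy")
WEB_GRANDPARENTS = WEB_PARENTS[:-3]  # Branch 1's grandparent list omits the last three
PKG_MANAGERS = ("dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "snap", "packagekitd",
                "zypper", "pacman")
INSTALLERS = PKG_MANAGERS + ("pip", "pip3", "conda", "flatpak")
UNIT_DIRS = ("/etc/systemd/system/*", "/lib/systemd/system/*",
             "/usr/lib/systemd/system/*", "/run/systemd/system/*")
DROPPER_NAMES = ("apache2", "nginx", "httpd", "php", "node", "java", "python", "python3",
                 "ruby", "perl", "curl", "wget", "bash", "sh")
SUSPICIOUS_ARGS = ("/tmp/*", "/dev/shm/*", "/var/tmp/*", "wget *", "curl *", "nc *",
                   "bash -i", "sh -i", "python -c", "perl -e", "base64 -d", "xmrig", "minerd")
PRIVILEGED_USERS = ("root", "_", "systemd", "daemon")
SESSION_PARENTS = ("sshd", "login", "su", "sudo", "tmux", "screen")


def field(ev, dotted):
    """Walk a nested ECS dict, e.g. field(ev, "process.parent.name")."""
    cur = ev
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def like(value, patterns):
    """EQL ':' on a scalar: case-insensitive wildcard match against any pattern."""
    return isinstance(value, str) and any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def any_like(values, patterns):
    """EQL ':' on an array field such as process.args: true if any element matches."""
    return any(like(v, patterns) for v in (values or []))


def event_type_in(ev, types):
    et = field(ev, "event.type")
    return any(t in types for t in (et if isinstance(et, list) else [et]))


def branch1_web_spawned_systemctl(ev):
    return (field(ev, "event.category") == "process"
            and field(ev, "process.name") == "systemctl"
            and any_like(field(ev, "process.args"), ("start", "enable", "daemon-reload", "link"))
            and (like(field(ev, "process.parent.name"), WEB_PARENTS)
                 or like(field(ev, "process.parent.parent.name"), WEB_GRANDPARENTS)))


def branch2_unit_file_drop(ev):
    return (field(ev, "event.category") == "file"
            and event_type_in(ev, ("creation", "change"))
            and field(ev, "file.extension") == "service"
            and like(field(ev, "file.path"), UNIT_DIRS)
            and not like(field(ev, "process.name"), INSTALLERS)
            and (like(field(ev, "process.name"), DROPPER_NAMES)
                 or any_like(field(ev, "process.args"), SUSPICIOUS_ARGS)))


def branch3_unprivileged_enable(ev):
    return (field(ev, "event.category") == "process"
            and field(ev, "process.name") == "systemctl"
            and any_like(field(ev, "process.args"), ("enable", "link", "daemon-reload"))
            and not like(field(ev, "user.name"), PRIVILEGED_USERS)
            and not like(field(ev, "process.parent.name"), PKG_MANAGERS)
            and not like(field(ev, "process.parent.name"), SESSION_PARENTS))


BRANCHES = {"branch1": branch1_web_spawned_systemctl,
            "branch2": branch2_unit_file_drop,
            "branch3": branch3_unprivileged_enable}


def evaluate(ev):
    """Names of the branches that fire for one event, in branch order."""
    return [name for name, fn in BRANCHES.items() if fn(ev)]


# Constructed events (not captured telemetry) modelling the page's test cases.
SAMPLE_EVENTS = [
    {"event": {"category": "process", "type": ["start"]}, "user": {"name": "www-data"},  # web shell
     "process": {"name": "systemctl", "args": ["systemctl", "enable", "netconfig.service"],
                 "parent": {"name": "sh", "parent": {"name": "php-fpm"}}}},
    {"event": {"category": "file", "type": ["creation"]}, "user": {"name": "root"},  # unit from /tmp
     "file": {"path": "/etc/systemd/system/kworker-d.service", "extension": "service"},
     "process": {"name": "cp", "args": ["cp", "/tmp/df00tech-kworker.service",
                                        "/etc/systemd/system/kworker-d.service"]}},
    {"event": {"category": "file", "type": ["creation"]}, "user": {"name": "root"},  # benign dpkg
     "file": {"path": "/lib/systemd/system/nginx.service", "extension": "service"},
     "process": {"name": "dpkg", "args": ["dpkg", "--unpack", "nginx.deb"]}},
    {"event": {"category": "process", "type": ["start"]}, "user": {"name": "alice"},  # non-root enable
     "process": {"name": "systemctl", "args": ["systemctl", "enable", "--now", "updater.service"],
                 "parent": {"name": "bash", "parent": {"name": "tmux"}}}},
    {"event": {"category": "process", "type": ["start"]}, "user": {"name": "root"},  # admin over ssh
     "process": {"name": "systemctl", "args": ["systemctl", "daemon-reload"],
                 "parent": {"name": "bash", "parent": {"name": "sshd"}}}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(field(ev, "user.name"), field(ev, "process.args"), "->", evaluate(ev) or "no match")
```

The first constructed event trips Branch 1 through the grandparent clause (sh under php-fpm) and Branch 3 at the same time, which is the expected double hit for a web shell running under a service account; the dpkg write and the root daemon-reload over SSH fall through every branch.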
Data Sources
- Process events (event.category: process) carrying process.name, process.args, process.parent.name, user.name and, for Branch 1's second clause, process.parent.parent.name. Not every Linux data source populates the grandparent name; where it is absent that clause never matches and Branch 1 only sees systemctl spawned directly by the web process.
- File events (event.category: file; event.type: creation or change) for the four unit directories in Branch 2, with file.path, file.extension and the writing process's name and args. These need file monitoring of those directories (file integrity monitoring or an auditd watch on them); plain process telemetry does not produce them.
False Positives & Tuning
- Legitimate configuration management tools (Ansible, Chef, Puppet, Salt) that deploy systemd service units as part of authorized infrastructure automation match Branch 2 when the unit is written by a python or ruby interpreter; exclude by the agent's known process ancestry rather than by interpreter name, since interpreters are also what a web shell drops units with.
- Container entrypoint scripts or init systems inside Docker containers that call systemctl during startup can trigger Branch 3 if they run as non-root.
- Developer environments where application developers manage their own services with systemctl --user trigger Branch 3; user units do not need root, so adding `not process.args : "--user"` to Branch 3, or filtering by user or working directory context, removes them.
- Monitoring agents (Datadog, New Relic, Dynatrace) installed via web-hosted scripts (curl piped into sh) that create and enable their own service units match Branch 2 on both the process name and the curl argument pattern; allow-list the agent's unit paths.
Testing Methodology
Validate this detection against the four test cases below, written in the style of Atomic Red Team (the T1543.002 systemd atomics in the references are the closest published equivalents). Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create and Start Persistence Service with Benign Payload
Expected signal: Auditd PATH record: write to /etc/systemd/system/df00tech-persist.service. Auditd EXECVE records: (1) systemctl daemon-reload, (2) systemctl enable df00tech-persist.service, (3) systemctl start df00tech-persist.service. Syslog/journal: 'Created symlink /etc/systemd/system/multi-user.target.wants/df00tech-persist.service', 'Starting System Performance Monitor...', 'Started System Performance Monitor'. MDE DeviceFileEvents: file create in /etc/systemd/system/. MDE DeviceProcessEvents: systemctl invocations with daemon-reload and enable subcommands. Run as root, this test exercises Branch 2 only if the writing process or its arguments match the branch's lists; a plain root editor session does not, which is the intended baseline.
- Test 2: TeamTNT-Style Cryptomining Service Registration
Expected signal: Auditd PATH: write to /etc/systemd/system/kworker-d.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable kworker-d.service. Syslog: 'Created symlink...kworker-d.service'. MDE DeviceFileEvents: new .service file in /etc/systemd/system/ with InitiatingProcessCommandLine containing 'cp /tmp/df00tech-kworker.service'. Branch 2 fires on that cp because /tmp/df00tech-kworker.service in process.args matches the /tmp/* pattern; the 'pool.example.com:4444' string and the /tmp/ path inside ExecStart are unit-file content, which this rule does not inspect.
- Test 3: Reverse Shell Service Unit with /dev/shm Payload Path
Expected signal: Auditd PATH: write to /etc/systemd/system/netconfig.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable netconfig.service. Syslog: 'Created symlink...netconfig.service'. MDE DeviceFileEvents: new service file in /etc/systemd/system/; the /dev/shm reference is only detectable if file content is captured or if /dev/shm appears on the writing process's command line.
- Test 4: Web Process Spawning Systemctl (Web Shell Simulation)
Expected signal: Auditd EXECVE: systemctl daemon-reload with uid=33 (www-data on Debian/Ubuntu) or the current test UID. Auditd SYSCALL: uid/auid fields identifying the web process account. MDE DeviceProcessEvents: systemctl with AccountName=www-data, InitiatingProcessFileName=bash; InitiatingProcessParentFileName may show sudo. Syslog: service enable/start events. The key telemetry is systemctl running under a web service account UID; Branch 1 additionally needs the web server binary as parent or grandparent of systemctl, so a simulation launched from an interactive shell exercises Branch 3 rather than Branch 1.
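To check the expected auditd signal from the tests above without eyeballing raw logs, here is an added example (not part of the original test package) that groups auditd records by their audit serial, reassembles EXECVE argv (decoding the unquoted hex encoding auditd uses for arguments containing spaces or special bytes), and reports systemctl executions with their uid alongside .service files created in the unit directories. The audit lines are constructed to resemble Test 1 and Test 4; serials, inodes, timestamps and the use of uid 33 for the systemctl calls are assumptions for the example.

```python
"""Correlate raw auditd records by serial and extract the systemctl/unit-file
signal described in the tests above. Added example with constructed records."""
import re

LINE_RE = re.compile(r'^type=(?P<type>[A-Z_]+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<body>.*)$')
KV_RE = re.compile(r'(?P<k>[A-Za-z0-9_]+)=(?P<v>"[^"]*"|\S*)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')
UNIT_DIRS = ("/etc/systemd/system/", "/lib/systemd/system/",
             "/usr/lib/systemd/system/", "/run/systemd/system/")
TRACKED = {"start", "enable", "daemon-reload", "link"}


def decode_value(key, raw):
    """Strip quotes; EXECVE aN fields that contain spaces or control bytes are
    emitted unquoted as uppercase hex, so decode those back to text."""
    if raw.startswith('"'):
        return raw[1:-1]
    if key[:1] == "a" and key[1:].isdigit() and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: decode_value(k, v) for k, v in KV_RE.findall(m["body"])}
    return m["serial"], m["type"], fields


def group_by_serial(lines):
    """One audit event is every record sharing a serial: SYSCALL plus EXECVE/PATH/CWD."""
    events = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        serial, rtype, fields = parsed
        ev = events.setdefault(serial, {"SYSCALL": {}, "EXECVE": [], "PATH": []})
        if rtype == "EXECVE":
            ev["EXECVE"] = [fields.get(f"a{i}", "") for i in range(int(fields.get("argc", 0)))]
        elif rtype == "PATH":
            ev["PATH"].append(fields)
        elif rtype == "SYSCALL":
            ev["SYSCALL"] = fields
    return events


def expected_signal(lines):
    """Return (systemctl executions, unit files created), each with the acting uid."""
    execs, created = [], []
    for serial, ev in sorted(group_by_serial(lines).items(), key=lambda kv: int(kv[0])):
        argv, sc = ev["EXECVE"], ev["SYSCALL"]
        uid = int(sc.get("uid", -1))
        if argv and argv[0].rsplit("/", 1)[-1] == "systemctl" and TRACKED & set(argv[1:]):
            execs.append({"serial": serial, "argv": argv, "uid": uid, "auid": sc.get("auid")})
        for p in ev["PATH"]:
            name = p.get("name", "")
            if p.get("nametype") == "CREATE" and name.startswith(UNIT_DIRS) and name.endswith(".service"):
                created.append({"serial": serial, "path": name, "uid": uid})
    return execs, created


# Constructed records: a web shell (uid 33) runs bash -c, a unit is copied in under sudo
# (uid 0, auid 1000), then www-data runs daemon-reload and enable; serial 1005 is benign.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1705312345.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1301 auid=4294967295 uid=33 gid=33 euid=33 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1705312345.101:1001): argc=3 a0="bash" a1="-c" a2=73797374656D63746C206461656D6F6E2D72656C6F6164
type=SYSCALL msg=audit(1705312345.205:1002): arch=c000003e syscall=257 success=yes exit=3 ppid=1301 pid=1302 auid=1000 uid=0 gid=0 euid=0 comm="cp" exe="/usr/bin/cp" key="systemd-units"
type=PATH msg=audit(1705312345.205:1002): item=0 name="/etc/systemd/system/" inode=262145 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1705312345.205:1002): item=1 name="/etc/systemd/system/df00tech-persist.service" inode=262900 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1705312345.310:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=1301 pid=1303 auid=4294967295 uid=33 gid=33 euid=33 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1705312345.310:1003): argc=2 a0="systemctl" a1="daemon-reload"
type=SYSCALL msg=audit(1705312345.412:1004): arch=c000003e syscall=59 success=yes exit=0 ppid=1301 pid=1304 auid=4294967295 uid=33 gid=33 euid=33 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1705312345.412:1004): argc=3 a0="systemctl" a1="enable" a2="df00tech-persist.service"
type=SYSCALL msg=audit(1705312345.500:1005): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1705312345.500:1005): argc=2 a0="systemctl" a1="status"
"""

if __name__ == "__main__":
    execs, created = expected_signal(SAMPLE_AUDIT.splitlines())
    for e in execs:
        print(f"serial {e['serial']}: uid={e['uid']} auid={e['auid']} argv={e['argv']}")
    for c in created:
        print(f"serial {c['serial']}: uid={c['uid']} created {c['path']}")
```

An auid of 4294967295 is auditd's way of printing an unset login session, which is exactly what a process descended from a daemon (here the web server) looks like; an interactive admin carries the real auid even after sudo, so the auid column separates Test 1 from Test 4 even when both run as uid 0. Capturing the PATH CREATE records requires an auditd watch rule on the unit directories (for example `-w /etc/systemd/system -p wa -k systemd-units`).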
References (10)
- https://attack.mitre.org/techniques/T1569/003/
- https://www.redhat.com/en/blog/linux-systemctl-manage-services
- https://blog.talosintelligence.com/teamtnt-with-new-campaign-against/
- https://www.freedesktop.org/software/systemd/man/systemd.service.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
- https://attack.mitre.org/groups/G0139/
- https://www.crowdstrike.com/blog/carbon-spider-morphs-to-target-esxi-servers/
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux
- https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux/
- https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog