Detect Systemctl in CrowdStrike LogScale
Adversaries may abuse systemctl to execute commands or programs as systemd services on Linux systems. Systemctl is the primary interface for systemd, the Linux init system and service manager. By crafting malicious service unit files and using systemctl start, enable, and daemon-reload, adversaries can execute arbitrary code immediately and establish persistent execution across reboots. Real-world abuse patterns include TeamTNT deploying cryptocurrency mining services, threat actors writing reverse shell service units pointing to payloads in /dev/shm or /tmp, and web shell compromise chains where an attacker-controlled web process creates a privileged service for lateral movement or persistence. Common subcommands used in attacks include: systemctl start, systemctl enable, systemctl daemon-reload, and systemctl link.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1569 System Services
- Sub-technique
- T1569.003 Systemctl
- Canonical reference
- https://attack.mitre.org/techniques/T1569/003/
LogScale Detection Query
// Branch 1: Web/App process spawning systemctl
#event_simpleName = ProcessRollup2
| FileName = "systemctl" OR ImageFileName = /\/bin\/systemctl|\/usr\/bin\/systemctl/
| CommandLine = /(\bstart\b|\benable\b|daemon-reload|\blink\b)/
| ParentBaseFileName = /apache2|nginx|httpd|php-fpm|php|node(js)?|java|python3?|ruby|perl|gunicorn|uwsgi|lighttpd|caddy|haproxy/
OR GrandparentBaseFileName = /apache2|nginx|httpd|php-fpm|php|node(js)?|java|python3?|ruby|perl|gunicorn|uwsgi/
| eval detection_branch = "WebApp_Process_Spawned_Systemctl"
| eval risk_score = 3
| table(_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, GrandparentBaseFileName, detection_branch, risk_score)
// Branch 2: Suspicious service unit file creation in systemd directories
| union (
#event_simpleName = /^(PeFileWritten|SyntheticProcessRollup2|NewExecutableWritten|FileOpenInfo)/
| TargetFileName = /^\/(etc|lib|usr\/lib|run)\/systemd\/system\/.+\.service$/
| NOT ParentBaseFileName = /dpkg|apt-get|apt|rpm|yum|dnf|snap|packagekitd|zypper|pacman|pip3?|conda|flatpak/
| ParentBaseFileName = /apache2|nginx|httpd|php|node|java|python3?|ruby|perl|curl|wget|bash$|\bsh$/
OR ParentCommandLine = /\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|wget |curl | nc |bash -i|sh -i|python -c|perl -e|base64 -d|xmrig|minerd|cpuminer|mkfifo|\/dev\/tcp\//
| eval detection_branch = "Suspicious_Service_Unit_File_Created"
| eval risk_score = 4
| table(_time, ComputerName, UserName, TargetFileName, ParentBaseFileName, ParentCommandLine, detection_branch, risk_score)
)
// Branch 3: Unprivileged user enabling/linking services
| union (
#event_simpleName = ProcessRollup2
| FileName = "systemctl" OR ImageFileName = /\/bin\/systemctl|\/usr\/bin\/systemctl/
| CommandLine = /(\benable\b|\blink\b|daemon-reload)/
| NOT UserName = /^root$|^_|^systemd|^daemon/
| NOT ParentBaseFileName = /dpkg|apt|rpm|yum|dnf|snap|zypper|pacman|pip3?|conda|flatpak/
| NOT ParentBaseFileName = /sshd|login|\bsu\b|sudo|tmux|screen/
| eval detection_branch = "Unprivileged_Systemctl_Service_Enable"
| eval risk_score = 2
| table(_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, detection_branch, risk_score)
)
| sort(field=risk_score, order=desc)
| sort(field=@timestamp, order=desc)
| groupBy([ComputerName, UserName, detection_branch], function=[
collect([CommandLine, ParentBaseFileName, risk_score]),
count(as=event_count)
])
| where event_count >= 1Three-branch CrowdStrike LogScale (Falcon) detection for T1569.003 systemctl abuse using Falcon process telemetry. Branch 1 uses ProcessRollup2 events to identify systemctl spawned by web/application server processes (Apache, Nginx, PHP, Node, Java, Python) — a hallmark of post-exploitation web shell chains pivoting to service persistence. Branch 2 monitors file write events to systemd unit directories from non-package-manager processes with suspicious parent command lines or payload staging paths. Branch 3 detects non-privileged accounts invoking systemctl enable/link outside of package manager or interactive admin session context. Results are grouped by host, user, and detection branch for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Automated infrastructure provisioning tools running as web-service accounts (e.g., cloud-init, user_data scripts on EC2/GCP instances) that create and enable service units immediately after host boot — scope suppression to early boot window using ComputerName and BootId correlation
- Development machine workflows where engineers run local web servers (Node.js, Python Flask/FastAPI) and manage associated systemd user services from the same terminal session — filter by UserName in developer LDAP groups or workstation asset tags
- Security operations tools and monitoring agents that install as systemd services via a downloaded installer script (Wazuh, Elastic Agent, Datadog) where the installer binary runs from /tmp before moving to a permanent path — correlate with known installer binary hashes to suppress
Other platforms for T1569.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create and Start Persistence Service with Benign Payload
Expected signal: Auditd PATH record: write to /etc/systemd/system/df00tech-persist.service. Auditd EXECVE records: (1) systemctl daemon-reload, (2) systemctl enable df00tech-persist.service, (3) systemctl start df00tech-persist.service. Syslog/journal: 'Created symlink /etc/systemd/system/multi-user.target.wants/df00tech-persist.service', 'Starting System Performance Monitor...', 'Started System Performance Monitor'. MDE DeviceFileEvents: file create in /etc/systemd/system/. MDE DeviceProcessEvents: systemctl invocations with daemon-reload and enable subcommands.
- Test 2TeamTNT-Style Cryptomining Service Registration
Expected signal: Auditd PATH: write to /etc/systemd/system/kworker-d.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable kworker-d.service. Syslog: 'Created symlink...kworker-d.service'. MDE DeviceFileEvents: new .service file in /etc/systemd/system/ with InitiatingProcessCommandLine containing 'cp /tmp/df00tech-kworker.service'. SPL SuspiciousServiceName=1 fires on 'pool.example.com:4444' pattern and /tmp/ path reference in ExecStart.
- Test 3Reverse Shell Service Unit with /dev/shm Payload Path
Expected signal: Auditd PATH: write to /etc/systemd/system/netconfig.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable netconfig.service. Syslog: 'Created symlink...netconfig.service'. MDE DeviceFileEvents: new service file in /etc/systemd/system/ with /dev/shm pattern detectable if file content is captured.
- Test 4Web Process Spawning Systemctl (Web Shell Simulation)
Expected signal: Auditd EXECVE: systemctl daemon-reload with uid=33 (www-data on Debian/Ubuntu) or current test UID. Auditd SYSCALL: uid/auid fields identifying the web process account. MDE DeviceProcessEvents: systemctl with AccountName=www-data, InitiatingProcessFileName=bash, InitiatingProcessParentFileName may show sudo. Syslog: service enable/start events. The key telemetry is systemctl running under a web service account UID.
References (10)
- https://attack.mitre.org/techniques/T1569/003/
- https://www.redhat.com/en/blog/linux-systemctl-manage-services
- https://blog.talosintelligence.com/teamtnt-with-new-campaign-against/
- https://www.freedesktop.org/software/systemd/man/systemd.service.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
- https://attack.mitre.org/groups/G0139/
- https://www.crowdstrike.com/blog/carbon-spider-morphs-to-target-esxi-servers/
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux
- https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux/
- https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog
Unlock Pro Content
Get the full detection package for T1569.003 including response playbook, investigation guide, and atomic red team tests.