T1569.003 IBM QRadar · QRadar

Detect Systemctl in IBM QRadar

Adversaries may abuse systemctl to execute commands or programs as systemd services on Linux systems. Systemctl is the primary interface for systemd, the Linux init system and service manager. By crafting malicious service unit files and using systemctl start, enable, and daemon-reload, adversaries can execute arbitrary code immediately and establish persistent execution across reboots. Real-world abuse patterns include TeamTNT deploying cryptocurrency mining services, threat actors writing reverse shell service units pointing to payloads in /dev/shm or /tmp, and web shell compromise chains where an attacker-controlled web process creates a privileged service for lateral movement or persistence. Common subcommands used in attacks include: systemctl start, systemctl enable, systemctl daemon-reload, and systemctl link.

MITRE ATT&CK

Tactic
Execution
Technique
T1569 System Services
Sub-technique
T1569.003 Systemctl
Canonical reference
https://attack.mitre.org/techniques/T1569/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
/* Branch 1: Web/App process spawning systemctl */
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username" AS actor_user,
  "hostname" AS device_name,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  'WebApp_Process_Spawned_Systemctl' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (
  SELECT id FROM SDE_LogSourceType WHERE name ILIKE '%linux%' OR name ILIKE '%auditd%' OR name ILIKE '%syslog%'
)
AND ("Process Name" ILIKE '%systemctl%' OR "Command" ILIKE '%systemctl%')
AND (
  "Command" ILIKE '%start%' OR "Command" ILIKE '%enable%' OR
  "Command" ILIKE '%daemon-reload%' OR "Command" ILIKE '%link%'
)
AND (
  "Parent Process Name" ILIKE ANY ('%apache2%','%nginx%','%httpd%','%php%','%node%','%java%','%python%','%ruby%','%perl%','%gunicorn%','%uwsgi%')
  OR "Grandparent Process Name" ILIKE ANY ('%apache2%','%nginx%','%httpd%','%php%','%node%','%java%','%python%','%ruby%','%perl%')
)
AND devicetime > (NOW() - 86400000)

UNION ALL

/* Branch 2: Suspicious service unit file written to systemd directories */
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username" AS actor_user,
  "hostname" AS device_name,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "File Path" AS command_line,
  "Parent Process Name" AS parent_process,
  'Suspicious_Service_Unit_File_Created' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (
  SELECT id FROM SDE_LogSourceType WHERE name ILIKE '%linux%' OR name ILIKE '%auditd%'
)
AND (
  "File Path" ILIKE '/etc/systemd/system/%.service' OR
  "File Path" ILIKE '/lib/systemd/system/%.service' OR
  "File Path" ILIKE '/usr/lib/systemd/system/%.service' OR
  "File Path" ILIKE '/run/systemd/system/%.service'
)
AND NOT (
  "Process Name" ILIKE ANY ('%dpkg%','%apt%','%rpm%','%yum%','%dnf%','%snap%','%zypper%','%pacman%','%pip%','%conda%','%flatpak%')
)
AND (
  "Process Name" ILIKE ANY ('%apache2%','%nginx%','%httpd%','%php%','%node%','%java%','%python%','%ruby%','%perl%','%curl%','%wget%','%bash%') OR
  "Command" ILIKE ANY ('%/tmp/%','%/dev/shm/%','%/var/tmp/%','%wget %','%curl %','% nc %','%bash -i%','%xmrig%','%minerd%','%base64 -d%')
)
AND devicetime > (NOW() - 86400000)

UNION ALL

/* Branch 3: Unprivileged systemctl enable/link */
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username" AS actor_user,
  "hostname" AS device_name,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  'Unprivileged_Systemctl_Service_Enable' AS detection_branch
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (
  SELECT id FROM SDE_LogSourceType WHERE name ILIKE '%linux%' OR name ILIKE '%auditd%'
)
AND ("Process Name" ILIKE '%systemctl%' OR "Command" ILIKE '%systemctl%')
AND ("Command" ILIKE '%enable%' OR "Command" ILIKE '%link%' OR "Command" ILIKE '%daemon-reload%')
AND "username" NOT ILIKE ANY ('%root%','%_systemd%','%daemon%')
AND NOT "Process Name" ILIKE ANY ('%dpkg%','%apt%','%rpm%','%yum%','%dnf%','%snap%','%zypper%','%pacman%','%pip%','%conda%')
AND NOT "Parent Process Name" ILIKE ANY ('%sshd%','%login%','% su %','%sudo%','%tmux%','%screen%')
AND devicetime > (NOW() - 86400000)
ORDER BY event_time DESC
high severity medium confidence

Three-branch AQL detection for malicious systemctl abuse on Linux systems. Branch 1 identifies web/application server processes (Apache, Nginx, PHP, Node.js, Python, Java) that spawn systemctl, indicating web shell or RCE exploitation leading to service persistence. Branch 2 detects new .service unit files written to systemd directories by suspicious processes or with payload indicators (paths in /tmp, /dev/shm, mining tool names). Branch 3 catches unprivileged accounts attempting to enable or link services outside normal admin workflows.

Data Sources

IBM QRadarLinux Audit (auditd)Linux syslogQRadar Linux Log Source

Required Tables

events

False Positives & Tuning

  • Automated deployment pipelines (Jenkins, GitLab CI, GitHub Actions self-hosted runners) executing systemctl commands as service accounts with limited privileges — whitelist known CI/CD service account usernames
  • Linux-based application installers that run as www-data or similar web service accounts and call systemctl during post-install configuration steps
  • Container orchestration systems (Kubernetes DaemonSet deployments, Docker with systemd integration) that create service units programmatically as part of node bootstrapping
Download portable Sigma rule (.yml)

Other platforms for T1569.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create and Start Persistence Service with Benign Payload

    Expected signal: Auditd PATH record: write to /etc/systemd/system/df00tech-persist.service. Auditd EXECVE records: (1) systemctl daemon-reload, (2) systemctl enable df00tech-persist.service, (3) systemctl start df00tech-persist.service. Syslog/journal: 'Created symlink /etc/systemd/system/multi-user.target.wants/df00tech-persist.service', 'Starting System Performance Monitor...', 'Started System Performance Monitor'. MDE DeviceFileEvents: file create in /etc/systemd/system/. MDE DeviceProcessEvents: systemctl invocations with daemon-reload and enable subcommands.

  2. Test 2TeamTNT-Style Cryptomining Service Registration

    Expected signal: Auditd PATH: write to /etc/systemd/system/kworker-d.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable kworker-d.service. Syslog: 'Created symlink...kworker-d.service'. MDE DeviceFileEvents: new .service file in /etc/systemd/system/ with InitiatingProcessCommandLine containing 'cp /tmp/df00tech-kworker.service'. SPL SuspiciousServiceName=1 fires on 'pool.example.com:4444' pattern and /tmp/ path reference in ExecStart.

  3. Test 3Reverse Shell Service Unit with /dev/shm Payload Path

    Expected signal: Auditd PATH: write to /etc/systemd/system/netconfig.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable netconfig.service. Syslog: 'Created symlink...netconfig.service'. MDE DeviceFileEvents: new service file in /etc/systemd/system/ with /dev/shm pattern detectable if file content is captured.

  4. Test 4Web Process Spawning Systemctl (Web Shell Simulation)

    Expected signal: Auditd EXECVE: systemctl daemon-reload with uid=33 (www-data on Debian/Ubuntu) or current test UID. Auditd SYSCALL: uid/auid fields identifying the web process account. MDE DeviceProcessEvents: systemctl with AccountName=www-data, InitiatingProcessFileName=bash, InitiatingProcessParentFileName may show sudo. Syslog: service enable/start events. The key telemetry is systemctl running under a web service account UID.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1569.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1569System Services

Related Sub-techniques

T1569.001LaunchctlT1569.002Service Execution

Related Techniques

T1543.002Systemd ServiceT1059.004Unix ShellT1505.003Web ShellT1496Resource HijackingT1078.003Local AccountsT1027Obfuscated Files or InformationT1053.003CronT1548.003Sudo and Sudo CachingT1070.003Clear Command History

Same Tactic: Execution

Popular Detections