T1569.003 Microsoft Sentinel · KQL

Detect Systemctl in Microsoft Sentinel

Adversaries may abuse systemctl to execute commands or programs as systemd services on Linux systems. Systemctl is the primary interface for systemd, the Linux init system and service manager. By crafting malicious service unit files and using systemctl start, enable, and daemon-reload, adversaries can execute arbitrary code immediately and establish persistent execution across reboots. Real-world abuse patterns include TeamTNT deploying cryptocurrency mining services, threat actors writing reverse shell service units pointing to payloads in /dev/shm or /tmp, and web shell compromise chains where an attacker-controlled web process creates a privileged service for lateral movement or persistence. Common subcommands used in attacks include: systemctl start, systemctl enable, systemctl daemon-reload, and systemctl link.

MITRE ATT&CK

Tactic: Execution
Technique: T1569 System Services
Sub-technique: T1569.003 Systemctl
Canonical reference: https://attack.mitre.org/techniques/T1569/003/

KQL Detection Query

Microsoft Sentinel (KQL)
let PackageManagers = dynamic(["dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "snap", "packagekitd", "zypper", "pacman", "pip", "pip3", "conda", "flatpak"]);
let SuspiciousParents = dynamic(["apache2", "nginx", "httpd", "php-fpm", "php", "node", "nodejs", "java", "python", "python3", "ruby", "perl", "gunicorn", "uwsgi", "lighttpd", "caddy", "haproxy"]);
let SuspiciousServiceContentPatterns = dynamic(["/tmp/", "/dev/shm/", "/var/tmp/", "wget ", "curl ", " nc ", "bash -i", "sh -i", "python -c", "perl -e", "ruby -e", "base64 -d", "xmrig", "minerd", "cpuminer", "mkfifo", "/dev/tcp/"]);
// Branch 1: systemctl invoked directly from web server, application server, or interpreter process
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "systemctl"
| where ProcessCommandLine has_any ("start", "enable", "daemon-reload", "link")
| where InitiatingProcessFileName has_any (SuspiciousParents)
    or InitiatingProcessParentFileName has_any (SuspiciousParents)
| extend DetectionBranch = "WebApp_Process_Spawned_Systemctl"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, DetectionBranch
| union (
    // Branch 2: New .service unit file written to systemd directories by non-package-manager
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FolderPath has_any ("/etc/systemd/system/", "/lib/systemd/system/", "/usr/lib/systemd/system/", "/run/systemd/system/")
    | where FileName endswith ".service"
    | where not (InitiatingProcessFileName has_any (PackageManagers))
    | where InitiatingProcessFileName has_any (SuspiciousParents)
        or InitiatingProcessCommandLine has_any (SuspiciousServiceContentPatterns)
        or InitiatingProcessParentFileName has_any (SuspiciousParents)
    | extend DetectionBranch = "Suspicious_Service_Unit_File_Created"
    | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
              ProcessCommandLine=InitiatingProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, DetectionBranch
)
| union (
    // Branch 3: systemctl run by non-root non-admin user with enable or link (escalation attempt)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "systemctl"
    | where ProcessCommandLine has_any ("enable", "link", "daemon-reload")
    | where AccountName !in~ ("root", "_", "systemd", "daemon")
    | where not (InitiatingProcessFileName has_any (PackageManagers))
    | where InitiatingProcessParentFileName !in~ ("sshd", "login", "su", "sudo", "tmux", "screen")
    | extend DetectionBranch = "Unprivileged_Systemctl_Service_Enable"
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, DetectionBranch
)
| sort by Timestamp desc

Severity: High
Confidence: Medium

Detects malicious use of systemctl to install and start attacker-controlled systemd services on Linux endpoints monitored by Microsoft Defender for Endpoint (MDE). Three detection branches cover: (1) systemctl invoked from web/application server or interpreter processes, indicating web shell-to-service escalation; (2) new service unit files written to systemd directories by non-package-manager processes where the writing process is itself a web/interpreter process or its command line carries suspicious patterns such as /dev/shm, reverse shell indicators, or cryptomining tool names (DeviceFileEvents does not expose the unit's contents, so the match is on the command line that wrote the file); and (3) non-privileged users attempting to enable or link systemd services. Requires the MDE Linux agent with DeviceProcessEvents and DeviceFileEvents telemetry.
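To exercise the branch logic before the rule is deployed, the following added example (this editor's code, not part of the original rule or detection package) re-implements the three branches in Python over constructed MDE-style DeviceProcessEvents and DeviceFileEvents rows modelled on the Testing Methodology below. The `has_any` helper is an approximation of KQL term matching, and the sample rows and function names are assumptions, not real telemetry.

```python
# Added example, not part of the original rule: an offline re-implementation of the three
# KQL branches above, so their logic can be exercised against constructed MDE-style
# DeviceProcessEvents / DeviceFileEvents rows. has_any() approximates KQL term matching;
# the sample rows are constructed, modelled on the Testing Methodology, not real telemetry.
import re

PACKAGE_MANAGERS = ["dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "snap", "packagekitd",
                    "zypper", "pacman", "pip", "pip3", "conda", "flatpak"]
SUSPICIOUS_PARENTS = ["apache2", "nginx", "httpd", "php-fpm", "php", "node", "nodejs", "java",
                      "python", "python3", "ruby", "perl", "gunicorn", "uwsgi", "lighttpd",
                      "caddy", "haproxy"]
SUSPICIOUS_CONTENT = ["/tmp/", "/dev/shm/", "/var/tmp/", "wget ", "curl ", " nc ", "bash -i",
                      "sh -i", "python -c", "perl -e", "ruby -e", "base64 -d", "xmrig",
                      "minerd", "cpuminer", "mkfifo", "/dev/tcp/"]
SYSTEMD_DIRS = ["/etc/systemd/system/", "/lib/systemd/system/", "/usr/lib/systemd/system/",
                "/run/systemd/system/"]
SYSTEM_ACCOUNTS = {"root", "_", "systemd", "daemon"}            # Branch 3 !in~ list
INTERACTIVE_PARENTS = {"sshd", "login", "su", "sudo", "tmux", "screen"}
_TOKEN = re.compile(r"[a-z0-9]+")


def _tokens(text):
    return _TOKEN.findall((text or "").lower())


def has_any(value, terms):
    """Approximate KQL has_any: a term matches when its alphanumeric tokens occur as a
    consecutive run of whole tokens in the value ('php' matches 'php-fpm', 'node' not 'nodejs')."""
    vt = _tokens(value)
    for term in terms:
        tt = _tokens(term)
        n = len(tt)
        if n and any(vt[i:i + n] == tt for i in range(len(vt) - n + 1)):
            return True
    return False


def branch1_webapp_spawned_systemctl(e):
    return (e["FileName"].lower() == "systemctl"
            and has_any(e["ProcessCommandLine"], ["start", "enable", "daemon-reload", "link"])
            and (has_any(e["InitiatingProcessFileName"], SUSPICIOUS_PARENTS)
                 or has_any(e["InitiatingProcessParentFileName"], SUSPICIOUS_PARENTS)))


def branch2_suspicious_unit_file(e):
    return (has_any(e["FolderPath"], SYSTEMD_DIRS)
            and e["FileName"].lower().endswith(".service")
            and not has_any(e["InitiatingProcessFileName"], PACKAGE_MANAGERS)
            and (has_any(e["InitiatingProcessFileName"], SUSPICIOUS_PARENTS)
                 or has_any(e["InitiatingProcessCommandLine"], SUSPICIOUS_CONTENT)
                 or has_any(e["InitiatingProcessParentFileName"], SUSPICIOUS_PARENTS)))


def branch3_unprivileged_enable(e):
    return (e["FileName"].lower() == "systemctl"
            and has_any(e["ProcessCommandLine"], ["enable", "link", "daemon-reload"])
            and e["AccountName"].lower() not in SYSTEM_ACCOUNTS
            and not has_any(e["InitiatingProcessFileName"], PACKAGE_MANAGERS)
            and e["InitiatingProcessParentFileName"].lower() not in INTERACTIVE_PARENTS)


def classify(process_events, file_events):
    """Mirror the KQL union: one row per (event, matching branch); Branch 1 and 3 can both fire."""
    hits = []
    for e in process_events:
        if branch1_webapp_spawned_systemctl(e):
            hits.append({**e, "DetectionBranch": "WebApp_Process_Spawned_Systemctl"})
        if branch3_unprivileged_enable(e):
            hits.append({**e, "DetectionBranch": "Unprivileged_Systemctl_Service_Enable"})
    for e in file_events:
        if branch2_suspicious_unit_file(e):
            hits.append({**e, "DetectionBranch": "Suspicious_Service_Unit_File_Created"})
    return hits


# Constructed sample rows (not real telemetry).
PROCESS_EVENTS = [
    # web shell under php-fpm enabling a unit: matches Branch 1 and Branch 3
    {"AccountName": "www-data", "FileName": "systemctl",
     "ProcessCommandLine": "systemctl enable netconfig.service",
     "InitiatingProcessFileName": "sh", "InitiatingProcessParentFileName": "php-fpm"},
    # administrator over SSH using sudo: runs as root, no branch matches
    {"AccountName": "root", "FileName": "systemctl",
     "ProcessCommandLine": "systemctl enable nginx.service",
     "InitiatingProcessFileName": "sudo", "InitiatingProcessParentFileName": "bash"},
    # Test 4 run through sudo: bash/sudo are not SuspiciousParents and Branch 3 excludes
    # sudo as grandparent, so this variant is silent (compare the first row)
    {"AccountName": "www-data", "FileName": "systemctl",
     "ProcessCommandLine": "systemctl daemon-reload",
     "InitiatingProcessFileName": "bash", "InitiatingProcessParentFileName": "sudo"},
]
FILE_EVENTS = [
    # Test 2 style: unit copied out of /tmp by a shell: matches Branch 2
    {"InitiatingProcessAccountName": "www-data", "FolderPath": "/etc/systemd/system",
     "FileName": "kworker-d.service", "InitiatingProcessFileName": "cp",
     "InitiatingProcessCommandLine": "cp /tmp/df00tech-kworker.service /etc/systemd/system/",
     "InitiatingProcessParentFileName": "bash"},
    # package manager laying down a unit: excluded by the PackageManagers list
    {"InitiatingProcessAccountName": "root", "FolderPath": "/lib/systemd/system",
     "FileName": "cron.service", "InitiatingProcessFileName": "dpkg",
     "InitiatingProcessCommandLine": "dpkg --unpack cron.deb",
     "InitiatingProcessParentFileName": "apt-get"},
]

if __name__ == "__main__":
    for hit in classify(PROCESS_EVENTS, FILE_EVENTS):
        print(hit["DetectionBranch"], hit.get("ProcessCommandLine", hit.get("InitiatingProcessCommandLine")))
```

Running the file prints one row per matching branch: the php-fpm row produces both a Branch 1 and a Branch 3 row, exactly as the KQL union would. The third process row is the one to keep in mind when validating Test 4: with bash as parent and sudo as grandparent, neither Branch 1 nor Branch 3 matches, because the sudo exclusion that suppresses administrator sessions also covers that path, so the web-account telemetry described in Test 4 only reaches this rule when the web process itself is the parent.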

Data Sources

  • Process: Process Creation
  • File: File Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint (Linux)

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • System administrators manually creating or enabling services via SSH sessions — parent process will be bash/sh spawned from sshd, not a web process, but may still trigger Branch 3
  • Configuration management tools (Ansible, Chef, Puppet, SaltStack) that connect over SSH and run systemctl to manage services — typically run as root with known service names
  • Software installation scripts (npm postinstall, Python setup.py, Go install) that register services as part of legitimate package installation
  • CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build and deploy software including service registration steps
  • Container build processes that pre-populate systemd units inside container images as part of Docker RUN steps

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create and Start Persistence Service with Benign Payload

    Expected signal: Auditd PATH record: write to /etc/systemd/system/df00tech-persist.service. Auditd EXECVE records: (1) systemctl daemon-reload, (2) systemctl enable df00tech-persist.service, (3) systemctl start df00tech-persist.service. Syslog/journal: 'Created symlink /etc/systemd/system/multi-user.target.wants/df00tech-persist.service', 'Starting System Performance Monitor...', 'Started System Performance Monitor'. MDE DeviceFileEvents: file create in /etc/systemd/system/. MDE DeviceProcessEvents: systemctl invocations with daemon-reload and enable subcommands.

  2. Test 2: TeamTNT-Style Cryptomining Service Registration

    Expected signal: Auditd PATH: write to /etc/systemd/system/kworker-d.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable kworker-d.service. Syslog: 'Created symlink...kworker-d.service'. MDE DeviceFileEvents: new .service file in /etc/systemd/system/ with InitiatingProcessCommandLine containing 'cp /tmp/df00tech-kworker.service'. SPL SuspiciousServiceName=1 fires on 'pool.example.com:4444' pattern and /tmp/ path reference in ExecStart.

  3. Test 3: Reverse Shell Service Unit with /dev/shm Payload Path

    Expected signal: Auditd PATH: write to /etc/systemd/system/netconfig.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable netconfig.service. Syslog: 'Created symlink...netconfig.service'. MDE DeviceFileEvents: new service file in /etc/systemd/system/ with /dev/shm pattern detectable if file content is captured.

  4. Test 4: Web Process Spawning Systemctl (Web Shell Simulation)

    Expected signal: Auditd EXECVE: systemctl daemon-reload with uid=33 (www-data on Debian/Ubuntu) or current test UID. Auditd SYSCALL: uid/auid fields identifying the web process account. MDE DeviceProcessEvents: systemctl with AccountName=www-data, InitiatingProcessFileName=bash, InitiatingProcessParentFileName may show sudo. Syslog: service enable/start events. The key telemetry is systemctl running under a web service account UID.

Unlock Pro Content

Get the full detection package for T1569.003 including response playbook, investigation guide, and atomic red team tests.