T1569.003 Sumo Logic CSE · Sumo

Detect Systemctl in Sumo Logic CSE

Adversaries may abuse systemctl to execute commands or programs as systemd services on Linux systems. systemctl is the primary interface to systemd, the init system and service manager on most current Linux distributions. By dropping a malicious service unit file and running systemctl daemon-reload, enable and start, an adversary can execute arbitrary code immediately and have systemd relaunch it at every boot; systemctl link registers a unit file that lives outside the unit search path (for example under /tmp), and systemctl mask can silence a competing or defensive service. Real-world abuse patterns include TeamTNT deploying cryptocurrency mining services, threat actors writing reverse shell service units that point to payloads in /dev/shm or /tmp, and web shell compromise chains in which an attacker-controlled web process creates a privileged service for persistence or lateral movement. Subcommands commonly seen in attacks: systemctl start, systemctl enable, systemctl daemon-reload and systemctl link.

MITRE ATT&CK

Tactic
Execution
Technique
T1569 System Services
Sub-technique
T1569.003 Systemctl
Canonical reference
https://attack.mitre.org/techniques/T1569/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
/* Scope: auditd EXECVE/SYSCALL/PATH records forwarded via syslog or an installed collector.
   Raw auditd puts argv on the EXECVE record and uid/auid/comm/exe/ppid on the SYSCALL
   record of the same event, so the per-record parses below assume the collector emits
   an event's records as one message (see the note under the query). */
(_sourceCategory=linux/audit OR _sourceCategory=linux/syslog OR _sourceCategory=endpoint/linux)
| parse regex field=_raw "type=(?<type>\w+)" nodrop
| where type = "EXECVE" OR type = "PATH"
| parse regex field=_raw "a0=\"?(?<a0>[^\"\s]+)" nodrop
| parse regex field=_raw "a1=\"?(?<a1>[^\"\s]+)" nodrop
| parse regex field=_raw "a2=\"?(?<a2>[^\"\s]+)" nodrop
| parse regex field=_raw "comm=\"?(?<comm>[^\"\s]+)" nodrop
| parse regex field=_raw "exe=\"?(?<exe>[^\"\s]+)" nodrop
// anchor on whitespace so uid= does not match inside auid=, euid= or ouid=
| parse regex field=_raw "\suid=(?<uid>\d+)" nodrop
| parse regex field=_raw "auid=(?<auid>\d+)" nodrop
| parse regex field=_raw "ppid=(?<ppid>\d+)" nodrop
| parse regex field=_raw "name=\"?(?<file_path>[^\"\s]+)" nodrop
| parse regex field=_raw "nametype=(?<nametype>\w+)" nodrop

/* Branch 1: web/app process spawning systemctl (risk 3) */
| if(type = "EXECVE"
     AND a0 matches /(^|\/)systemctl$/
     AND a1 matches /^(start|enable|daemon-reload|link|mask)$/
     AND comm matches /^(apache2|nginx|httpd|php|php-fpm|node|java|python3?|ruby|perl|gunicorn|uwsgi|lighttpd|caddy|haproxy)/,
     "WebApp_Process_Spawned_Systemctl", "") as branch1

/* Branch 2: .service unit created under a systemd unit directory (a PATH record with
   nametype=CREATE; auditd has no CREATE record type) by something other than a package manager (risk 4) */
| if(type = "PATH" AND nametype = "CREATE"
     AND file_path matches /^\/(etc|lib|usr\/lib|run)\/systemd\/system\/[^\/]+\.service$/
     AND !(comm matches /^(dpkg|apt|apt-get|rpm|yum|dnf|snap|packagekitd|zypper|pacman|pip|pip3|conda|flatpak)$/)
     AND (comm matches /^(apache2|nginx|httpd|php|node|java|python|ruby|perl|curl|wget|bash|sh)/
          OR exe matches /^\/(tmp|dev\/shm|var\/tmp)\//
          OR _raw matches /xmrig|minerd|cpuminer|mkfifo|\/dev\/tcp\/|base64 -d/),
     "Suspicious_Service_Unit_File_Created", "") as branch2

/* Branch 3: non-root account with a real login uid (auid set) enabling or linking units (risk 2) */
| if(type = "EXECVE"
     AND a0 matches /(^|\/)systemctl$/
     AND a1 matches /^(enable|link|daemon-reload)$/
     AND uid != "0" AND auid != "0" AND auid != "4294967295"
     AND !(comm matches /^(dpkg|apt|rpm|yum|dnf|snap|zypper|pacman|pip|conda|sshd|login|su|sudo|tmux|screen)$/),
     "Unprivileged_Systemctl_Service_Enable", "") as branch3

| if(branch2 != "", branch2, if(branch1 != "", branch1, branch3)) as detection_branch
| where detection_branch != ""
| if(detection_branch = "Suspicious_Service_Unit_File_Created", 4,
     if(detection_branch = "WebApp_Process_Spawned_Systemctl", 3, 2)) as risk_score
| fields _messageTime, _sourceHost, type, uid, auid, ppid, comm, exe, a1, a2, file_path, detection_branch, risk_score
| sort by risk_score desc, _messageTime desc
Severity: High · Confidence: High

Multi-branch Sumo Logic detection for T1569.003 systemctl abuse, written as a log search. It parses Linux audit (auditd) EXECVE, SYSCALL and PATH records to identify: (1) web/application server processes spawning systemctl to install persistence after a web shell compromise; (2) new .service unit files created under systemd unit directories (PATH records with nametype=CREATE; auditd has no CREATE record type) by suspicious or web-facing processes; (3) non-root accounts with a real login uid invoking systemctl enable, link or daemon-reload outside package manager or SSH session context. Service file drops score highest, then web-process systemctl chains, then unprivileged enables.

Two things to check before relying on it. First, raw auditd splits one event across records: argv (a0, a1, ...) is on the EXECVE record, uid/auid/comm/exe/ppid on the SYSCALL record, and the created file name on the PATH record, all sharing the same msg=audit(timestamp:serial) key. The per-record parses only line up when the collector emits an event's records as one message (enrichers such as auditbeat or Laurel do this; plain audisp-to-syslog forwarding does not), otherwise correlate on the serial. Second, comm and exe on an execve event describe the new image, that is systemctl itself, not its parent, so Branch 1's process-name match needs either a collector that adds the parent name or a lookup of ppid against earlier SYSCALL records for that pid. The telemetry also only exists if the audit rules cover execve (-a always,exit -F arch=b64 -S execve -k exec) and writes under the unit directories (-w /etc/systemd/system/ -p wa -k systemd_units). A Cloud SIEM (CSE) rule would express the same logic in CSE rule syntax over the normalized record fields rather than as this log search.
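Added example code, not part of the original page or of Sumo Logic: the three branches of the query re-implemented in Python and run over constructed auditd records (the pids, uids and unit names below are fabricated) so the logic can be checked offline, covering the www-data web shell chain, a developer's `systemctl --user enable` from the tuning notes further down, and a dpkg-installed unit that must not alert. It goes beyond the query in two ways: it joins EXECVE, SYSCALL and PATH records on their audit serial and resolves the parent process name through ppid, and it takes the systemctl subcommand as the first non-option argument so `--now enable` or `--user enable` are classified correctly.

```python
"""Added example (not the page's or Sumo Logic's code): the three branches of
the query above, re-implemented over constructed auditd lines so the logic can
be exercised offline. It also resolves the parent via ppid and skips leading
options such as --user, which the query's a1 check does not."""
import re
from collections import defaultdict

# Constructed sample records (fabricated pids, uids, unit names; not a capture).
# One event = the SYSCALL / EXECVE / PATH records sharing an audit(ts:serial) key.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.001:599): arch=c000003e syscall=59 success=yes exit=0 ppid=2050 pid=2100 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.001:599): argc=1 a0="bash"
type=SYSCALL msg=audit(1700000000.010:600): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=1399 auid=4294967295 uid=33 gid=33 euid=33 comm="php-fpm" exe="/usr/sbin/php-fpm8.2" key="systemd_units"
type=PATH msg=audit(1700000000.010:600): item=1 name="/etc/systemd/system/netconfig.service" inode=12345 dev=fd:01 mode=0100644 ouid=33 ogid=33 nametype=CREATE
type=SYSCALL msg=audit(1700000000.020:601): arch=c000003e syscall=59 success=yes exit=0 ppid=1399 pid=1422 auid=4294967295 uid=33 gid=33 euid=33 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1700000000.020:601): argc=2 a0="systemctl" a1="daemon-reload"
type=SYSCALL msg=audit(1700000000.030:602): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2200 auid=1000 uid=1000 gid=1000 euid=1000 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1700000000.030:602): argc=4 a0="systemctl" a1="--user" a2="enable" a3="myapp.service"
type=SYSCALL msg=audit(1700000000.040:603): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2201 auid=1000 uid=1000 gid=1000 euid=1000 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1700000000.040:603): argc=3 a0="systemctl" a1="enable" a2="netconfig.service"
type=SYSCALL msg=audit(1700000000.050:604): arch=c000003e syscall=257 success=yes exit=4 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 comm="dpkg" exe="/usr/bin/dpkg" key="systemd_units"
type=PATH msg=audit(1700000000.050:604): item=1 name="/usr/lib/systemd/system/nginx.service" inode=22222 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
WEB_PROC = re.compile(r'^(apache2|nginx|httpd|php|node|java|python|ruby|perl|gunicorn|uwsgi|lighttpd|caddy|haproxy)')
DROPPER = re.compile(r'^(apache2|nginx|httpd|php|node|java|python|ruby|perl|curl|wget|bash|sh)')
PKG_MGR = re.compile(r'^(dpkg|apt|apt-get|rpm|yum|dnf|snap|packagekitd|zypper|pacman|pip3?|conda|flatpak)$')
SESSION = re.compile(r'^(sshd|login|su|sudo|tmux|screen)$')
UNIT_DIR = re.compile(r'^/(etc|lib|usr/lib|run)/systemd/system/[^/]+\.service$')
TMP_EXE = re.compile(r'^/(tmp|dev/shm|var/tmp)/')
IOC = re.compile(r'xmrig|minerd|cpuminer|mkfifo|/dev/tcp/|base64 -d')
SYSTEMCTL_VERBS = {"start", "enable", "daemon-reload", "link", "mask"}
ENABLE_VERBS = {"enable", "link", "daemon-reload"}
UNSET_AUID = "4294967295"  # auditd's "no login uid" value, typical for daemons


def parse_records(text):
    """Group raw auditd lines into events keyed by serial. argv lives on EXECVE,
    uid/auid/comm/exe/ppid on SYSCALL, the created file name on PATH."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group(2))]
        ev.setdefault("ts", float(m.group(1)))
        ev["raw"] = ev.get("raw", "") + line + "\n"
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"])) if f"a{i}" in fields]
        elif fields.get("type") == "PATH" and fields.get("nametype") == "CREATE":
            ev["created"] = fields["name"]
        elif fields.get("type") == "SYSCALL":
            ev.update({k: fields[k] for k in ("pid", "ppid", "uid", "auid", "comm", "exe") if k in fields})
    return dict(events)


def systemctl_verb(argv):
    """Subcommand of a systemctl argv, skipping leading options (--user, --now)."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "systemctl":
        return None
    return next((a for a in argv[1:] if not a.startswith("-")), None)


def evaluate(events):
    """Apply the three branches; returns (risk, branch, serial, detail) tuples
    ordered like the query: highest risk first, newest first."""
    # comm/exe on an execve event name the new image (systemctl itself) and raw
    # auditd has no parent-name field, so resolve the parent via ppid -> SYSCALL.
    proc_name = {ev["pid"]: ev["comm"] for ev in events.values() if "pid" in ev}
    alerts = []
    for serial, ev in sorted(events.items()):
        comm, exe = ev.get("comm", ""), ev.get("exe", "")
        uid, auid = ev.get("uid"), ev.get("auid")
        parent = proc_name.get(ev.get("ppid"), "")
        argv, created = ev.get("argv", []), ev.get("created")
        verb = systemctl_verb(argv)
        # Branch 2 (risk 4): .service created under a unit dir by a non-package-manager
        if created and UNIT_DIR.match(created) and not PKG_MGR.match(comm) and (
                DROPPER.match(comm) or TMP_EXE.match(exe) or IOC.search(ev["raw"])):
            alerts.append((4, "Suspicious_Service_Unit_File_Created", serial, f"{comm} wrote {created}"))
        # Branch 1 (risk 3): systemctl whose parent is a web/app server process
        if verb in SYSTEMCTL_VERBS and WEB_PROC.match(parent):
            alerts.append((3, "WebApp_Process_Spawned_Systemctl", serial, f"{parent} -> systemctl {verb}"))
        # Branch 3 (risk 2): non-root, logged-in account enabling system-wide units
        if (verb in ENABLE_VERBS and uid not in (None, "0") and auid not in (None, "0", UNSET_AUID)
                and "--user" not in argv and not PKG_MGR.match(parent) and not SESSION.match(parent)):
            alerts.append((2, "Unprivileged_Systemctl_Service_Enable", serial, f"uid={uid} {' '.join(argv)}"))
    alerts.sort(key=lambda a: (-a[0], -events[a[2]]["ts"]))
    return alerts


if __name__ == "__main__":
    for risk, branch, serial, detail in evaluate(parse_records(SAMPLE_AUDIT)):
        print(f"risk={risk} {branch} serial={serial}: {detail}")
```

Running it yields three alerts in risk order: the unit file dropped by php-fpm (600), the daemon-reload whose parent is php-fpm (601), and the system-wide enable by uid 1000 (603); the `--user` enable (602) and the dpkg-written nginx unit (604) stay quiet. The parent lookup only works if the parent's own execve was audited while the pid table was being built, which is the same ordering assumption a collector-side join makes.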

Data Sources

  • Sumo Logic Cloud SIEM
  • Linux Audit (auditd via syslog)
  • Sumo Logic Installed Collector on Linux hosts

Required Tables

  • linux/audit
  • linux/syslog
  • endpoint/linux

False Positives & Tuning

  • Orchestration and provisioning agents (Puppet, SaltStack, or Ansible runs, sometimes executed via sudo under web-service accounts) that deploy application service units as part of change management workflows: allowlist the known automation account names (auid) or originating IPs
  • systemd user-unit management by developers running applications in user session space (systemctl --user) where uid is non-zero; filter on args containing '--user' flag
  • Security monitoring agents (Wazuh, OSSEC, CrowdStrike) that install themselves as systemd services during initial deployment and run their installer from non-standard parent processes

Testing Methodology

Validate this detection against the 4 Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create and Start Persistence Service with Benign Payload

    Expected signal: Auditd PATH record: write to /etc/systemd/system/df00tech-persist.service. Auditd EXECVE records: (1) systemctl daemon-reload, (2) systemctl enable df00tech-persist.service, (3) systemctl start df00tech-persist.service. Syslog/journal: 'Created symlink /etc/systemd/system/multi-user.target.wants/df00tech-persist.service', 'Starting System Performance Monitor...', 'Started System Performance Monitor'. MDE DeviceFileEvents: file create in /etc/systemd/system/. MDE DeviceProcessEvents: systemctl invocations with daemon-reload and enable subcommands.

  2. Test 2: TeamTNT-Style Cryptomining Service Registration

    Expected signal: Auditd PATH: write to /etc/systemd/system/kworker-d.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable kworker-d.service. Syslog: 'Created symlink...kworker-d.service'. MDE DeviceFileEvents: new .service file in /etc/systemd/system/ with InitiatingProcessCommandLine containing 'cp /tmp/df00tech-kworker.service'. Platforms that capture unit file content should flag the 'pool.example.com:4444' pattern and the /tmp/ path reference in ExecStart; the Sumo query above keys on the unit file path and the creating process rather than on unit content.

  3. Test 3: Reverse Shell Service Unit with /dev/shm Payload Path

    Expected signal: Auditd PATH: write to /etc/systemd/system/netconfig.service. Auditd EXECVE: systemctl daemon-reload, systemctl enable netconfig.service. Syslog: 'Created symlink...netconfig.service'. MDE DeviceFileEvents: new service file in /etc/systemd/system/ with /dev/shm pattern detectable if file content is captured.

  4. Test 4: Web Process Spawning Systemctl (Web Shell Simulation)

    Expected signal: Auditd EXECVE: systemctl daemon-reload with uid=33 (www-data on Debian/Ubuntu) or current test UID. Auditd SYSCALL: uid/auid fields identifying the web process account. MDE DeviceProcessEvents: systemctl with AccountName=www-data, InitiatingProcessFileName=bash, InitiatingProcessParentFileName may show sudo. Syslog: service enable/start events. The key telemetry is systemctl running under a web service account UID.
