title: Systemd Service (T1543.002)
id: df00tech-t1543-002
status: experimental
description: "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is the default initialization system on many Linux distributions. Adversaries create new .service unit files or modify existing ones, placing them in /etc/systemd/system/, /lib/systemd/system/, or user-level ~/.config/systemd/user/ directories. The ExecStart, ExecStartPre, ExecReload, and ExecStop directives within service files execute commands when services start, reload, or stop. Threat actors including TeamTNT, Rocke, and Scattered Spider have leveraged systemd services for persistence and privilege escalation."
references:
  - https://attack.mitre.org/techniques/T1543/002/
  - https://df00tech.com/detections/T1543.002
author: df00tech
date: 2026/03/12
tags:
  - attack.t1543.002
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# systemd is a Linux init system, so the product is set to linux rather than windows.
logsource:
  category: process_creation
  product: linux
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Package managers (apt, yum, dnf, rpm) installing legitimate software that includes systemd service units"
  - System administrators manually creating or modifying service files for legitimate infrastructure automation
  - "Configuration management tools (Ansible, Chef, Puppet, SaltStack) deploying service configurations"
  - Docker or container runtime installations that register systemd services
  - Development environments where developers create test services locally
level: high
