title: Systemctl (T1569.003)
id: df00tech-t1569-003
status: experimental
description: "Adversaries may abuse systemctl to execute commands or programs as systemd services on Linux systems. Systemctl is the primary interface for systemd, the Linux init system and service manager. By writing a malicious unit file (typically under /etc/systemd/system), running systemctl daemon-reload so systemd picks it up, and then systemctl start and systemctl enable, adversaries execute arbitrary code immediately and have it re-run on every boot. Real-world abuse patterns include TeamTNT deploying cryptocurrency mining services, threat actors writing reverse shell service units whose ExecStart points to payloads in /dev/shm or /tmp, and web shell compromise chains in which an attacker-controlled web process creates a privileged service for lateral movement or persistence. Common subcommands used in attacks include systemctl start, systemctl enable, systemctl daemon-reload, and systemctl link (which registers a unit file from outside the normal unit search path)."
references:
  - https://attack.mitre.org/techniques/T1569/003/
  - https://df00tech.com/detections/T1569.003
author: df00tech
date: 2026/04/21
tags:
  - attack.t1569.003
# NOTE: logsource may need adjustment for your environment (e.g. auditd vs. Sysmon for Linux field names)
logsource:
  category: process_creation
  product: linux
detection:
  # Minimal translation of the pattern described above; the full multi-branch logic (web-process parent, /dev/shm and /tmp unit paths) is in the KQL/SPL query on df00tech.
  selection:
    Image|endswith: '/systemctl'
    CommandLine|contains:
      - ' start'
      - ' enable'
      - ' daemon-reload'
      - ' link'
  condition: selection
falsepositives:
  - "System administrators manually creating or enabling services via SSH sessions — parent process will be bash/sh spawned from sshd, not a web process, but may still trigger Branch 3"
  - "Configuration management tools (Ansible, Chef, Puppet, SaltStack) that connect over SSH and run systemctl to manage services — typically run as root with known service names"
  - "Software installation scripts (npm postinstall, Python setup.py, Go install) that register services as part of legitimate package installation"
  - "CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) that build and deploy software including service registration steps"
  - Container build processes that pre-populate systemd units inside container images as part of Docker RUN steps
level: high
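The following is an added example for this page, not df00tech's KQL/SPL query and not part of the rule above. It applies the systemctl-abuse pattern from the description to Linux process_creation events with Sigma-style fields (Image, CommandLine, ParentImage, User), adding the two pieces of context the description calls out beyond the bare verb: a unit path under /dev/shm or /tmp, and a parent web-server process or web service account. The web-server process names and users, the `systemctl_verb`/`evaluate`/`hunt` helpers and the sample events are this example's own assumptions; the events are constructed, not real telemetry.

```python
#!/usr/bin/env python3
"""Added example (not df00tech's query): score systemctl process_creation
events for the T1569.003 pattern described on this page.

Assumptions, all this example's own: the web-server process names and
service accounts below, the /dev/shm and /tmp staging directories taken
from the description, and the constructed sample events at the bottom.
"""
import os
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# systemctl verbs named on the page as commonly abused
ABUSED_VERBS = {"start", "enable", "daemon-reload", "link"}
# world-writable staging locations named in the description
STAGING_DIRS = ("/dev/shm/", "/tmp/")
# assumption: typical Linux web stacks; systemctl as their child suggests a web-shell chain
WEB_PARENT_PREFIXES = ("apache2", "httpd", "nginx", "php", "node", "gunicorn", "uwsgi")
WEB_USERS = {"www-data", "apache", "nginx", "http"}

R_STAGING = "unit path under /dev/shm or /tmp"
R_WEB = "systemctl spawned by a web-server process or its service account"
R_LINK = "systemctl link registers a unit from outside the unit search path"


@dataclass
class Finding:
    verb: str
    reasons: List[str]


def systemctl_verb(cmdline: str) -> Optional[str]:
    """Return the systemctl subcommand: the first token after argv[0] that is
    not an option, so 'systemctl --user enable x' yields 'enable'."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged command line
        argv = cmdline.split()
    if not argv or os.path.basename(argv[0]) != "systemctl":
        return None
    for tok in argv[1:]:
        if not tok.startswith("-"):
            return tok
    return None


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """None if the event is not an abused systemctl verb; otherwise a Finding
    whose reasons list the suspicious context. An empty reasons list means
    plain admin-style use (e.g. 'systemctl enable nginx' from an SSH shell)."""
    if not event.get("Image", "").endswith("/systemctl"):
        return None
    cmd = event.get("CommandLine", "")
    verb = systemctl_verb(cmd)
    if verb not in ABUSED_VERBS:
        return None
    reasons = []
    if any(d in cmd for d in STAGING_DIRS):
        reasons.append(R_STAGING)
    parent = os.path.basename(event.get("ParentImage", ""))
    if parent.startswith(WEB_PARENT_PREFIXES) or event.get("User") in WEB_USERS:
        reasons.append(R_WEB)
    if verb == "link":
        reasons.append(R_LINK)
    return Finding(verb, reasons)


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, Finding]]:
    """Index and Finding for every event with at least one suspicious reason."""
    hits = []
    for i, ev in enumerate(events):
        f = evaluate(ev)
        if f is not None and f.reasons:
            hits.append((i, f))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl link /dev/shm/.kthreadd/sysupd.service",
     "ParentImage": "/bin/bash", "User": "root"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl enable --now nginx.service",
     "ParentImage": "/bin/bash", "User": "root"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl daemon-reload",
     "ParentImage": "/usr/sbin/apache2", "User": "www-data"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl start /tmp/.rs/rshell.service",
     "ParentImage": "/usr/sbin/php-fpm8.2", "User": "www-data"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl status sshd",
     "ParentImage": "/bin/bash", "User": "root"},
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la /tmp",
     "ParentImage": "/bin/bash", "User": "root"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: systemctl {finding.verb}: " + "; ".join(finding.reasons))
```

Run as-is it reports events 0, 2 and 3; event 1 (root enabling nginx from a bash shell) is parsed as an abused verb but carries no suspicious context, which is exactly the SSH-administrator false positive listed above, so it is kept out of the alert list rather than dropped from the parse. Parsing the verb with shlex rather than substring matching avoids firing on `systemctl status` or on a unit name that merely contains "start".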
