T1569.003
System Services: Systemctl
Description from ATT&CK
Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.
Adversaries may use systemctl to execute commands or programs as Systemd Services. Common subcommands include:
systemctl start, systemctl stop, systemctl enable, systemctl disable, and systemctl status. (Citation: Red Hat Systemctl 2022)
Atomic Tests
- Atomic Test #1: Create and Enable a Malicious systemd Service Unit
- Atomic Test #2: Create systemd Service Unit from /tmp (Unusual Location)
- Atomic Test #3: Create systemd Service Unit from /dev/shm (Unusual Location)
- Atomic Test #4: Modify Existing systemd Service to Execute Malicious Command
- Atomic Test #5: Execute Command via Transient systemd Service (systemd-run)
- Atomic Test #6: Enumerate All systemd Services Using systemctl
- Atomic Test #7: Enable systemd Service for Persistence with Auto-Restart
- Atomic Test #8: Masquerade Malicious Service as Legitimate System Service
Atomic Test #1: Create and Enable a Malicious systemd Service Unit
Creates a new systemd service unit file in /etc/systemd/system/ and enables it using systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow to establish persistence or execute arbitrary commands under the context of systemd.
This simulates the full attacker workflow: writing the unit file, reloading the systemd daemon, enabling the service to survive reboots, and starting it immediately. This is consistent with techniques observed in ransomware precursor activity and post-exploitation frameworks targeting Linux infrastructure.
Supported Platforms: Linux
auto_generated_guid: e58c8723-5503-4533-b642-535cd20ec648
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| service_name | Name of the malicious service to create | string | atomic-test |
| command_to_run | Command the service will execute | string | /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt" |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl enable #{service_name}.service
systemctl start #{service_name}.service
systemctl status #{service_name}.service
Cleanup Commands
systemctl stop #{service_name}.service 2>/dev/null || true
systemctl disable #{service_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
rm -f /tmp/atomic_service_output.txt
Dependencies: Run with sh!
Description: systemctl must be available on the system
Check Prereq Commands
if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "systemctl is not available. Ensure systemd is running on this system."
Description: The test must be run as root or with sudo privileges
Check Prereq Commands
if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "This test requires root privileges. Run as root or use sudo."
Description: /etc/systemd/system/ directory must exist and be writable
Check Prereq Commands
if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "/etc/systemd/system/ does not exist or is not writable. Ensure systemd is installed."
Atomic Test #2: Create systemd Service Unit from /tmp (Unusual Location)
Creates a systemd service unit file in /tmp and loads it using systemctl start with an absolute path. Adversaries may write service unit files to world-writable directories such as /tmp to avoid triggering alerts on new file creation in standard service directories, or to execute payloads transiently without permanently installing a service.
Loading a service unit from an arbitrary path rather than a standard systemd directory is unusual behaviour that should be detectable by monitoring systemctl command arguments.
Supported Platforms: Linux
auto_generated_guid: a1fa406e-2354-4a24-b6d6-94157e7564d4
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| service_path | Full path to the service file to be written in /tmp | path | /tmp/atomic_tmp.service |
| command_to_run | Command the service will execute | string | /bin/bash -c "id > /tmp/atomic_tmp_output.txt" |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
echo "[Unit]" > #{service_path}
echo "Description=Atomic Tmp Service" >> #{service_path}
echo "" >> #{service_path}
echo "[Service]" >> #{service_path}
echo "ExecStart=#{command_to_run}" >> #{service_path}
echo "" >> #{service_path}
echo "[Install]" >> #{service_path}
echo "WantedBy=multi-user.target" >> #{service_path}
systemctl link #{service_path}
systemctl start $(basename #{service_path})
systemctl status $(basename #{service_path})
Cleanup Commands
systemctl stop $(basename #{service_path}) 2>/dev/null || true
# disable also removes the symlink that systemctl link created in /etc/systemd/system
systemctl disable $(basename #{service_path}) 2>/dev/null || true
rm -f #{service_path}
systemctl daemon-reload
rm -f /tmp/atomic_tmp_output.txt
Dependencies: Run with sh!
Description: systemctl must be available on the system
Check Prereq Commands
if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "systemctl is not available. Ensure systemd is running on this system."
Description: /tmp must exist and be writable
Check Prereq Commands
if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "/tmp does not exist or is not writable on this system."
Description: The test must be run as root or with sudo privileges
Check Prereq Commands
if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "This test requires root privileges. Run as root or use sudo."
Atomic Test #3: Create systemd Service Unit from /dev/shm (Unusual Location)
Creates a systemd service unit file in /dev/shm and loads it using systemctl. /dev/shm is a memory-backed filesystem that is world-writable on most Linux systems and does not persist across reboots, making it particularly attractive to adversaries seeking to execute transient payloads while evading file-based forensic detection.
This technique has been observed in post-exploitation scenarios where attackers deliberately avoid writing to disk-backed locations to limit forensic artefacts.
Supported Platforms: Linux
auto_generated_guid: dce49381-a26b-4d95-bdfa-c607ffe8bee5
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| service_path | Full path to the service file to be written in /dev/shm | path | /dev/shm/atomic_shm.service |
| command_to_run | Command the service will execute | string | /bin/bash -c "whoami > /tmp/atomic_shm_output.txt" |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
echo "[Unit]" > #{service_path}
echo "Description=Atomic SHM Service" >> #{service_path}
echo "" >> #{service_path}
echo "[Service]" >> #{service_path}
echo "ExecStart=#{command_to_run}" >> #{service_path}
echo "" >> #{service_path}
echo "[Install]" >> #{service_path}
echo "WantedBy=multi-user.target" >> #{service_path}
systemctl link #{service_path}
systemctl start $(basename #{service_path})
systemctl status $(basename #{service_path})
Cleanup Commands
systemctl stop $(basename #{service_path}) 2>/dev/null || true
# disable also removes the symlink that systemctl link created in /etc/systemd/system
systemctl disable $(basename #{service_path}) 2>/dev/null || true
rm -f #{service_path}
systemctl daemon-reload
rm -f /tmp/atomic_shm_output.txt
Dependencies: Run with sh!
Description: systemctl must be available on the system
Check Prereq Commands
if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "systemctl is not available. Ensure systemd is running on this system."
Description: /dev/shm must exist and be writable
Check Prereq Commands
if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "/dev/shm does not exist or is not writable on this system."
Description: The test must be run as root or with sudo privileges
Check Prereq Commands
if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "This test requires root privileges. Run as root or use sudo."
Atomic Test #4: Modify Existing systemd Service to Execute Malicious Command
Creates a service unit file that initially runs a benign command, then modifies the ExecStart directive using sed to substitute a malicious command before reloading and restarting the service. Adversaries may hijack existing services to blend in with normal service activity and avoid triggering detections focused solely on new service creation.
This technique reflects the tradecraft observed in more sophisticated intrusions where blending into existing process trees is a priority over creating net-new services.
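Because Test #4 changes an existing unit rather than creating one, detection keyed on new files in /etc/systemd/system misses it. As an added example (not part of Atomic Red Team), the baseline check below fingerprints each unit's Exec* directives and reports units whose executed command changed; both snapshots are constructed from the test's before and after states.

```python
import hashlib

def fingerprint(text):
    """Hash of the whole unit plus the Exec* directives that decide what systemd runs."""
    exec_lines = tuple(l.strip() for l in text.splitlines() if l.strip().startswith("Exec"))
    return {"sha256": hashlib.sha256(text.encode()).hexdigest(), "exec": exec_lines}

def snapshot(units):
    """units: {unit_name: file_content} -> baseline {unit_name: fingerprint}."""
    return {name: fingerprint(text) for name, text in units.items()}

def diff_baseline(baseline, current):
    """Units that were added, removed, or whose Exec* directives changed since the baseline."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            changes.append((name, "added", current[name]["exec"]))
        elif name not in current:
            changes.append((name, "removed", baseline[name]["exec"]))
        elif baseline[name]["sha256"] != current[name]["sha256"]:
            before, after = baseline[name]["exec"], current[name]["exec"]
            kind = "exec-changed" if before != after else "modified (non-exec)"
            changes.append((name, kind, (before, after)))
    return changes

# Constructed contents of /etc/systemd/system before and after the sed edit in Atomic Test #4.
BASELINE_UNITS = {
    "atomic-modify-test.service": "[Unit]\nDescription=Legitimate Looking Service\n\n"
                                  "[Service]\nExecStart=/bin/true\n",
    "ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\nExecReload=/bin/kill -HUP $MAINPID\n",
}
CURRENT_UNITS = {
    "atomic-modify-test.service": "[Unit]\nDescription=Legitimate Looking Service\n\n"
        '[Service]\nExecStart=/bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"\n',
    "ssh.service": BASELINE_UNITS["ssh.service"],
}

def run_check():
    """Compare the two constructed snapshots; in production the baseline is stored off-host."""
    return diff_baseline(snapshot(BASELINE_UNITS), snapshot(CURRENT_UNITS))
```

A real deployment would take the baseline from a known-good build and re-run the comparison on a schedule or on inotify events for the unit directories.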
Supported Platforms: Linux
auto_generated_guid: 6123928f-6389-4914-8d25-a5d69bd657fa
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| service_name | Name of the service to create and then modify for the test | string | atomic-modify-test |
| malicious_command | Malicious command to substitute into ExecStart | string | /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt" |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl start #{service_name}.service
systemctl status #{service_name}.service
Cleanup Commands
systemctl stop #{service_name}.service 2>/dev/null || true
systemctl disable #{service_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
rm -f /tmp/atomic_hijack_output.txt
Dependencies: Run with sh!
Description: systemctl must be available on the system
Check Prereq Commands
if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "systemctl is not available. Ensure systemd is running on this system."
Description: sed must be available on the system
Check Prereq Commands
if [ -x "$(command -v sed)" ]; then exit 0; else exit 1; fi
Get Prereq Commands
apt-get install -y sed 2>/dev/null || yum install -y sed 2>/dev/null || echo "Could not install sed automatically."
Description: The test must be run as root or with sudo privileges
Check Prereq Commands
if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "This test requires root privileges. Run as root or use sudo."
Description: /etc/systemd/system/ directory must exist and be writable
Check Prereq Commands
if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "/etc/systemd/system/ does not exist or is not writable."
Atomic Test #5: Execute Command via Transient systemd Service (systemd-run)
Uses systemd-run to execute a command as a transient systemd service without creating a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary commands under the context of systemd while bypassing controls that monitor for new unit file creation, since transient services exist only in memory for their lifetime.
This is a particularly stealthy technique as it leaves minimal on-disk artefacts and the service disappears from systemctl list-units once execution completes.
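Test #5 (and the note in Test #2 about watching systemctl arguments) leaves nothing in the unit directories, so the process-creation event is the record to alert on. As an added example, not part of Atomic Red Team, the classifier below scores command lines for systemd-run and for state-changing systemctl invocations; the events are constructed, and VALUE_OPTS covers only a subset of systemd-run's value-taking options.

```python
import shlex

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
# systemd-run options that consume the next token as their value (subset, see systemd-run(1)).
VALUE_OPTS = {"-p", "--property", "-u", "--unit", "-E", "--setenv", "--description", "--slice"}

def split_options(args):
    """Split systemd-run argv into (options, payload); stops at '--' or the first bare token."""
    i = 0
    while i < len(args):
        if args[i] == "--":
            return args[:i], args[i + 1:]
        if not args[i].startswith("-"):
            return args[:i], args[i:]
        i += 2 if args[i] in VALUE_OPTS else 1
    return args, []

def is_suspicious_payload(payload):
    """Shell with an inline script (-c), or an executable under a temp/shm directory."""
    if not payload:
        return False
    exe = payload[0]
    return (exe.rsplit("/", 1)[-1] in SHELLS and "-c" in payload[1:]) or exe.startswith(SUSPECT_DIRS)

def classify_command(cmdline):
    """Map one process command line to (severity, reason), or None if uninteresting."""
    argv = shlex.split(cmdline)
    if not argv:
        return None
    tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if tool == "systemd-run":  # Test #5: no unit file reaches disk, so the exec event is the record
        _, payload = split_options(args)
        severity = "high" if is_suspicious_payload(payload) else "medium"
        return (severity, "transient unit started with systemd-run")
    if tool == "systemctl":
        words = [a for a in args if not a.startswith("-")]  # drop --type=..., --now, ...
        if not words:
            return None
        verb, operands = words[0], words[1:]
        if verb == "link" or (verb in {"start", "enable"} and any("/" in o for o in operands)):
            return ("high", "unit file loaded from an arbitrary path")  # Tests #2 and #3
        if verb == "enable":
            return ("medium", "service enabled to survive reboot")  # Tests #1 and #7
        if verb in {"list-units", "list-unit-files"}:
            return ("low", "service enumeration")  # Test #6
    return None

# Constructed process-creation events, as an EDR or an auditd execve rule would record them.
EVENTS = [
    {"pid": 4101, "user": "root", "cmdline":
     'systemd-run --unit=atomic-transient --wait /bin/bash -c "id > /tmp/atomic_transient_output.txt"'},
    {"pid": 4102, "user": "root", "cmdline": "systemctl link /tmp/atomic_tmp.service"},
    {"pid": 4103, "user": "root", "cmdline": "systemctl enable atomic-test.service"},
    {"pid": 4104, "user": "alice", "cmdline": "systemctl list-unit-files --type=service"},
]

def scan(events):
    """Return one alert dict per event that classify_command flags."""
    alerts = []
    for ev in events:
        hit = classify_command(ev["cmdline"])
        if hit:
            alerts.append({"pid": ev["pid"], "user": ev["user"], "severity": hit[0], "reason": hit[1]})
    return alerts
```

The low-severity enumeration hit is only useful when correlated with the parent process and user (an interactive shell for a service account is the interesting case), so treat it as context rather than an alert on its own.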
Supported Platforms: Linux
auto_generated_guid: a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| unit_name | Name of the transient systemd unit to create | string | atomic-transient |
| command_to_run | Command to execute as a transient service | string | /bin/bash -c "id > /tmp/atomic_transient_output.txt" |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
systemd-run --unit=#{unit_name} --wait #{command_to_run}
systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
Cleanup Commands
systemctl stop #{unit_name}.service 2>/dev/null || true
rm -f /tmp/atomic_transient_output.txt
Dependencies: Run with sh!
Description: systemd-run must be available on the system
Check Prereq Commands
if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "systemd-run is not available. Ensure systemd is installed and up to date."
Description: The test must be run as root or with sudo privileges
Check Prereq Commands
if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "This test requires root privileges. Run as root or use sudo."
Atomic Test #6: Enumerate All systemd Services Using systemctl
Enumerates all systemd services and their current states using systemctl list-units and systemctl list-unit-files. Adversaries may enumerate running and enabled services to identify targets for hijacking, understand the host environment, map installed security tooling, or identify gaps in monitoring coverage.
Service enumeration is a common reconnaissance step during post-exploitation and may precede service hijacking or masquerading activity. This test does not require elevation as service listing is available to unprivileged users on most Linux systems.
Supported Platforms: Linux
auto_generated_guid: 1e5be8d4-605a-4acb-8709-2f80b2d8ea95
Attack Commands: Run with sh!
systemctl list-units --type=service --all
systemctl list-unit-files --type=service
Cleanup Commands
echo "No cleanup required"
Dependencies: Run with sh!
Description: systemctl must be available on the system
Check Prereq Commands
if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "systemctl is not available. Ensure systemd is running on this system."
Atomic Test #7: Enable systemd Service for Persistence with Auto-Restart
Creates a payload script and a systemd service unit that executes it, then enables the service to survive reboots using systemctl enable. The service is configured with Restart=always to automatically restart on failure, mimicking the persistence mechanism used by adversaries deploying backdoors or beacons on Linux hosts.
This technique is consistent with observed post-exploitation tradecraft where adversaries establish a foothold that survives reboots and self-heals after interruption, complicating incident response and remediation efforts.
Supported Platforms: Linux
auto_generated_guid: 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| service_name | Name of the persistence service to create | string | atomic-persist |
| payload_path | Path to the payload script that the service will execute | path | /tmp/atomic_payload.sh |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl enable #{service_name}.service
systemctl start #{service_name}.service
systemctl status #{service_name}.service
Cleanup Commands
systemctl stop #{service_name}.service 2>/dev/null || true
systemctl disable #{service_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{service_name}.service
rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
systemctl daemon-reload
rm -f #{payload_path}
rm -f /tmp/atomic_persist_output.txt
Dependencies: Run with sh!
Description: systemctl must be available on the system
Check Prereq Commands
if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "systemctl is not available. Ensure systemd is running on this system."
Description: The test must be run as root or with sudo privileges
Check Prereq Commands
if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "This test requires root privileges. Run as root or use sudo."
Description: /etc/systemd/system/ directory must exist and be writable
Check Prereq Commands
if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "/etc/systemd/system/ does not exist or is not writable."
Description: Payload script must exist at the specified path
Check Prereq Commands
if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo '#!/bin/bash' > #{payload_path}
echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
chmod +x #{payload_path}
Atomic Test #8: Masquerade Malicious Service as Legitimate System Service
Creates a systemd service with a name and description closely resembling a legitimate system service to blend in with normal service activity. Adversaries may deliberately choose service names similar to well-known system services such as systemd-networkd, cron, or ssh to evade detection from analysts reviewing service lists or automated alerting on service names.
This masquerading technique is particularly effective in environments where detection relies on service name allowlists or manual review of systemctl list-units output rather than behavioural analysis of service unit file contents and ExecStart paths.
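The descriptions of Tests #1, #2, #3, #7 and #8 each point at something a defender can check in the unit file itself: where it was loaded from, what ExecStart runs, whether it self-restarts, and whether the name imitates a systemd-* unit. The audit function below is an added example written for this page (not Atomic Red Team code); it parses unit text directly, the sample units are constructed, and the directory lists and the systemd-* naming rule are heuristics rather than a verdict.

```python
from pathlib import PurePosixPath

VENDOR_UNIT_DIRS = ("/usr/lib/systemd/system/", "/lib/systemd/system/")
# Directories systemd normally loads unit files from (vendor units plus admin units in /etc).
TRUSTED_UNIT_DIRS = ("/etc/systemd/system/",) + VENDOR_UNIT_DIRS
# World-writable or memory-backed locations used by Atomic Tests #2, #3 and #7.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}

def parse_unit(text):
    """Minimal parser for the INI-like unit format -> {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections

def audit_unit(unit_name, unit_path, text):
    """Return findings for one service unit. unit_path is the file's real location
    (the symlink target when the unit was installed with `systemctl link`)."""
    findings = []
    service = parse_unit(text).get("Service", {})
    if not unit_path.startswith(TRUSTED_UNIT_DIRS):
        findings.append(f"unit file loaded from non-standard path {unit_path}")
    for exec_line in service.get("ExecStart", []):
        # Drop systemd's ExecStart prefix characters (-, @, :, +, !) before reading argv[0].
        argv = exec_line.lstrip("-@:+!").split()
        if not argv:
            continue
        exe = argv[0]
        if PurePosixPath(exe).name in SHELLS and "-c" in argv[1:]:
            findings.append(f"ExecStart runs an inline shell command: {exec_line}")
        if exe.startswith(SUSPECT_DIRS):
            findings.append(f"ExecStart executable lives in a temp/shm directory: {exe}")
    if service.get("Restart", ["no"])[-1] == "always" and findings:
        findings.append("Restart=always on an already suspicious unit (self-healing persistence)")
    # Heuristic: genuine systemd-* units ship in the vendor directory, not in /etc or /tmp.
    if unit_name.startswith("systemd-") and not unit_path.startswith(VENDOR_UNIT_DIRS):
        findings.append(f"systemd-* style name outside the vendor unit directory: {unit_name}")
    return findings

# Constructed samples: the unit written by Atomic Test #8 and a benign vendor unit.
MASQUERADE_UNIT = """[Unit]
Description=Network connectivity helper service
[Service]
ExecStart=/bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"
Restart=on-failure
[Install]
WantedBy=multi-user.target"""
BENIGN_UNIT = "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n"

def audit_samples():
    return {
        "systemd-network-helper": audit_unit("systemd-network-helper",
            "/etc/systemd/system/systemd-network-helper.service", MASQUERADE_UNIT),
        "ssh": audit_unit("ssh", "/usr/lib/systemd/system/ssh.service", BENIGN_UNIT),
    }
```

On a live host, feed audit_unit the output of `systemctl show -p FragmentPath` (resolved through os.path.realpath) and the file contents, so that a unit installed with `systemctl link` is judged by its real location rather than the symlink in /etc/systemd/system.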
Supported Platforms: Linux
auto_generated_guid: 6fec8560-ff64-4bbf-bc79-734fea48f7ca
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| masquerade_name | Service name designed to closely mimic a legitimate system service | string | systemd-network-helper |
| command_to_run | Command the masquerading service will execute | string | /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt" |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
echo "" >> /etc/systemd/system/#{masquerade_name}.service
echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
echo "" >> /etc/systemd/system/#{masquerade_name}.service
echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
systemctl daemon-reload
systemctl start #{masquerade_name}.service
systemctl status #{masquerade_name}.service
Cleanup Commands
systemctl stop #{masquerade_name}.service 2>/dev/null || true
systemctl disable #{masquerade_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{masquerade_name}.service
systemctl daemon-reload
rm -f /tmp/atomic_masquerade_output.txt
Dependencies: Run with sh!
Description: systemctl must be available on the system
Check Prereq Commands
if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "systemctl is not available. Ensure systemd is running on this system."
Description: The test must be run as root or with sudo privileges
Check Prereq Commands
if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "This test requires root privileges. Run as root or use sudo."
Description: /etc/systemd/system/ directory must exist and be writable
Check Prereq Commands
if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
Get Prereq Commands
echo "/etc/systemd/system/ does not exist or is not writable."
Description: Chosen masquerade service name must not already exist as a real service
Check Prereq Commands
if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service"; then exit 0; else exit 1; fi
Get Prereq Commands
echo "A service named #{masquerade_name} already exists. Change the masquerade_name input argument to avoid conflicts."
Atomic test(s) for this technique last updated: 2026-04-20 00:30:37 UTC