Systemd Service

Systemd Service [T1543.002]

Information

Name: Systemd Service
ID: T1543.002
Tactics: ,
Technique:

Introduction

Systemd Service (T1543.002) is a sub-technique of the MITRE ATT&CK framework under the broader persistence technique "Create or Modify System Process." Attackers leverage systemd, a widely used Linux initialization system, to create or modify service unit files. By doing this, adversaries ensure their malicious payloads or commands execute automatically upon system boot or at specific intervals, thus maintaining persistence on compromised Linux systems.

Deep Dive Into Technique

Systemd is a system and service manager for Linux operating systems, responsible for managing system initialization, service management, and event handling. Attackers exploit systemd to persistently execute malicious binaries, scripts, or commands by manipulating or creating new unit files.

Technical execution methods include:

Creation of Malicious Unit Files:
- Attackers create new .service files in directories such as:
  - /etc/systemd/system/
  - /usr/lib/systemd/system/
  - /run/systemd/system/
- Malicious files typically specify commands or scripts to run upon system startup or at scheduled intervals.
Modification of Existing Legitimate Unit Files:
- Attackers edit existing unit files to include additional malicious commands or binaries.
- Commonly modified services include critical system processes or widely used software to blend malicious activity with legitimate operations.
Utilizing Systemctl Commands:
- Attackers invoke systemctl commands to enable or start malicious services:
  - systemctl enable malicious.service
  - systemctl start malicious.service
  - systemctl daemon-reload to reload systemd configurations after modification.
Timer Units for Scheduled Execution:
- Attackers may create corresponding .timer files to execute malicious services at scheduled intervals, similar to cron jobs.

Real-world procedures often involve:

Embedding malicious payloads within seemingly legitimate service configurations.
Using obfuscated or encoded scripts to evade detection.
Employing privilege escalation exploits to gain the necessary permissions for creating or modifying service files.

When this Technique is Usually Used

Attackers typically employ systemd service persistence in various attack scenarios and stages, including:

Post-Exploitation Persistence:
- Immediately after initial compromise, attackers set up persistent systemd services to ensure continued access even after system reboots or disruptions.
Long-term Surveillance and Espionage Campaigns:
- Advanced Persistent Threat (APT) groups utilize systemd persistence to maintain long-term footholds in targeted systems for continuous data exfiltration or espionage.
Privilege Escalation Scenarios:
- After successfully escalating privileges, attackers leverage elevated permissions to establish persistent systemd services, ensuring continued privileged access.
Supply Chain Attacks:
- Attackers embed malicious systemd service files within compromised software packages or updates, ensuring automatic execution upon installation or update.
Cryptomining and Botnet Operations:
- Malicious actors frequently leverage systemd services to ensure continuous execution of resource-intensive cryptomining software or botnet agents.

How this Technique is Usually Detected

Detection methods for malicious systemd services include:

File Integrity Monitoring (FIM):
- Implementing tools like AIDE, OSSEC, or Tripwire to detect unauthorized changes or additions to systemd unit file directories:
  - /etc/systemd/system/
  - /usr/lib/systemd/system/
  - /run/systemd/system/
Audit Logs and Systemd Journal Analysis:
- Monitoring system logs (journalctl) and audit logs (auditd) for suspicious systemctl commands, unusual service startups, or unauthorized modifications.
Behavioral Monitoring and Anomaly Detection:
- Detecting unexpected or abnormal execution behavior, such as unknown processes running at boot or unusual resource consumption patterns.
Endpoint Detection and Response (EDR) Solutions:
- Utilizing advanced EDR tools capable of identifying suspicious service creations, modifications, and executions through behavioral analysis and real-time monitoring.
Manual Inspection and Baseline Comparisons:
- Regularly comparing current systemd service files against known-good baselines to identify unauthorized or suspicious changes.

Indicators of Compromise (IoCs) include:

Unexpected or unknown .service or .timer files appearing in systemd directories.
Suspicious commands or scripts referenced in unit files.
Unusual systemctl commands executed in logs (e.g., repeated systemctl daemon-reload).
Unexpected processes or binaries executing at boot time.

Why it is Important to Detect This Technique

Early detection of malicious systemd services is critical due to the following impacts:

Persistent Access:
- Attackers leverage systemd services to maintain long-term persistence, allowing continuous unauthorized access, even after system reboots or remediation attempts.
Privilege Escalation and Lateral Movement:
- Malicious services can facilitate further escalation of privileges and lateral movement within the network, significantly increasing the scope and severity of a compromise.
Data Exfiltration and Espionage:
- Persistent malicious services often enable continuous data collection and exfiltration, leading to severe data breaches, intellectual property theft, or privacy violations.
Resource Abuse and System Stability Issues:
- Unauthorized services may consume excessive system resources (CPU, memory, bandwidth), impacting system performance, stability, and availability.
Difficulty of Remediation:
- Persistent services embedded within system startup processes can be challenging to detect and remediate, prolonging attacker presence and complicating incident response efforts.

Early detection and rapid remediation help minimize these impacts by limiting attacker dwell time, reducing data loss, and preventing further compromise.

Examples

Real-world examples of malicious systemd service usage include:

Rocke Group Cryptomining Campaign:
- Attackers installed cryptomining malware using malicious systemd services to ensure persistent execution on compromised Linux servers.
- Malicious .service files executed scripts downloading and running Monero mining software, significantly impacting system performance and resource availability.
HiddenWasp Malware:
- Linux malware that established persistence via systemd services, executing malicious binaries at startup.
- Enabled attackers to maintain stealthy, persistent access for espionage and lateral movement.
Skidmap Linux Malware:
- Malware that leveraged systemd service files to persistently execute cryptomining payloads and rootkits.
- Modified legitimate system binaries and services to evade detection and maintain long-term presence.
APT29 (Cozy Bear) Linux Persistence:
- Advanced persistent threat group known to use systemd service files to ensure persistent backdoor access, espionage, and data exfiltration on compromised Linux infrastructure.

In these scenarios, attackers utilized systemd services to maintain stealth, persistence, and continuous malicious activities, highlighting the critical importance of monitoring and detecting this sub-technique.

Last updated 1 month ago