T1543.002

Systemd Service

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. (Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions, replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Syst...

Linux
12 Detections
2 Sources
3 Threat Actors

BY SOURCE

10 elastic, 2 sigma

PROCEDURES (10)

Startup: 2 detections

Auto-extracted: 2 detections for startup

Persist: 2 detections

Auto-extracted: 2 detections for persist

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

General Monitoring: 1 detection

Auto-extracted: 1 detection for general monitoring

Process Creation Monitoring: 1 detection

Auto-extracted: 1 detection for process creation monitoring

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

Persist: 1 detection

Auto-extracted: 1 detection for persist

Service Monitoring: 1 detection

Auto-extracted: 1 detection for service monitoring

Suspicious: 1 detection

Auto-extracted: 1 detection for suspicious

Persist: 1 detection

Auto-extracted: 1 detection for persist

DETECTIONS (12)