Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the
/usr/lib/systemd/system directories and have the file extension
.service. Each service unit file may contain numerous directives that can execute system commands:
Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.
While adversaries typically require root privileges to create/modify service unit files in the
/usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as
~/.config/systemd/user/ to achieve user-level persistence.
|S0401||Exaramel for Linux|
|M1033||Limit Software Installation||
Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
|M1026||Privileged Account Management||
The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.
|M1022||Restrict File and Directory Permissions||
Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.
|M1018||User Account Management||
Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need.
|ID||Data Source||Data Component|
Systemd service unit files may be detected by auditing file creation and modification events within the
/home/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.
Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services:
systemctl list-units -–type=service –all. Analyze the contents of
.service files present on the file system and ensure that they refer to legitimate, expected executables.
Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as
/usr/sbin/service may reveal malicious systemd service execution.