TIARAS - T1569.003: Systemctl

MITRE ATT&CK Technique

Execution T1569.003

Description

Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications. Adversaries may use systemctl to execute commands or programs as [Systemd Service](https://attack.mitre.org/techniques/T1543/002)s. Common subcommands include: `systemctl start`, `systemctl stop`, `systemctl enable`, `systemctl disable`, and `systemctl status`.(Citation: Red Hat Systemctl 2022)

Supported Platforms

Linux

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2025-03-18T13:44:12.618Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse systemctl to execute commands or '
                'programs. Systemctl is the primary interface for systemd, the '
                'Linux init system and service manager. Typically invoked from '
                'a shell, Systemctl can also be integrated into scripts or '
                'applications.   \n'
                '\n'
                'Adversaries may use systemctl to execute commands or programs '
                'as [Systemd '
                'Service](https://attack.mitre.org/techniques/T1543/002)s. '
                'Common subcommands include: `systemctl start`, `systemctl '
                'stop`, `systemctl enable`, `systemctl disable`, and '
                '`systemctl status`.(Citation: Red Hat Systemctl 2022)',
 'external_references': [{'external_id': 'T1569.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1569/003'},
                         {'description': 'Damon Garn. (2022, May 17). How to '
                                         'use systemctl to manage Linux '
                                         'services. Retrieved March 18, 2025.',
                          'source_name': 'Red Hat Systemctl 2022',
                          'url': 'https://www.redhat.com/en/blog/linux-systemctl-manage-services'}],
 'id': 'attack-pattern--4b46767d-4a61-4f30-995e-c19a75c2e536',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'execution'}],
 'modified': '2025-04-15T19:58:28.694Z',
 'name': 'Systemctl',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux'],
 'x_mitre_remote_support': False,
 'x_mitre_version': '1.0'}

Quick Actions

Edit TTP Update from Web

Related Threat Actors (1)

TeamTNT
High

Back to TTPs

Dashboard About