MITRE ATT&CK Technique
Description
Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems. Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands. * ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. * ExecReload directive covers when a service restarts. * ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'. Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) While adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-04-23T15:34:30.008Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Systemd services can be used to establish persistence on a '
'Linux system. The systemd service manager is commonly used '
'for managing background daemon processes (also known as '
'services) and other system resources.(Citation: Linux '
'man-pages: systemd January 2014)(Citation: Freedesktop.org '
'Linux systemd 29SEP2018) Systemd is the default '
'initialization (init) system on many Linux distributions '
'starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, '
'Fedora 15, and replaces legacy init systems including '
'SysVinit and Upstart while remaining backwards compatible '
'with the aforementioned init systems.\n'
'\n'
'Systemd utilizes configuration files known as service units '
'to control how services boot and under what conditions. By '
'default, these unit files are stored in the '
'<code>/etc/systemd/system</code> and '
'<code>/usr/lib/systemd/system</code> directories and have the '
'file extension <code>.service</code>. Each service unit file '
'may contain numerous directives that can execute system '
'commands. \n'
'\n'
'* ExecStart, ExecStartPre, and ExecStartPost directives cover '
'execution of commands when a services is started manually by '
"'systemctl' or on system start if the service is set to "
'automatically start. \n'
'* ExecReload directive covers when a service restarts. \n'
'* ExecStop and ExecStopPost directives cover when a service '
"is stopped or manually by 'systemctl'.\n"
'\n'
'Adversaries have used systemd functionality to establish '
'persistent access to victim systems by creating and/or '
'modifying service unit files that cause systemd to execute '
'malicious commands at recurring intervals, such as at system '
'boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch '
'package compromise 10JUL2018)(Citation: Arch Linux Package '
'Systemd Compromise BleepingComputer 10JUL2018)(Citation: '
'acroread package compromised Arch Linux Mail 8JUL2018)\n'
'\n'
'While adversaries typically require root privileges to '
'create/modify service unit files in the '
'<code>/etc/systemd/system</code> and '
'<code>/usr/lib/systemd/system</code> directories, low '
'privilege users can create/modify service unit files in '
'directories such as <code>~/.config/systemd/user/</code> to '
'achieve user-level persistence.(Citation: Rapid7 Service '
'Persistence 22JUNE2016)',
'external_references': [{'external_id': 'T1501',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1501'},
{'description': 'Linux man-pages. (2014, January). '
'systemd(1) - Linux manual page. '
'Retrieved April 23, 2019.',
'source_name': 'Linux man-pages: systemd January '
'2014',
'url': 'http://man7.org/linux/man-pages/man1/systemd.1.html'},
{'description': 'Freedesktop.org. (2018, September '
'29). systemd System and Service '
'Manager. Retrieved April 23, 2019.',
'source_name': 'Freedesktop.org Linux systemd '
'29SEP2018',
'url': 'https://www.freedesktop.org/wiki/Software/systemd/'},
{'description': 'Anomali Labs. (2019, March 15). '
'Rocke Evolves Its Arsenal With a New '
'Malware Family Written in Golang. '
'Retrieved April 24, 2019.',
'source_name': 'Anomali Rocke March 2019',
'url': 'https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang'},
{'description': 'Catalin Cimpanu. (2018, July 10). ~x '
'file downloaded in public Arch '
'package compromise. Retrieved April '
'23, 2019.',
'source_name': 'gist Arch package compromise '
'10JUL2018',
'url': 'https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a'},
{'description': 'Catalin Cimpanu. (2018, July 10). '
'Malware Found in Arch Linux AUR '
'Package Repository. Retrieved April '
'23, 2019.',
'source_name': 'Arch Linux Package Systemd '
'Compromise BleepingComputer '
'10JUL2018',
'url': 'https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/'},
{'description': 'Eli Schwartz. (2018, June 8). '
'acroread package compromised. '
'Retrieved April 23, 2019.',
'source_name': 'acroread package compromised Arch '
'Linux Mail 8JUL2018',
'url': 'https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html'},
{'description': 'Rapid7. (2016, June 22). Service '
'Persistence. Retrieved April 23, '
'2019.',
'source_name': 'Rapid7 Service Persistence '
'22JUNE2016',
'url': 'https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence'}],
'id': 'attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303b8158e',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:24.512Z',
'name': 'Systemd Service',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Tony Lambert, Red Canary'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux'],
'x_mitre_version': '1.1'}