MITRE ATT&CK Technique
Persistence T1543.002
Description

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022)

Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)

* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.
* `ExecReload` directive executes when a service restarts.
* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped.

Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)

The `.service` file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.

Systemd services can be created via systemd generators, which support the dynamic generation of unit files. Systemd generators are small executables that run during boot or configuration reloads to dynamically create or modify systemd unit files by converting non-native configurations into services, symlinks, or drop-ins (i.e., [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037)).(Citation: Elastic Security Labs Linux Persistence 2024)(Citation: Pepe Berba Systemd 2022)
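A defensive audit of the points above, as an added example that is not MITRE's or any cited author's code: it collects every `Exec*` directive and `User=` value from the `.service` files in a unit directory and flags symlinked units that resolve outside it. The temp-path prefixes, the function names and the sample units are constructed assumptions.

```python
import tempfile
from pathlib import Path

RISKY_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed heuristic, not from the page

def parse_unit(text):
    """Return ([(directive, command)], user) from a unit's [Service] section."""
    section, execs, user = None, [], None
    for raw in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            if key.startswith("Exec"):  # ExecStart, ExecStop, ExecReload, ...
                execs.append((key, value))
            elif key == "User":
                user = value
    return execs, user

def audit_dir(unit_dir, extra_trusted=()):
    """Return (unit, finding) pairs for the .service entries in unit_dir."""
    trusted = [Path(d).resolve() for d in (unit_dir, *extra_trusted)]
    findings = []
    for path in sorted(Path(unit_dir).glob("*.service")):
        target = path.resolve()
        if path.is_symlink() and str(target) != "/dev/null":  # /dev/null = masked unit
            if not any(target.is_relative_to(t) for t in trusted):
                findings.append((path.name, f"symlink to {target}, outside unit dirs"))
        execs, user = parse_unit(path.read_text(errors="replace") if path.is_file() else "")
        for key, value in execs:
            argv = value.lstrip("@-:+!").split()  # drop systemd's exec prefixes
            if argv and argv[0].startswith(RISKY_PREFIXES):
                findings.append((path.name, f"{key} runs {argv[0]} as User={user or '(unset)'}"))
    return findings

def build_sample(root):
    """Constructed sample tree: a benign unit, a temp-path unit and a symlinked unit."""
    units = Path(root, "etc/systemd/system")
    units.mkdir(parents=True)
    (units / "backup.service").write_text("[Service]\nExecStart=/usr/bin/rsync -a /srv /mnt\nUser=backup\n")
    (units / "updater.service").write_text("[Service]\nExecStartPre=-/tmp/.cache/prep\nExecStart=/usr/bin/true\n")
    Path(root, "helper.service").write_text("[Service]\nExecStart=/usr/bin/true\n")
    (units / "helper.service").symlink_to(Path(root, "helper.service"))
    return units

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(*audit_dir(build_sample(root)), sep="\n")
```

On a real host, pass each unit directory in turn and list the other unit directories in `extra_trusted`, since enabled units are normally symlinks between them.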

Supported Platforms
Linux
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-01-17T16:15:19.870Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may create or modify systemd services to '
                'repeatedly execute malicious payloads as part of persistence. '
                'Systemd is a system and service manager commonly used for '
                'managing background daemon processes (also known as services) '
                'and other system resources.(Citation: Linux man-pages: '
                'systemd January 2014) Systemd is the default initialization '
                '(init) system on many Linux distributions replacing legacy '
                'init systems, including SysVinit and Upstart, while remaining '
                'backwards compatible.  \n'
                '\n'
                'Systemd utilizes unit configuration files with the `.service` '
                "file extension to encode information about a service's "
                'process. By default, system level unit files are stored in '
                'the `/systemd/system` directory of the root owned directories '
                '(`/`). User level unit files are stored in the '
                '`/systemd/user` directories of the user owned directories '
                '(`$HOME`).(Citation: lambert systemd 2022) \n'
                '\n'
                'Inside the `.service` unit files, the following directives '
                'are used to execute commands:(Citation: freedesktop '
                'systemd.service)  \n'
                '\n'
                '* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives '
                'execute when a service is started manually by `systemctl` or '
                'on system start if the service is set to automatically '
                'start.\n'
                '* `ExecReload` directive executes when a service restarts. \n'
                '* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives '
                'execute when a service is stopped.  \n'
                '\n'
                'Adversaries have created new service files, altered the '
                'commands a `.service` file’s directive executes, and modified '
                'the user directive a `.service` file executes as, which could '
                'result in privilege escalation. Adversaries may also place '
                'symbolic links in these directories, enabling systemd to find '
                'these payloads regardless of where they reside on the '
                'filesystem.(Citation: Anomali Rocke March 2019)(Citation: '
                'airwalk backdoor unix systems)(Citation: Rapid7 Service '
                'Persistence 22JUNE2016) \n'
                '\n'
                'The `.service` file’s User directive can be used to run '
                'service as a specific user, which could result in privilege '
                'escalation based on specific user/group permissions. \n'
                '\n'
                'Systemd services can be created via systemd generators, which '
                'support the dynamic generation of unit files. Systemd '
                'generators are small executables that run during boot or '
                'configuration reloads to dynamically create or modify systemd '
                'unit files by converting non-native configurations into '
                'services, symlinks, or drop-ins (i.e., [Boot or Logon '
                'Initialization '
                'Scripts](https://attack.mitre.org/techniques/T1037)).(Citation: '
                'Elastic Security Labs Linux Persistence 2024)(Citation: Pepe '
                'Berba Systemd 2022)',
 'external_references': [{'external_id': 'T1543.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1543/002'},
                         {'description': 'airwalk. (2023, January 1). A guide '
                                         'to backdooring Unix systems. '
                                         'Retrieved May 31, 2023.',
                          'source_name': 'airwalk backdoor unix systems',
                          'url': 'http://www.ouah.org/backdoors.html'},
                         {'description': 'Anomali Labs. (2019, March 15). '
                                         'Rocke Evolves Its Arsenal With a New '
                                         'Malware Family Written in Golang. '
                                         'Retrieved April 24, 2019.',
                          'source_name': 'Anomali Rocke March 2019',
                          'url': 'https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang'},
                         {'description': 'Free Desktop. (n.d.). '
                                         'systemd.service — Service unit '
                                         'configuration. Retrieved March 20, '
                                         '2023.',
                          'source_name': 'freedesktop systemd.service',
                          'url': 'https://www.freedesktop.org/software/systemd/man/systemd.service.html'},
                         {'description': 'Linux man-pages. (2014, January). '
                                         'systemd(1) - Linux manual page. '
                                         'Retrieved April 23, 2019.',
                          'source_name': 'Linux man-pages: systemd January '
                                         '2014',
                          'url': 'http://man7.org/linux/man-pages/man1/systemd.1.html'},
                         {'description': 'Pepe Berba. (2022, February 7). '
                                         'Hunting for Persistence in Linux '
                                         '(Part 5): Systemd Generators. '
                                         'Retrieved April 8, 2025.',
                          'source_name': 'Pepe Berba Systemd 2022',
                          'url': 'https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/'},
                         {'description': 'Pepe Berba. (2022, January 30). '
                                         'Hunting for Persistence in Linux '
                                         '(Part 3): Systemd, Timers, and Cron. '
                                         'Retrieved March 20, 2023.',
                          'source_name': 'Berba hunting linux systemd',
                          'url': 'https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/'},
                         {'description': 'Rapid7. (2016, June 22). Service '
                                         'Persistence. Retrieved April 23, '
                                         '2019.',
                          'source_name': 'Rapid7 Service Persistence '
                                         '22JUNE2016',
                          'url': 'https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence'},
                         {'description': 'Ruben Groenewoud. (2024, August 20). '
                                         'Linux Detection Engineering -  A '
                                         'primer on persistence mechanisms. '
                                         'Retrieved March 18, 2025.',
                          'source_name': 'Elastic Security Labs Linux '
                                         'Persistence 2024',
                          'url': 'https://www.elastic.co/security-labs/primer-on-persistence-mechanisms'},
                         {'description': 'Tony Lambert. (2022, November 13). '
                                         'ATT&CK T1501: Understanding systemd '
                                         'service persistence. Retrieved March '
                                         '20, 2023.',
                          'source_name': 'lambert systemd 2022',
                          'url': 'https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/'}],
 'id': 'attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:49:29.942Z',
 'name': 'Systemd Service',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Tony Lambert, Red Canary',
                          'Emad Al-Mousa, Saudi Aramco',
                          'Tim (Wadhwa-)Brown',
                          'Ruben Groenewoud (@RFGroenewoud)'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux'],
 'x_mitre_version': '1.6'}
Related Threat Actors (4)
0apt
Low

TeamTNT
High

Rocke
High

Scattered Spider
High