Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Systemd utilizes unit configuration files with the .service file extension to encode information about a service's process. By default, system level unit files are stored in the /systemd/system directory of the root owned directories (/). User level unit files are stored in the /systemd/user directories of the user owned directories ($HOME).(Citation: lambert systemd 2022)
Inside the .service unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)
ExecStart, ExecStartPre, and ExecStartPost directives execute when a service is started manually by systemctl or on system start if the service is set to automatically start.ExecReload directive executes when a service restarts.ExecStop, ExecStopPre, and ExecStopPost directives execute when a service is stopped.Adversaries have created new service files, altered the commands a .service file’s directive executes, and modified the user directive a .service file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)
The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.
Systemd services can be created via systemd generators, which support the dynamic generation of unit files. Systemd generators are small executables that run during boot or configuration reloads to dynamically create or modify systemd unit files by converting non-native configurations into services, symlinks, or drop-ins (i.e., Boot or Logon Initialization Scripts).(Citation: Elastic Security Labs Linux Persistence 2024)(Citation: Pepe Berba Systemd 2022)
Detection of Systemd Service Creation or Modification on Linux
User Account Management: User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:
Enforcing the Principle of Least Privilege
Implementing Strong Password Policies
Managing Dormant and Orphaned Accounts
Account Lockout Policies
Multi-Factor Authentication (MFA) for High-Risk Accounts
Restricting Interactive Logins
Tools for Implementation
Built-in Tools:
Identity and Access Management (IAM) Tools:
Privileged Account Management (PAM):
Restrict File and Directory Permissions: Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.
Enforce Least Privilege Permissions:
Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs.
Harden File Shares:
Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access.
On Linux, apply:
chmod 750 /etc/sensitive.conf
chown root:admin /etc/sensitive.conf
File Integrity Monitoring (FIM):
Audit File System Access:
Restrict Startup Directories:
C:\ProgramData\Microsoft\Windows\Start Menu.Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.
icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)Flsattr or auditd.Privileged Account Management: Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:
Account Permissions and Roles:
Credential Security:
Multi-Factor Authentication (MFA):
Privileged Access Management (PAM):
Auditing and Monitoring:
Just-In-Time Access:
Tools for Implementation
Privileged Access Management (PAM):
Credential Management:
Multi-Factor Authentication:
Linux Privilege Management:
Just-In-Time Access:
Limit Software Installation: Prevent users or groups from installing unauthorized or unapproved software to reduce the risk of introducing malicious or vulnerable applications. This can be achieved through allowlists, software restriction policies, endpoint management tools, and least privilege access principles. This mitigation can be implemented through the following measures:
Application Whitelisting
Restrict User Permissions
Software Restriction Policies (SRP)
%AppData%, %Temp%, and external drives..exe, .bat, .msi, .js, .vbs) to trusted directories only.Endpoint Management Solutions
Monitor Software Installation Events
Implement Software Inventory Management
Tools for Implementation
Application Whitelisting:
Endpoint Management:
Software Restriction Policies:
Monitoring and Logging:
Inventory Management and Auditing: