T1543.002
Create or Modify System Process: Systemd Service
Description from ATT&CK
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands:
- ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
- ExecReload directive covers when a service restarts.
- ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)
While adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/
Atomic Tests
Atomic Test #1 - Create Systemd Service
This test creates a Systemd service unit file and enables it as a service.
Supported Platforms: linux
auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system |
| systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service |
| execstoppost_action | ExecStopPost action for Systemd service | String | /bin/touch /tmp/art-systemd-execstoppost-marker |
| execreload_action | ExecReload action for Systemd service | String | /bin/touch /tmp/art-systemd-execreload-marker |
| execstart_action | ExecStart action for Systemd service | String | /bin/touch /tmp/art-systemd-execstart-marker |
| execstop_action | ExecStop action for Systemd service | String | /bin/touch /tmp/art-systemd-execstop-marker |
| execstartpre_action | ExecStartPre action for Systemd service | String | /bin/touch /tmp/art-systemd-execstartpre-marker |
| execstartpost_action | ExecStartPost action for Systemd service | String | /bin/touch /tmp/art-systemd-execstartpost-marker |
Attack Commands: Run with bash!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
echo "Type=simple"
echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
systemctl enable #{systemd_service_file}
systemctl start #{systemd_service_file}
Cleanup Commands:
1
2
3
4
5
systemctl stop #{systemd_service_file}
systemctl disable #{systemd_service_file}
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload