Try it using Invoke-Atomic

Create or Modify System Process: Systemd Service

Description from ATT&CK

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Systemd utilizes unit configuration files with the 

1

.service
file extension to encode information about a service's process. By default, system level unit files are stored in the 
1

/systemd/system
directory of the root owned directories (
1

/
). User level unit files are stored in the 
1

/systemd/user
directories of the user owned directories (
1

$HOME
). (Citation: lambert systemd 2022)

Service unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service)

  • 1

    ExecStart
    , 
    1

    ExecStartPre
    , and 
    1

    ExecStartPost
    directives cover execution of commands when a service is started manually by 
    1

    systemctl
    , or on system start if the service is set to automatically start.
  • 1

    ExecReload
    directive covers when a service restarts.
  • 1

    ExecStop
    , 
    1

    ExecStopPre
    , and 
    1

    ExecStopPost
    directives cover when a service is stopped.

Adversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.

The 

1

.service
file’s 
1

User
directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016)

Atomic Tests

Atomic Test #1 - Create Systemd Service

This test creates a Systemd service unit file and enables it as a service.

Supported Platforms: linux

auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c

Inputs:

Name Description Type Default Value
systemd_service_path Path to systemd service unit file path /etc/systemd/system
systemd_service_file File name of systemd service unit file string art-systemd-service.service
execstoppost_action ExecStopPost action for Systemd service string /bin/touch /tmp/art-systemd-execstoppost-marker
execreload_action ExecReload action for Systemd service string /bin/touch /tmp/art-systemd-execreload-marker
execstart_action ExecStart action for Systemd service string /bin/touch /tmp/art-systemd-execstart-marker
execstop_action ExecStop action for Systemd service string /bin/touch /tmp/art-systemd-execstop-marker
execstartpre_action ExecStartPre action for Systemd service string /bin/touch /tmp/art-systemd-execstartpre-marker
execstartpost_action ExecStartPost action for Systemd service string /bin/touch /tmp/art-systemd-execstartpost-marker

Attack Commands: Run with bash!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
echo "Type=simple"
echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
systemctl enable #{systemd_service_file}
systemctl start #{systemd_service_file}

Cleanup Commands:

1
2
3
4
5

systemctl stop #{systemd_service_file}
systemctl disable #{systemd_service_file}
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload

Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service.

This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.

Supported Platforms: linux

auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89

Inputs:

None

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

cat > /etc/init.d/T1543.002 << EOF
#!/bin/bash
### BEGIN INIT INFO
# Provides : Atomic Test T1543.002
# Required-Start: $all
# Required-Stop : 
# Default-Start: 2 3 4 5
# Default-Stop: 
# Short Description: Atomic Test for Systemd Service Creation
### END INIT INFO
python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
EOF

chmod +x /etc/init.d/T1543.002
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ;
systemctl enable T1543.002
systemctl start T1543.002

echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
systemctl daemon-reload
systemctl restart T1543.002

Cleanup Commands:

1
2
3
4
5

systemctl stop T1543.002
systemctl disable T1543.002
rm -rf /etc/init.d/T1543.002
systemctl daemon-reload

Dependencies: Run with bash!

Description: System must be Ubuntu ,Kali OR CentOS.

Check Prereq Commands:

1
2

if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi;

Get Prereq Commands:

1
2

echo Please run from Ubuntu ,Kali OR CentOS.

source