Esc

Systemd Service - T1543.002

(ATT&CK® Technique)

Definition

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1543002["Systemd Service"] --> |may-create| OperatingSystemConfigurationFile["Operating System Configuration File"]; class T1543002 OffensiveTechniqueNode;
        class OperatingSystemConfigurationFile ArtifactNode; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";
        click T1543002 href "/offensive-technique/attack/T1543.002/"; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile"; T1543002["Systemd Service"] --> |may-modify| OperatingSystemConfigurationFile["Operating System Configuration File"]; class T1543002 OffensiveTechniqueNode;
        class OperatingSystemConfigurationFile ArtifactNode; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";
        click T1543002 href "/offensive-technique/attack/T1543.002/"; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";                          DecoyFile["Decoy File"] -->
          | spoofs | OperatingSystemConfigurationFile["Operating System Configuration File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1543002["Systemd Service"] ;
          class DecoyFile DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                            FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1543002["Systemd Service"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                            FileEviction["File Eviction"] -->
          | deletes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1543002["Systemd Service"] ;
          class FileEviction DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                            LocalFilePermissions["Local File Permissions"] -->
          | restricts | OperatingSystemConfigurationFile["Operating System Configuration File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1543002["Systemd Service"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                            FileEncryption["File Encryption"] -->
          | encrypts | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1543002["Systemd Service"] ;
          class FileEncryption DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";                            SystemFileAnalysis["System File Analysis"] -->
          | analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          SystemFileAnalysis["System File Analysis"] -.->
            | may-detect | T1543002["Systemd Service"] ;
          class SystemFileAnalysis DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis";                            RestoreFile["Restore File"] -->
          | restores | OperatingSystemConfigurationFile["Operating System Configuration File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1543002["Systemd Service"] ;
          class RestoreFile DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";                            RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | OperatingSystemConfigurationFile["Operating System Configuration File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1543002["Systemd Service"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";                            FileAnalysis["File Analysis"] -->
          | analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1543002["Systemd Service"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";

json