
T1569.003 Systemctl

Sub-technique of T1569

Platforms: Linux

ATT&CK version: v19.1

What it is

Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, systemctl can also be integrated into scripts or applications. Adversaries may use systemctl to execute commands or programs as [Systemd Services](https://attack.mitre.org/techniques/T1543/002). Common subcommands include `systemctl start`, `systemctl stop`, `systemctl enable`, `systemctl disable`, and `systemctl status`. (Citation: Red Hat Systemctl 2022)

ATT&CK tactics · 1

Execution

References

  1. https://attack.mitre.org/techniques/T1569/003
  2. https://www.redhat.com/en/blog/linux-systemctl-manage-services
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.