Create or Modify System Process: Служба systemd
Other sub-techniques of Create or Modify System Process (5)
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service) * `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start. * `ExecReload` directive executes when a service restarts. * `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.
Примеры процедур |
|
| Название | Описание |
|---|---|
| TeamTNT |
TeamTNT has established persistence through the creation of a cryptocurrency mining system service using |
|
During the 2022 Ukraine Electric Power Attack, Sandworm Team configured Systemd to maintain persistence of GOGETTER, specifying the `WantedBy=multi-user.target` configuration to run GOGETTER when the system begins accepting user logins.(Citation: Mandiant-Sandworm-Ukraine-2022) |
|
| Pupy |
Pupy can be used to establish persistence using a systemd service.(Citation: GitHub Pupy) |
| Fysbis |
Fysbis has established persistence using a systemd service.(Citation: Fysbis Dr Web Analysis) |
| RotaJakiro |
Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a `.service` file under the `/lib/systemd/system/` folder.(Citation: RotaJakiro 2021 netlab360 analysis) |
| SysUpdate |
SysUpdate can copy a script to the user owned `/usr/lib/systemd/system/` directory with a symlink mapped to a `root` owned directory, `/etc/ystem/system`, in the unit configuration file's `ExecStart` directive to establish persistence and elevate privileges.(Citation: Lunghi Iron Tiger Linux) |
| Exaramel for Linux |
Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021) |
| Rocke |
Rocke has installed a systemd service script to maintain persistence.(Citation: Anomali Rocke March 2019) |
| Hildegard |
Hildegard has started a monero service.(Citation: Unit 42 Hildegard Malware) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
| Restrict File and Directory Permissions |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
| Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
| Limit Software Installation |
Block users or groups from installing unapproved software. |
Обнаружение
Monitor file creation and modification events of Systemd service unit configuration files in the default directory locations for `root` & `user` level permissions. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the `root` user.(Citation: lambert systemd 2022) Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: `systemctl list-units -–type=service –all`. Analyze the contents of `.service` files present on the file system and ensure that they refer to legitimate, expected executables, and symbolic links.(Citation: Berba hunting linux systemd) Auditing the execution and command-line arguments of the `systemctl` utility, as well related utilities such as `/usr/sbin/service` may reveal malicious systemd service execution.
Ссылки
- Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023.
- Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.
- Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.
- Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.
- Free Desktop. (n.d.). systemd.service — Service unit configuration. Retrieved March 20, 2023.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.
- Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
- Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
- Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
- ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
Связанные риски
| Риск | Связи | |
|---|---|---|
|
Закрепление злоумышленника в ОС
из-за
создания или изменение системного процесса: служба Systemd
в ОС Linux
Повышение привилегий
НСД
|
1
|
|
|
Повышение привилегий в ОС
из-за
создания или изменение системного процесса: служба Systemd
в ОС Linux
Повышение привилегий
Целостность
|
1
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.