Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Служба systemd
Каталоги
MITRE ATT@CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Служба systemd
Куда я попал?
SECURITM это система для корпоративных служб информационной безопасности, которая автоматизирует ключевые процессы управления: контроль соответствия требованиям, управление рисками, учет активов, планирование работ, задачи, технические уязвимости, опросы и т.д.
SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом в рамках сообщества служб безопасности.
Подробнее
Наш канал

Create or Modify System Process:  Служба systemd

ID Название
.001 Агент запуска
.002 Служба systemd
.003 Служба Windows
.004 Демон запуска

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems. Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands: * ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. * ExecReload directive covers when a service restarts. * ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'. Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019) While adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)

ID: T1543.002
Относится к технике:  T1543
Тактика(-и): Persistence, Privilege Escalation
Платформы: Linux
Требуемые разрешения: root, User
Источники данных: Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Версия: 1.2
Дата создания: 17 Jan 2020
Последнее изменение: 09 Oct 2020

Примеры процедур
Название Описание
TeamTNT

TeamTNT has established persistence through the creation of a cryptocurrency mining system service using systemctl.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)
Pupy

Pupy can be used to establish persistence using a systemd service.(Citation: GitHub Pupy)
Fysbis

Fysbis has established persistence using a systemd service.(Citation: Fysbis Dr Web Analysis)
Exaramel for Linux

Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021)
Rocke

Rocke has installed a systemd service script to maintain persistence.(Citation: Anomali Rocke March 2019)

Hildegard

Hildegard has started a monero service.(Citation: Unit 42 Hildegard Malware)

Контрмеры
Контрмера Описание
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.
Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Limit Software Installation

Block users or groups from installing unapproved software.

Обнаружение

Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables. Auditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.

Ссылки

  1. Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.
  2. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  3. Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019.
  4. Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.
  5. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  6. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  7. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  8. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  9. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  10. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  11. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
Навигация

Связанные риски

КЦД
STRIDE
Иное
Риск Угроза Уязвимость Тип актива Связи
Закрепление злоумышленника в ОС из-за создания или изменение системного процесса: служба Systemd в ОС Linux
Повышение привилегий НСД
Закрепление злоумышленника в ОС
Повышение привилегий НСД
Создание или изменение системного процесса: служба Systemd
ОС Linux
1
Повышение привилегий в ОС из-за создания или изменение системного процесса: служба Systemd в ОС Linux
Повышение привилегий Целостность
Повышение привилегий в ОС
Повышение привилегий Целостность
Создание или изменение системного процесса: служба Systemd
ОС Linux
1