MITRE ATT&CK / T1501
T1501
Systemd Service
Description
Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands.* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. * ExecReload directive covers when a service restarts. * ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause s…
Platforms
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- xlabs_v1 Mirai Botnet Exploits ADB to Build IoT DDoS-for-Hire Network
- PCPJack Cloud Worm Evicts TeamPCP and Steals 40+ Credential Types at Scale
- Bleeding Llama: CVE-2026-5757 Exposes 300,000 Ollama AI Servers, No Patch Available
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →