Systemd service modified


Goal

Detect modifications to system services.

Strategy

Especially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.

Triage and response

  1. Check to see what service was modified or created.
  2. Identify whether it is a known service, being modified by a known user and/or process.
  3. If these changes are not acceptable, roll back the host in question to an acceptable configuration.
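One way to support step 1 of the triage above, and the image-baseline idea in the Strategy section, is to hash the unit files of a known-good image and diff a later snapshot against it. The script below is an added example, not part of this page or the Datadog Agent; the unit names, paths and contents it creates under a temporary directory are constructed for the demonstration.

```python
"""Baseline-and-diff check for systemd unit files (added example, constructed data)."""
import hashlib
import os
import tempfile

# Directories systemd searches for unit files on a typical host (for reference only;
# the demo below works on a temporary directory instead).
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system")
UNIT_SUFFIXES = (".service", ".timer", ".socket")


def snapshot(root):
    """Map each unit file under root to a fingerprint: SHA-256 of regular files,
    the link target for symlinks (so enabling a unit via a .wants/ link is visible)."""
    fingerprints = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(UNIT_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                fingerprints[rel] = "symlink:" + os.readlink(path)
            else:
                with open(path, "rb") as fh:
                    fingerprints[rel] = hashlib.sha256(fh.read()).hexdigest()
    return fingerprints


def diff_snapshots(baseline, current):
    """Return created, modified and removed unit files relative to the baseline."""
    created = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"created": created, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: baseline from a golden image, then two changes to detect."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    write("cron.service", "[Service]\nExecStart=/usr/sbin/cron -f\n")
    baseline = snapshot(root)
    # Change 1: an existing unit's ExecStart line is altered after the baseline.
    write("cron.service", "[Service]\nExecStart=/usr/sbin/cron -f -L 15\n")
    # Change 2: a new unit appears and is enabled through a multi-user.target.wants/ symlink.
    write("updater.service", "[Service]\nExecStart=/opt/updater/run.sh\n")
    os.makedirs(os.path.join(root, "multi-user.target.wants"))
    os.symlink("../updater.service", os.path.join(root, "multi-user.target.wants", "updater.service"))
    return diff_snapshots(baseline, snapshot(root))
```

On a real host, take the baseline from the freshly built image and run `snapshot()` over the directories in `UNIT_DIRS`; anything in `created` or `modified` that no known user or deployment process explains is what step 2 asks you to identify.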

Requires Agent version 7.27 or greater