Overview
Systemd services are the standard mechanism for managing long-running processes in most modern Linux distributions. Because services start automatically with the system, adversaries often abuse them to gain persistent access to targeted systems. A stealthy backdoor service may masquerade as a legitimate system component and launch attacker-controlled payloads at boot. This gives attackers a way to re-enter your environment if something does not go according to plan for them (a plan B).
At DataYard, we believe it’s important to understand the methods an attacker might use to gain access to your system, so that we know what to look out for and are better prepared to defend against it. This article discusses common techniques hackers may use to maintain access to compromised systems. These are things you should watch out for!
Tradecraft
Adversaries may:
- Create a new service that executes their payload on startup.
- Name the service innocuously, e.g. systemd-update.service, to blend in with legitimate services.
  - I like to find common running services that appear to be… “Linux nonsense” (for lack of a better term).
  - Try for things that are easy for administrators to gloss over when trying to find what they are actually looking for in their day-to-day work.
  - Tip: name your service something very similar, but with a slight adjustment to a few characters. Most admins will gloss right over your service and assume that it is simply some built-in Linux component.
- Install in common locations, like /etc/systemd/system/, to ensure persistence across reboots.
As you move laterally within your target environment, it is wise to add entropy wherever you can, to improve your chances of regaining access if any of your implants are found and burned.
Examples of this include:
- Give each backdoor a unique name.
- Add randomness in the form of callback jitters, and utilize short haul versus long haul command and control beaconing techniques to keep communications quiet.
- Use unique, malleable C2 profiles — even better if they’re tailored to the victim environment in question!
- Don’t put all of your eggs in one basket!
In the Wild:
Masquerading malware as a systemd service is hardly a new technique, yet it is still employed in the wild on a regular basis.
In recent times, the 2022 Sandworm attack on Ukraine’s critical power infrastructure used systemd services to maintain persistent access.

“When deploying GOGETTER (Tunneling program to Proxy C2 communications), Mandiant observed Sandworm leverage Systemd service units designed to masquerade as legitimate or seemingly legitimate services” (Mandiant 2025).
While this technical example may seem insignificant on the surface, establishing persistent access is a crucial step for hackers to ensure they achieve their actions on objectives. In this case: causing a power outage moments before delivering an airstrike to the affected area.
Intimately understanding the inner workings of each step in the kill chain helps us proactively consider, monitor, test, and defend these areas of interest against malign actors.
Technical Example:
First, create a basic systemd service configuration. We want to set WantedBy equal to multi-user.target.
- This ensures the service starts after the machine powers on, specifically once the system allows user logins.
# File name: /etc/systemd/system/{implant}.service
[Unit]
Description=System Update Service
# Order the unit after basic networking has been brought up.
After=network.target
[Service]
ExecStart=/usr/local/bin/{your_implant_name}.sh
# Restart the process whenever it exits, 30 seconds after each exit.
Restart=always
RestartSec=30
[Install]
# Pulled in by multi-user.target, i.e. started on every boot once the system allows logins.
WantedBy=multi-user.target
Let systemd know about the newly created unit file:
sudo systemctl daemon-reload
Enable the service, so that it starts on every boot:
sudo systemctl enable {implant}.service
Start the service:
sudo systemctl start {implant}.service
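The audit below is an added example for defenders and is not code from the article or from DataYard. It parses the unit files under /etc/systemd/system/ (the drop location named above) and flags the traits this technique leaves behind: an ExecStart outside packaged directories, a unit name that is a near-miss of a legitimate one, and Restart=always. PACKAGED_DIRS, KNOWN_UNITS and the sample unit are constructed assumptions; on a real host, build KNOWN_UNITS from the vendor unit directory.

```python
import configparser
import difflib
from pathlib import Path

# Directories a distribution package installs executables into; hand-dropped payloads usually live elsewhere.
PACKAGED_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/", "/lib/")
# Constructed baseline of legitimate unit names; on a real host, list /usr/lib/systemd/system/ instead.
KNOWN_UNITS = {"systemd-udevd.service", "systemd-journald.service", "systemd-logind.service",
               "ssh.service", "cron.service"}

def parse_unit(text):
    """Parse a systemd unit file into {section: {key: value}}; a repeated key keeps its last value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # unit file keys are case-sensitive (ExecStart, not execstart)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}

def audit_unit(name, text, known_units=KNOWN_UNITS):
    """Return findings for one unit file; an empty list means nothing stood out."""
    service = parse_unit(text).get("Service", {})
    findings = []
    exec_start = service.get("ExecStart", "")
    # Strip systemd's ExecStart prefix characters (-, @, :, +, !) before checking the path.
    binary = exec_start.split()[0].lstrip("-@:+!") if exec_start.strip() else ""
    if binary and not binary.startswith(PACKAGED_DIRS):
        findings.append(f"ExecStart outside packaged paths: {binary}")
    if name not in known_units:
        close = difflib.get_close_matches(name, known_units, n=1, cutoff=0.85)  # near-miss of a real name
        if close:
            findings.append(f"name resembles legitimate unit {close[0]}")
        elif name.startswith("systemd-"):
            findings.append("systemd- prefixed unit that systemd does not ship")
    if findings and service.get("Restart") == "always":
        findings.append("Restart=always keeps the suspicious unit running after it is killed")
    return findings

def audit_dir(path="/etc/systemd/system", known_units=KNOWN_UNITS):
    """Audit every .service file in the admin-writable unit directory the article names."""
    return {p.name: audit_unit(p.name, p.read_text(), known_units)
            for p in Path(path).glob("*.service") if p.is_file()}

# Constructed sample modelled on the article's unit file; the script path is a placeholder, not a real implant.
SAMPLE_UNIT = """[Unit]
Description=System Update Service
[Service]
ExecStart=/usr/local/bin/update-agent.sh
Restart=always
[Install]
WantedBy=multi-user.target
"""
```

Run audit_dir() as root to check every .service file under /etc/systemd/system/; a near-miss name alone is not proof of compromise, so confirm each hit against the package manager (dpkg -S or rpm -qf on the ExecStart path) before acting.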
Disclaimer: This article discusses common techniques hackers may use to maintain access to compromised systems. These are things you should watch out for!
MITRE ATT&CK Techniques:
- T1543.002 – Create or Modify System Process: Systemd Service (see also: man systemd.service)
- T1036 – Masquerading
Other References
- Mandiant. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Google. https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology/