MITRE ATT&CK® Analytic

AN0200: Analytic 0200

Abuse of systemctl to execute commands or manage systemd services. Defender perspective: correlate suspicious service creation or modification with execution of systemctl subcommands such as start, enable, or status. Detect cases where systemctl is used to load services from unusual locations (e.g., /tmp, /dev/shm) or where new service units are created outside of expected administrative workflows.

Domain: Enterprise. Object: AN0200 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because misuse of systemctl can turn normal Linux service management into a way to run commands or persist through systemd services. For leaders, the decision point is whether Linux administrative activity is visible enough to distinguish expected service operations from suspicious service creation, modification, or loading from unusual paths such as /tmp or /dev/shm.

Executive priority

Prioritize this where Linux systems support critical applications, identity infrastructure, cloud workloads, or regulated environments. The business risk is not the systemctl tool itself, but lack of evidence around who changed services, where unit files came from, and whether those changes matched approved administrative workflows. This is a practical control-validation item for SOC readiness, incident response scoping, and audit evidence around privileged administration on Linux.

Technical view

Validate monitoring for Linux systemd activity involving systemctl subcommands such as start, enable, and status, especially when correlated with new or modified service unit files. Review whether detections can identify service units created outside expected administrative workflows and whether service definitions or loaded units reference unusual locations such as /tmp or /dev/shm. Because ATT&CK provides no tactic mapping and no detailed detection logic for this analytic, local baselining of legitimate administrator and automation behavior is required.

Likely telemetry

  • Linux process execution telemetry showing systemctl invocation and command-line arguments
  • Service creation or modification records for systemd unit files
  • File creation and modification telemetry for systemd service paths and unusual locations such as /tmp and /dev/shm
  • Privilege or user context associated with service management activity
  • Change-management, administrator, or automation records to compare against expected workflows

Detection direction

  • Correlate systemctl execution with recent creation or modification of systemd service unit files.
  • Prioritize events where systemctl loads, starts, enables, or checks services tied to unusual locations such as /tmp or /dev/shm.
  • Tune against known package managers, configuration management tools, deployment automation, and approved administrator workflows to reduce false positives.
  • Validate that telemetry captures command-line arguments and file paths; without both, this analytic may only show generic systemctl use.
  • Use this analytic as behavior-based context rather than a standalone verdict, since the supplied ATT&CK object does not provide full detection logic or relationship context.
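The correlation described in the bullets above, as an added worked example that is not MITRE's or Glexia's code: it walks constructed process-execution and file-write telemetry, picks out systemctl invocations by subcommand, suppresses runs spawned by approved provisioning tools, and raises a finding only when a unit file was written shortly before on the same host or when a systemctl argument itself names a volatile location. The event schema, the 300-second window, the directory lists and the allowlist of parent processes are all assumptions chosen for this illustration.

```python
"""Correlate systemctl invocations with recent systemd unit-file changes.

Added illustration, not MITRE or Glexia code. The Event schema, window size,
directory lists and approved-parent allowlist are assumptions for this example.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Where unit files are normally installed (assumption; adjust per distribution).
EXPECTED_UNIT_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/",
                      "/lib/systemd/system/", "/run/systemd/system/")
# Volatile, world-writable locations the analytic calls out as unusual.
UNUSUAL_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Subcommands that trigger correlation (the analytic names start/enable/status;
# the extra entries are an assumption for broader coverage).
WATCHED_SUBCOMMANDS = {"start", "enable", "status", "restart", "daemon-reload", "link"}
# Parent processes treated as approved automation (tuning knob, assumption).
APPROVED_PARENTS = {"dpkg", "rpm", "apt-get", "yum", "dnf",
                    "ansible-playbook", "puppet", "chef-client"}
WINDOW_SECONDS = 300


@dataclass
class Event:
    ts: int            # epoch seconds
    kind: str          # "exec" or "file_write"
    host: str
    user: str
    path: str = ""     # file_write: path written; exec: executable path
    cmdline: str = ""  # exec only
    parent: str = ""   # exec only: parent process name


@dataclass
class Finding:
    ts: int
    host: str
    user: str
    cmdline: str
    reasons: List[str] = field(default_factory=list)


def _is_unit_file(path: str) -> bool:
    return path.endswith((".service", ".timer", ".socket", ".path"))


def _systemctl_subcommand(cmdline: str) -> Optional[str]:
    """Return the first non-option token after 'systemctl', or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "systemctl":
        return None
    for tok in argv[1:]:
        if not tok.startswith("-"):
            return tok
    return None


def correlate(events: List[Event]) -> List[Finding]:
    """Flag systemctl runs that follow a unit-file write on the same host."""
    recent_writes: Dict[str, List[Event]] = {}   # host -> unit-file writes seen
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_write" and _is_unit_file(ev.path):
            recent_writes.setdefault(ev.host, []).append(ev)
            continue
        if ev.kind != "exec":
            continue
        sub = _systemctl_subcommand(ev.cmdline)
        if sub not in WATCHED_SUBCOMMANDS or ev.parent in APPROVED_PARENTS:
            continue  # generic use, or expected package/config management
        reasons: List[str] = []
        # 'systemctl enable' and 'link' accept a unit *path*; check its location.
        for tok in shlex.split(ev.cmdline)[1:]:
            if tok.startswith(UNUSUAL_PREFIXES):
                reasons.append(f"systemctl argument references unusual path {tok}")
        # Pair with unit-file writes inside the window on the same host.
        for w in recent_writes.get(ev.host, []):
            if ev.ts - w.ts > WINDOW_SECONDS:
                continue
            if w.path.startswith(UNUSUAL_PREFIXES):
                reasons.append(f"unit file written in unusual location {w.path}")
            elif not w.path.startswith(EXPECTED_UNIT_DIRS):
                reasons.append(f"unit file written outside expected dirs {w.path}")
            else:
                reasons.append(f"{w.path} modified {ev.ts - w.ts}s before systemctl {sub}")
        if reasons:
            findings.append(Finding(ev.ts, ev.host, ev.user, ev.cmdline, reasons))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event(1000, "file_write", "web01", "root", path="/etc/systemd/system/nginx.service"),
    Event(1010, "exec", "web01", "root", path="/usr/bin/systemctl",
          cmdline="systemctl restart nginx.service", parent="dpkg"),
    Event(2000, "file_write", "web02", "deploy", path="/dev/shm/.cache.service"),
    Event(2030, "exec", "web02", "deploy", path="/usr/bin/systemctl",
          cmdline="systemctl enable --now /dev/shm/.cache.service", parent="bash"),
    Event(3000, "exec", "web03", "ops", path="/usr/bin/systemctl",
          cmdline="systemctl status sshd", parent="bash"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f.host, f.user, f.cmdline)
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample only the web02 event is flagged: the dpkg-driven restart is suppressed by the allowlist, and the bare `systemctl status sshd` with no preceding unit-file write stays unflagged, which is the "generic systemctl use" the fourth bullet warns about when either command-line arguments or file paths are missing from telemetry.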

Mitigation priorities

  • Establish approved workflows for Linux service creation and modification, including change records for privileged administrative activity.
  • Restrict service management privileges to authorized administrators and automation accounts.
  • Monitor and review systemd unit files created or modified outside expected service directories or operational processes.
  • Harden temporary and shared-memory locations where feasible and investigate service definitions that reference those paths.
  • Ensure incident response playbooks include collection of systemctl history, unit file contents, file timestamps, and responsible user or automation context.
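The third, fourth and fifth mitigation bullets call for reviewing unit files found outside expected directories, inspecting service definitions that reference temporary or shared-memory paths, and collecting unit-file contents for incident response. The following is an added example of such an audit, not MITRE's or Glexia's code: it parses a unit definition in systemd's section/key=value format, checks the Exec*, WorkingDirectory and EnvironmentFile directives for volatile locations, and returns the file hash alongside the findings so the result can be filed as evidence. The directory lists, the set of directives inspected and the sample unit texts are assumptions for this illustration.

```python
"""Audit a systemd unit definition for references to volatile locations.

Added illustration, not MITRE or Glexia code. Directory lists, inspected
directives and the sample units are assumptions for this example.
"""
import hashlib
from typing import Dict, List, Tuple

EXPECTED_UNIT_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/",
                      "/lib/systemd/system/", "/run/systemd/system/")
UNUSUAL_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Directives whose values name a program, directory or file the service uses.
PATH_DIRECTIVES = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecStop",
                   "ExecStopPost", "ExecReload", "WorkingDirectory", "EnvironmentFile")


def parse_unit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]}; repeated keys are kept in order."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def _exec_path(value: str) -> str:
    """Strip systemd Exec* prefix characters (-, @, :, +, !) and return argv[0]."""
    parts = value.split()
    return parts[0].lstrip("-@:+!") if parts else ""


def audit_unit(path: str, text: str) -> Dict[str, object]:
    """Return the unit's hash plus findings about its location and directives."""
    findings: List[str] = []
    if not path.startswith(EXPECTED_UNIT_DIRS):
        findings.append(f"unit file located outside expected directories: {path}")
    for key, value in parse_unit(text).get("Service", []):
        if key not in PATH_DIRECTIVES:
            continue
        # WorkingDirectory/EnvironmentFile also allow a leading '-' (ignore errors).
        target = _exec_path(value) if key.startswith("Exec") else value.lstrip("-")
        if target.startswith(UNUSUAL_PREFIXES):
            findings.append(f"{key} references unusual location: {target}")
    # Evidence fields an IR playbook would want alongside the findings.
    return {
        "path": path,
        "sha256": hashlib.sha256(text.encode()).hexdigest(),
        "findings": findings,
    }


# Constructed sample units (not real artifacts).
BENIGN_UNIT = """[Unit]
Description=Web server

[Service]
ExecStart=/usr/sbin/nginx -g 'daemon off;'
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
"""

SUSPICIOUS_UNIT = """[Unit]
Description=Cache helper

[Service]
Type=simple
ExecStartPre=-/dev/shm/.cache/setup.sh
ExecStart=/dev/shm/.cache/run
WorkingDirectory=/dev/shm/.cache
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for p, t in (("/etc/systemd/system/nginx.service", BENIGN_UNIT),
                 ("/tmp/.cache.service", SUSPICIOUS_UNIT)):
        report = audit_unit(p, t)
        print(report["path"], report["sha256"][:12], *report["findings"], sep="\n  ")
```

Run against the constructed units, the nginx definition yields no findings, while the second yields four: its location under /tmp plus the ExecStartPre, ExecStart and WorkingDirectory directives pointing into /dev/shm. Recording the SHA-256 with the findings gives the playbook in the last bullet a stable reference to the exact unit contents that were reviewed.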

Analyst notes and limits

This is an ATT&CK detection analytic for Linux focused on abuse of systemctl and systemd service management. The most useful defensive value comes from correlating process execution with service-unit file changes and approved administrative context. It is especially relevant for managed detection, IR triage, Linux administration assurance, and compliance evidence around privileged change control.

The supplied object has no official detection text beyond the description, no ATT&CK tactic mapping, and no relationship context. It does not support claims about active exploitation, adversary attribution, impact, or coverage for non-Linux platforms. Local environment baselines are required to separate legitimate service management from suspicious activity.

Official MITRE ATT&CK definition

Analytic 0200

Abuse of systemctl to execute commands or manage systemd services. Defender perspective: correlate suspicious service creation or modification with execution of systemctl subcommands such as start, enable, or status. Detect cases where systemctl is used to load services from unusual locations (e.g., /tmp, /dev/shm) or where new service units are created outside of expected administrative workflows.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 47d98182dabd5feb...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   47d98182dabd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0200

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.