AN1326: Analytic 1326
Execution of service management commands like `systemctl list-units`, `service --status-all`, or direct reading of `/etc/init.d`.
Analyst context for executives and security teams
This analytic is about visibility into Linux service-management discovery: commands such as `systemctl list-units`, `service --status-all`, or reading `/etc/init.d`. For leaders, the value is not that these commands are inherently malicious; administrators and automation use them often. The business relevance is whether the SOC can distinguish normal operational inventory activity from unusual service enumeration during an investigation, especially on Linux systems that support critical applications.
Executive priority
Prioritize this as a Linux visibility and investigation-readiness check rather than a standalone high-severity alert. Ask whether critical Linux servers produce command execution, process, shell, and file-access evidence that can support incident response. This analytic can help validate managed detection coverage, auditability of privileged activity, and operational resilience for environments where Linux services underpin business applications.
Technical view
Validate whether Linux telemetry can capture execution of service-management commands and direct access to service initialization paths. Because ATT&CK provides no official detection logic and no tactic mapping for this analytic, treat it as a behavioral signal that requires local baselining. SOC teams should compare activity by user, host role, parent process, privilege context, and timing against expected administrative workflows, configuration management jobs, monitoring agents, and maintenance windows.
Likely telemetry
- Linux process execution telemetry showing command line, executable path, parent process, user, host, and timestamp
- Shell history or terminal/session logging where available and appropriate
- File access telemetry for reads or listings involving `/etc/init.d`
- Authentication and privilege context, including sudo or elevated session evidence
- Asset context identifying Linux host role, criticality, and normal administration patterns
Detection direction
- Do not alert solely on `systemctl list-units`, `service --status-all`, or `/etc/init.d` access without context; these are common administrative behaviors.
- Baseline expected service-management activity from administrators, automation, monitoring, and configuration management tooling.
- Increase scrutiny when service enumeration appears from unusual users, unusual parent processes, unexpected remote sessions, non-administrative accounts, or on high-value Linux servers outside maintenance windows.
- Correlate with nearby authentication, privilege escalation, command execution, and file access events to determine whether the behavior is part of legitimate administration or suspicious discovery.
- Document blind spots where endpoint telemetry does not capture command line, parent process, shell activity, or file access to `/etc/init.d`.
Mitigation priorities
- Ensure critical Linux systems have sufficient process execution and file access logging to support investigation.
- Define approved administrative and automation sources for service-management activity.
- Restrict privileged access to Linux service administration to authorized roles and accounts.
- Use asset criticality and user context to tune detections so routine operations do not overwhelm analysts.
- Maintain incident response playbooks that include review of Linux service enumeration in the broader timeline of account activity and host behavior.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux service-management command execution and reading `/etc/init.d`. No tactic, relationship context, or official detection logic was supplied, so this take focuses on practical validation, telemetry requirements, and tuning considerations rather than asserting specific adversary intent.
Assessment is limited to the official STIX fields and the single external reference provided. There are no supplied relationships, mapped techniques, tactics, detections, mitigations, adversary associations, or evidence of active exploitation. Local environment baselines are required to determine severity and alerting value.
Analytic 1326
Execution of service management commands like `systemctl list-units`, `service --status-all`, or direct reading of `/etc/init.d`.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 698bfd0b1d5d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN1326Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.