T1569.003: Systemctl
Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.
Adversaries may use systemctl to execute commands or programs as Systemd Services. Common subcommands include: `systemctl start`, `systemctl stop`, `systemctl enable`, `systemctl disable`, and `systemctl status`.[1]
Analyst context for executives and security teams
Systemctl matters because it is a normal Linux administration interface that can also be abused to run programs through system services. For leaders, the risk is not the tool itself but whether the organization can distinguish approved service administration from suspicious execution on Linux systems, especially where uptime, cloud workloads, or container-supporting hosts depend on systemd-managed services.
Executive priority
Prioritize this as a Linux execution visibility and privilege-governance issue. Security leaders should ask whether SOC and IR teams can see systemctl use, service starts/stops/enables/disables, and related account context on critical Linux assets. Because the supplied ATT&CK relationship maps mitigation to User Account Management, executive focus should include least privilege, account lifecycle controls, and evidence that service-management privileges are limited and auditable.
Technical view
This is an execution sub-technique under System Services for Linux. Defenders should validate coverage for systemctl invocations and systemd service activity, including common administrative subcommands such as start, stop, enable, disable, and status. ATT&CK provides no official detection text for this object, but a related detection strategy, DET0073, is linked. Detection engineering should therefore be based on local baselines: which users, scripts, automation tools, and maintenance windows normally manage services, and which service changes or executions are unusual for the host role.
Likely telemetry
- Linux process execution telemetry showing systemctl command lines and parent processes
- Authentication, sudo, and privilege-escalation logs tied to the user or service account invoking systemctl
- systemd/journald or syslog records for service start, stop, enable, disable, and status activity
- Service unit metadata and file-change evidence where systemctl execution is associated with Systemd Service behavior
- Host inventory and role context to distinguish expected administration from unusual service activity
Detection direction
- Validate that Linux endpoints and servers collect command-line process telemetry for systemctl, not just generic process names.
- Tune detections against approved administration patterns, automation accounts, configuration management activity, and maintenance windows to reduce false positives.
- Correlate systemctl activity with user identity, privilege level, parent process, host role, and service name rather than alerting on every use of the tool.
- Review DET0073, the related detection strategy, as the ATT&CK-linked detection context, but confirm the strategy is implemented against local telemetry.
- Watch for blind spots on minimal Linux builds, cloud workloads, container hosts, or servers where journald/syslog retention is short or command-line logging is incomplete.
Mitigation priorities
- Apply User Account Management controls by limiting who can manage system services and enforcing least privilege for service-management permissions.
- Review and remove stale, shared, or over-privileged Linux accounts that can invoke privileged service actions.
- Require auditable administrative paths for service changes, including approved automation and change-control evidence where appropriate.
- Harden monitoring and retention for Linux service-management logs on business-critical systems before relying on detections.
- Use incident response playbooks that treat suspicious systemctl activity as execution context requiring validation of the invoking account, service, command, and host role.
Analyst notes and limits
The ATT&CK object is new in version 19.1 and has no official detection text. The relationship to TeamTNT indicates ATT&CK-documented use by that group, whose description references cloud and containerized environments, but this does not by itself establish current activity or exposure in any specific environment. The relationship to System Services and Systemd Service context is important for interpreting systemctl as service-based execution rather than merely a command-line utility.
This take is limited to the supplied ATT&CK fields, external reference, and relationships. It does not assert active exploitation, vendor coverage, or guaranteed detection. Local Linux architecture, logging configuration, privilege model, and administrative baselines are required to determine actual risk and monitoring quality.
Systemctl
Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.
Adversaries may use systemctl to execute commands or programs as Systemd Services. Common subcommands include: `systemctl start`, `systemctl stop`, `systemctl enable`, `systemctl disable`, and `systemctl status`.[1]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1569 | System Services | This object subtechnique of System Services. |
Groups, software, and campaigns
G0139: TeamTNT
TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | adb2dc1bcd6f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Red Hat Systemctl 2022
Damon Garn. (2022, May 17). How to use systemctl to manage Linux services. Retrieved March 18, 2025.
Open source URL -
[2]
mitre-attack T1569.003Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.