Systemd service modified

Goal

Detect modifications to system services.

Strategy

Especially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.

Triage and response

  1. Check to see what service was modified or created.
  2. Identify whether it is a known service, being modified by a known user and/or process.
  3. If these changes are not acceptable, roll back the host in question to an acceptable configuration.
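The triage steps above start from knowing which unit file changed and how. The following is an added example (not Datadog's rule logic or Agent code) of a baseline comparison a responder can run against a golden-image snapshot: it hashes the unit files under the system unit directories, reports units that were created, modified or deleted, and shows which `Exec*` directives in the `[Service]` section differ, since those are the lines that decide what code runs at boot. The unit directories, suffixes, and the `BASELINE`/`CURRENT` contents are constructed assumptions for the example; on a real host the maps would be populated by reading the files from the image and from the host being triaged.

```python
"""Baseline-vs-current comparison of systemd unit files (added example).

Assumptions (not from the original page): the set of unit directories and
suffixes below, and the constructed BASELINE/CURRENT samples at the bottom.
"""
import hashlib
from pathlib import PurePosixPath

# System-level directories systemd loads units from. Per-user units under
# ~/.config/systemd/user are deliberately out of scope for this example.
UNIT_DIRS = (
    "/etc/systemd/system",
    "/run/systemd/system",
    "/usr/lib/systemd/system",
    "/lib/systemd/system",
)
UNIT_SUFFIXES = (".service", ".timer", ".socket", ".path", ".target", ".mount")
# Directives in [Service] that control which program runs; a change here is
# what a responder most needs to see when judging a modification.
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecStop", "ExecReload")


def is_unit_file(path: str) -> bool:
    """True for a unit file, or a drop-in .conf inside a *.d directory, in a unit dir."""
    p = PurePosixPath(path)
    in_unit_dir = any(str(p).startswith(d + "/") for d in UNIT_DIRS)
    is_unit = p.suffix in UNIT_SUFFIXES
    is_dropin = p.suffix == ".conf" and p.parent.suffix == ".d"
    return in_unit_dir and (is_unit or is_dropin)


def snapshot(files: dict) -> dict:
    """Map each unit file path to the SHA-256 of its content; ignore non-unit files."""
    return {
        path: hashlib.sha256(content.encode()).hexdigest()
        for path, content in files.items()
        if is_unit_file(path)
    }


def exec_directives(content: str) -> dict:
    """Collect Exec* directives from the [Service] section (simple INI-style scan)."""
    section, found = None, {}
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in EXEC_KEYS:
            found.setdefault(key, []).append(value)
    return found


def diff_units(baseline: dict, current: dict) -> list:
    """Compare two {path: content} maps and return findings sorted by path.

    Each finding is {"event": created|modified|deleted, "path": ..., "exec_changes": {...}}
    where exec_changes maps a directive to its (before, after) values.
    """
    base_hash, cur_hash = snapshot(baseline), snapshot(current)
    findings = []
    for path in sorted(set(base_hash) | set(cur_hash)):
        if path not in base_hash:
            event = "created"
        elif path not in cur_hash:
            event = "deleted"
        elif base_hash[path] != cur_hash[path]:
            event = "modified"
        else:
            continue  # unchanged unit, nothing to triage
        before = exec_directives(baseline.get(path, ""))
        after = exec_directives(current.get(path, ""))
        exec_changes = {
            key: (before.get(key), after.get(key))
            for key in set(before) | set(after)
            if before.get(key) != after.get(key)
        }
        findings.append({"event": event, "path": path, "exec_changes": exec_changes})
    return findings


# Constructed sample data: a golden-image baseline and a host state in which one
# known unit gained an ExecStartPost line and one new unit appeared. The sshd
# config is included to show that non-unit files are ignored.
BASELINE = {
    "/etc/systemd/system/myapp.service": (
        "[Unit]\nDescription=My app\n\n[Service]\nExecStart=/opt/myapp/bin/server\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/ssh/sshd_config": "PermitRootLogin no\n",
}
CURRENT = {
    "/etc/systemd/system/myapp.service": (
        "[Unit]\nDescription=My app\n\n[Service]\nExecStart=/opt/myapp/bin/server\n"
        "ExecStartPost=/usr/local/bin/helper\n\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/systemd/system/sysupdate.service": (
        "[Service]\nExecStart=/usr/local/bin/update.sh\n\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/ssh/sshd_config": "PermitRootLogin no\n",
}

if __name__ == "__main__":
    for finding in diff_units(BASELINE, CURRENT):
        print(finding["event"], finding["path"], finding["exec_changes"])
```

The output gives step 1 of the triage directly (which unit, created or modified, and what it now executes); step 2 still needs the actor, which comes from the Agent's process and user context for the file write rather than from the file contents, and step 3 is the roll-back to the image the baseline was taken from.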

Requires Agent version 7.27 or greater