Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1774-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1782-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 Atomic Red Team™ is a library of tests mapped to the

atomics/Indexes/Indexes-CSV/index.csv

@@ -1033,6 +1033,14 @@ execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
 execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
 execution,T1059.010,Command and Scripting Interpreter: AutoHotKey & AutoIT,1,AutoHotKey script execution,7b5d350e-f758-43cc-a761-8e3f6b052a03,powershell
+execution,T1569.003,System Services: Systemctl,1,Create and Enable a Malicious systemd Service Unit,e58c8723-5503-4533-b642-535cd20ec648,sh
+execution,T1569.003,System Services: Systemctl,2,Create systemd Service Unit from /tmp (Unusual Location),a1fa406e-2354-4a24-b6d6-94157e7564d4,sh
+execution,T1569.003,System Services: Systemctl,3,Create systemd Service Unit from /dev/shm (Unusual Location),dce49381-a26b-4d95-bdfa-c607ffe8bee5,sh
+execution,T1569.003,System Services: Systemctl,4,Modify Existing systemd Service to Execute Malicious Command,6123928f-6389-4914-8d25-a5d69bd657fa,sh
+execution,T1569.003,System Services: Systemctl,5,Execute Command via Transient systemd Service (systemd-run),a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236,sh
+execution,T1569.003,System Services: Systemctl,6,Enumerate All systemd Services Using systemctl,1e5be8d4-605a-4acb-8709-2f80b2d8ea95,sh
+execution,T1569.003,System Services: Systemctl,7,Enable systemd Service for Persistence with Auto-Restart,2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7,sh
+execution,T1569.003,System Services: Systemctl,8,Masquerade Malicious Service as Legitimate System Service,6fec8560-ff64-4bbf-bc79-734fea48f7ca,sh
 execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
 execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
 execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -407,6 +407,14 @@ execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with refer
 execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
 execution,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
+execution,T1569.003,System Services: Systemctl,1,Create and Enable a Malicious systemd Service Unit,e58c8723-5503-4533-b642-535cd20ec648,sh
+execution,T1569.003,System Services: Systemctl,2,Create systemd Service Unit from /tmp (Unusual Location),a1fa406e-2354-4a24-b6d6-94157e7564d4,sh
+execution,T1569.003,System Services: Systemctl,3,Create systemd Service Unit from /dev/shm (Unusual Location),dce49381-a26b-4d95-bdfa-c607ffe8bee5,sh
+execution,T1569.003,System Services: Systemctl,4,Modify Existing systemd Service to Execute Malicious Command,6123928f-6389-4914-8d25-a5d69bd657fa,sh
+execution,T1569.003,System Services: Systemctl,5,Execute Command via Transient systemd Service (systemd-run),a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236,sh
+execution,T1569.003,System Services: Systemctl,6,Enumerate All systemd Services Using systemctl,1e5be8d4-605a-4acb-8709-2f80b2d8ea95,sh
+execution,T1569.003,System Services: Systemctl,7,Enable systemd Service for Persistence with Auto-Restart,2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7,sh
+execution,T1569.003,System Services: Systemctl,8,Masquerade Malicious Service as Legitimate System Service,6fec8560-ff64-4bbf-bc79-734fea48f7ca,sh
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -1376,7 +1376,15 @@
   - Atomic Test #5: Run Shellcode via Syscall in Go [windows]
 - [T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md)
   - Atomic Test #1: AutoHotKey script execution [windows]
-- T1569.003 Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1569.003 System Services: Systemctl](../../T1569.003/T1569.003.md)
+  - Atomic Test #1: Create and Enable a Malicious systemd Service Unit [linux]
+  - Atomic Test #2: Create systemd Service Unit from /tmp (Unusual Location) [linux]
+  - Atomic Test #3: Create systemd Service Unit from /dev/shm (Unusual Location) [linux]
+  - Atomic Test #4: Modify Existing systemd Service to Execute Malicious Command [linux]
+  - Atomic Test #5: Execute Command via Transient systemd Service (systemd-run) [linux]
+  - Atomic Test #6: Enumerate All systemd Services Using systemctl [linux]
+  - Atomic Test #7: Enable systemd Service for Persistence with Auto-Restart [linux]
+  - Atomic Test #8: Masquerade Malicious Service as Legitimate System Service [linux]
 - T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1610 Deploy a container](../../T1610/T1610.md)
   - Atomic Test #1: Deploy Docker container [containers]

atomics/Indexes/Matrices/linux-matrix.md

@@ -7,7 +7,7 @@
 | Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | [Device Driver Discovery](../../T1652/T1652.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Systemctl](../../T1569.003/T1569.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
 | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/Matrices/matrix.md

@@ -15,7 +15,7 @@
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | [System Services: Systemctl](../../T1569.003/T1569.003.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |

atomics/Indexes/azure-ad-index.yaml

@@ -23637,7 +23637,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23660,6 +23660,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/containers-index.yaml

@@ -23405,7 +23405,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23428,6 +23428,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/esxi-index.yaml

@@ -22946,7 +22946,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -22969,6 +22969,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/google-workspace-index.yaml

@@ -23062,7 +23062,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23085,6 +23085,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/iaas-index.yaml

@@ -22946,7 +22946,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -22969,6 +22969,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/iaas_aws-index.yaml

@@ -23493,7 +23493,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23516,6 +23516,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/iaas_azure-index.yaml

@@ -23409,7 +23409,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23432,6 +23432,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/iaas_gcp-index.yaml

@@ -23350,7 +23350,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23373,6 +23373,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/index.yaml

@@ -52597,7 +52597,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -52620,7 +52620,586 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
-    atomic_tests: []
+      identifier: T1569.003
+    atomic_tests:
+    - name: Create and Enable a Malicious systemd Service Unit
+      auto_generated_guid: e58c8723-5503-4533-b642-535cd20ec648
+      description: |
+        Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
+        systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
+        to establish persistence or execute arbitrary commands under the context of systemd.
+
+        This simulates the full attacker workflow: writing the unit file, reloading the systemd
+        daemon, enabling the service to survive reboots, and starting it immediately. This is
+        consistent with techniques observed in ransomware precursor activity and post-exploitation
+        frameworks targeting Linux infrastructure.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the malicious service to create
+          type: string
+          default: atomic-test
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable.
+          Ensure systemd is installed."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
+          echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl enable #{service_name}.service
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_service_output.txt
+    - name: Create systemd Service Unit from /tmp (Unusual Location)
+      auto_generated_guid: a1fa406e-2354-4a24-b6d6-94157e7564d4
+      description: |
+        Creates a systemd service unit file in /tmp and loads it using systemctl start with
+        an absolute path. Adversaries may write service unit files to world-writable directories
+        such as /tmp to avoid triggering alerts on new file creation in standard service
+        directories, or to execute payloads transiently without permanently installing a service.
+
+        Loading a service unit from an arbitrary path rather than a standard systemd directory
+        is unusual behaviour that should be detectable by monitoring systemctl command arguments.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_path:
+          description: Full path to the service file to be written in /tmp
+          type: path
+          default: "/tmp/atomic_tmp.service"
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "id > /tmp/atomic_tmp_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: "/tmp must exist and be writable\n"
+        prereq_command: 'if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "/tmp does not exist or is not writable on this
+          system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > #{service_path}
+          echo "Description=Atomic Tmp Service" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Service]" >> #{service_path}
+          echo "ExecStart=#{command_to_run}" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Install]" >> #{service_path}
+          echo "WantedBy=multi-user.target" >> #{service_path}
+          systemctl link #{service_path}
+          systemctl start $(basename #{service_path})
+          systemctl status $(basename #{service_path})
+        cleanup_command: |
+          systemctl stop $(basename #{service_path}) 2>/dev/null || true
+          rm -f #{service_path}
+          rm -f /tmp/atomic_tmp_output.txt
+    - name: Create systemd Service Unit from /dev/shm (Unusual Location)
+      auto_generated_guid: dce49381-a26b-4d95-bdfa-c607ffe8bee5
+      description: |
+        Creates a systemd service unit file in /dev/shm and loads it using systemctl.
+        /dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
+        and does not persist across reboots, making it particularly attractive to adversaries
+        seeking to execute transient payloads while evading file-based forensic detection.
+
+        This technique has been observed in post-exploitation scenarios where attackers
+        deliberately avoid writing to disk-backed locations to limit forensic artefacts.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_path:
+          description: Full path to the service file to be written in /dev/shm
+          type: path
+          default: "/dev/shm/atomic_shm.service"
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "whoami > /tmp/atomic_shm_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: "/dev/shm must exist and be writable\n"
+        prereq_command: 'if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/dev/shm does not exist or is not writable on this
+          system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > #{service_path}
+          echo "Description=Atomic SHM Service" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Service]" >> #{service_path}
+          echo "ExecStart=#{command_to_run}" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Install]" >> #{service_path}
+          echo "WantedBy=multi-user.target" >> #{service_path}
+          systemctl link #{service_path}
+          systemctl start $(basename #{service_path})
+          systemctl status $(basename #{service_path})
+        cleanup_command: |
+          systemctl stop $(basename #{service_path}) 2>/dev/null || true
+          rm -f #{service_path}
+          rm -f /tmp/atomic_shm_output.txt
+    - name: Modify Existing systemd Service to Execute Malicious Command
+      auto_generated_guid: 6123928f-6389-4914-8d25-a5d69bd657fa
+      description: |
+        Creates a service unit file that initially runs a benign command, then modifies the
+        ExecStart directive using sed to substitute a malicious command before reloading and
+        restarting the service. Adversaries may hijack existing services to blend in with normal
+        service activity and avoid triggering detections focused solely on new service creation.
+
+        This technique reflects the tradecraft observed in more sophisticated intrusions where
+        blending into existing process trees is a priority over creating net-new services.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the service to create and then modify for the test
+          type: string
+          default: atomic-modify-test
+        malicious_command:
+          description: Malicious command to substitute into ExecStart
+          type: string
+          default: /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'sed must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v sed)" ]; then exit 0; else exit 1;
+          fi
+
+          '
+        get_prereq_command: 'apt-get install -y sed 2>/dev/null || yum install -y
+          sed 2>/dev/null || echo "Could not install sed automatically."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_hijack_output.txt
+    - name: Execute Command via Transient systemd Service (systemd-run)
+      auto_generated_guid: a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
+      description: |
+        Uses systemd-run to execute a command as a transient systemd service without creating
+        a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
+        commands under the context of systemd while bypassing controls that monitor for new
+        unit file creation, since transient services exist only in memory for their lifetime.
+
+        This is a particularly stealthy technique as it leaves minimal on-disk artefacts and
+        the service disappears from systemctl list-units once execution completes.
+      supported_platforms:
+      - linux
+      input_arguments:
+        unit_name:
+          description: Name of the transient systemd unit to create
+          type: string
+          default: atomic-transient
+        command_to_run:
+          description: Command to execute as a transient service
+          type: string
+          default: /bin/bash -c "id > /tmp/atomic_transient_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemd-run must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo "systemd-run is not available. Ensure systemd is
+          installed and up to date."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          systemd-run --unit=#{unit_name} --wait #{command_to_run}
+          systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
+        cleanup_command: |
+          systemctl stop #{unit_name}.service 2>/dev/null || true
+          rm -f /tmp/atomic_transient_output.txt
+    - name: Enumerate All systemd Services Using systemctl
+      auto_generated_guid: 1e5be8d4-605a-4acb-8709-2f80b2d8ea95
+      description: |
+        Enumerates all systemd services and their current states using systemctl list-units
+        and systemctl list-unit-files. Adversaries may enumerate running and enabled services
+        to identify targets for hijacking, understand the host environment, map installed
+        security tooling, or identify gaps in monitoring coverage.
+
+        Service enumeration is a common reconnaissance step during post-exploitation and may
+        precede service hijacking or masquerading activity. This test does not require
+        elevation as service listing is available to unprivileged users on most Linux systems.
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          systemctl list-units --type=service --all
+          systemctl list-unit-files --type=service
+        cleanup_command: 'echo "No cleanup required"
+
+          '
+    - name: Enable systemd Service for Persistence with Auto-Restart
+      auto_generated_guid: 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
+      description: |
+        Creates a payload script and a systemd service unit that executes it, then enables
+        the service to survive reboots using systemctl enable. The service is configured with
+        Restart=always to automatically restart on failure, mimicking the persistence mechanism
+        used by adversaries deploying backdoors or beacons on Linux hosts.
+
+        This technique is consistent with observed post-exploitation tradecraft where adversaries
+        establish a foothold that survives reboots and self-heals after interruption, complicating
+        incident response and remediation efforts.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the persistence service to create
+          type: string
+          default: atomic-persist
+        payload_path:
+          description: Path to the payload script that the service will execute
+          type: path
+          default: "/tmp/atomic_payload.sh"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      - description: 'Payload script must exist at the specified path
+
+          '
+        prereq_command: 'if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: |
+          echo '#!/bin/bash' > #{payload_path}
+          echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
+          chmod +x #{payload_path}
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
+          echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
+          echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl enable #{service_name}.service
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
+          systemctl daemon-reload
+          rm -f #{payload_path}
+          rm -f /tmp/atomic_persist_output.txt
+    - name: Masquerade Malicious Service as Legitimate System Service
+      auto_generated_guid: 6fec8560-ff64-4bbf-bc79-734fea48f7ca
+      description: |
+        Creates a systemd service with a name and description closely resembling a legitimate
+        system service to blend in with normal service activity. Adversaries may deliberately
+        choose service names similar to well-known system services such as systemd-networkd,
+        cron, or ssh to evade detection from analysts reviewing service lists or automated
+        alerting on service names.
+
+        This masquerading technique is particularly effective in environments where detection
+        relies on service name allowlists or manual review of systemctl list-units output
+        rather than behavioural analysis of service unit file contents and ExecStart paths.
+      supported_platforms:
+      - linux
+      input_arguments:
+        masquerade_name:
+          description: Service name designed to closely mimic a legitimate system
+            service
+          type: string
+          default: systemd-network-helper
+        command_to_run:
+          description: Command the masquerading service will execute
+          type: string
+          default: /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      - description: 'Chosen masquerade service name must not already exist as a real
+          service
+
+          '
+        prereq_command: 'if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service";
+          then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "A service named #{masquerade_name} already exists.
+          Change the masquerade_name input argument to avoid conflicts."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
+          echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
+          systemctl daemon-reload
+          systemctl start #{masquerade_name}.service
+          systemctl status #{masquerade_name}.service
+        cleanup_command: |
+          systemctl stop #{masquerade_name}.service 2>/dev/null || true
+          systemctl disable #{masquerade_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{masquerade_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_masquerade_output.txt
   T1059.009:
     technique:
       type: attack-pattern

atomics/Indexes/linux-index.yaml

@@ -28422,7 +28422,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -28445,7 +28445,586 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
-    atomic_tests: []
+      identifier: T1569.003
+    atomic_tests:
+    - name: Create and Enable a Malicious systemd Service Unit
+      auto_generated_guid: e58c8723-5503-4533-b642-535cd20ec648
+      description: |
+        Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
+        systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
+        to establish persistence or execute arbitrary commands under the context of systemd.
+
+        This simulates the full attacker workflow: writing the unit file, reloading the systemd
+        daemon, enabling the service to survive reboots, and starting it immediately. This is
+        consistent with techniques observed in ransomware precursor activity and post-exploitation
+        frameworks targeting Linux infrastructure.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the malicious service to create
+          type: string
+          default: atomic-test
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable.
+          Ensure systemd is installed."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
+          echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl enable #{service_name}.service
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_service_output.txt
+    - name: Create systemd Service Unit from /tmp (Unusual Location)
+      auto_generated_guid: a1fa406e-2354-4a24-b6d6-94157e7564d4
+      description: |
+        Creates a systemd service unit file in /tmp and loads it using systemctl start with
+        an absolute path. Adversaries may write service unit files to world-writable directories
+        such as /tmp to avoid triggering alerts on new file creation in standard service
+        directories, or to execute payloads transiently without permanently installing a service.
+
+        Loading a service unit from an arbitrary path rather than a standard systemd directory
+        is unusual behaviour that should be detectable by monitoring systemctl command arguments.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_path:
+          description: Full path to the service file to be written in /tmp
+          type: path
+          default: "/tmp/atomic_tmp.service"
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "id > /tmp/atomic_tmp_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: "/tmp must exist and be writable\n"
+        prereq_command: 'if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "/tmp does not exist or is not writable on this
+          system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > #{service_path}
+          echo "Description=Atomic Tmp Service" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Service]" >> #{service_path}
+          echo "ExecStart=#{command_to_run}" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Install]" >> #{service_path}
+          echo "WantedBy=multi-user.target" >> #{service_path}
+          systemctl link #{service_path}
+          systemctl start $(basename #{service_path})
+          systemctl status $(basename #{service_path})
+        cleanup_command: |
+          systemctl stop $(basename #{service_path}) 2>/dev/null || true
+          rm -f #{service_path}
+          rm -f /tmp/atomic_tmp_output.txt
+    - name: Create systemd Service Unit from /dev/shm (Unusual Location)
+      auto_generated_guid: dce49381-a26b-4d95-bdfa-c607ffe8bee5
+      description: |
+        Creates a systemd service unit file in /dev/shm and loads it using systemctl.
+        /dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
+        and does not persist across reboots, making it particularly attractive to adversaries
+        seeking to execute transient payloads while evading file-based forensic detection.
+
+        This technique has been observed in post-exploitation scenarios where attackers
+        deliberately avoid writing to disk-backed locations to limit forensic artefacts.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_path:
+          description: Full path to the service file to be written in /dev/shm
+          type: path
+          default: "/dev/shm/atomic_shm.service"
+        command_to_run:
+          description: Command the service will execute
+          type: string
+          default: /bin/bash -c "whoami > /tmp/atomic_shm_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: "/dev/shm must exist and be writable\n"
+        prereq_command: 'if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/dev/shm does not exist or is not writable on this
+          system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > #{service_path}
+          echo "Description=Atomic SHM Service" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Service]" >> #{service_path}
+          echo "ExecStart=#{command_to_run}" >> #{service_path}
+          echo "" >> #{service_path}
+          echo "[Install]" >> #{service_path}
+          echo "WantedBy=multi-user.target" >> #{service_path}
+          systemctl link #{service_path}
+          systemctl start $(basename #{service_path})
+          systemctl status $(basename #{service_path})
+        cleanup_command: |
+          systemctl stop $(basename #{service_path}) 2>/dev/null || true
+          rm -f #{service_path}
+          rm -f /tmp/atomic_shm_output.txt
+    - name: Modify Existing systemd Service to Execute Malicious Command
+      auto_generated_guid: 6123928f-6389-4914-8d25-a5d69bd657fa
+      description: |
+        Creates a service unit file that initially runs a benign command, then modifies the
+        ExecStart directive using sed to substitute a malicious command before reloading and
+        restarting the service. Adversaries may hijack existing services to blend in with normal
+        service activity and avoid triggering detections focused solely on new service creation.
+
+        This technique reflects the tradecraft observed in more sophisticated intrusions where
+        blending into existing process trees is a priority over creating net-new services.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the service to create and then modify for the test
+          type: string
+          default: atomic-modify-test
+        malicious_command:
+          description: Malicious command to substitute into ExecStart
+          type: string
+          default: /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'sed must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v sed)" ]; then exit 0; else exit 1;
+          fi
+
+          '
+        get_prereq_command: 'apt-get install -y sed 2>/dev/null || yum install -y
+          sed 2>/dev/null || echo "Could not install sed automatically."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_hijack_output.txt
+    - name: Execute Command via Transient systemd Service (systemd-run)
+      auto_generated_guid: a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
+      description: |
+        Uses systemd-run to execute a command as a transient systemd service without creating
+        a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
+        commands under the context of systemd while bypassing controls that monitor for new
+        unit file creation, since transient services exist only in memory for their lifetime.
+
+        This is a particularly stealthy technique as it leaves minimal on-disk artefacts and
+        the service disappears from systemctl list-units once execution completes.
+      supported_platforms:
+      - linux
+      input_arguments:
+        unit_name:
+          description: Name of the transient systemd unit to create
+          type: string
+          default: atomic-transient
+        command_to_run:
+          description: Command to execute as a transient service
+          type: string
+          default: /bin/bash -c "id > /tmp/atomic_transient_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemd-run must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
+          exit 1; fi
+
+          '
+        get_prereq_command: 'echo "systemd-run is not available. Ensure systemd is
+          installed and up to date."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          systemd-run --unit=#{unit_name} --wait #{command_to_run}
+          systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
+        cleanup_command: |
+          systemctl stop #{unit_name}.service 2>/dev/null || true
+          rm -f /tmp/atomic_transient_output.txt
+    - name: Enumerate All systemd Services Using systemctl
+      auto_generated_guid: 1e5be8d4-605a-4acb-8709-2f80b2d8ea95
+      description: |
+        Enumerates all systemd services and their current states using systemctl list-units
+        and systemctl list-unit-files. Adversaries may enumerate running and enabled services
+        to identify targets for hijacking, understand the host environment, map installed
+        security tooling, or identify gaps in monitoring coverage.
+
+        Service enumeration is a common reconnaissance step during post-exploitation and may
+        precede service hijacking or masquerading activity. This test does not require
+        elevation as service listing is available to unprivileged users on most Linux systems.
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          systemctl list-units --type=service --all
+          systemctl list-unit-files --type=service
+        cleanup_command: 'echo "No cleanup required"
+
+          '
+    - name: Enable systemd Service for Persistence with Auto-Restart
+      auto_generated_guid: 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
+      description: |
+        Creates a payload script and a systemd service unit that executes it, then enables
+        the service to survive reboots using systemctl enable. The service is configured with
+        Restart=always to automatically restart on failure, mimicking the persistence mechanism
+        used by adversaries deploying backdoors or beacons on Linux hosts.
+
+        This technique is consistent with observed post-exploitation tradecraft where adversaries
+        establish a foothold that survives reboots and self-heals after interruption, complicating
+        incident response and remediation efforts.
+      supported_platforms:
+      - linux
+      input_arguments:
+        service_name:
+          description: Name of the persistence service to create
+          type: string
+          default: atomic-persist
+        payload_path:
+          description: Path to the payload script that the service will execute
+          type: path
+          default: "/tmp/atomic_payload.sh"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      - description: 'Payload script must exist at the specified path
+
+          '
+        prereq_command: 'if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: |
+          echo '#!/bin/bash' > #{payload_path}
+          echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
+          chmod +x #{payload_path}
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+          echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+          echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
+          echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
+          echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
+          echo "" >> /etc/systemd/system/#{service_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+          systemctl daemon-reload
+          systemctl enable #{service_name}.service
+          systemctl start #{service_name}.service
+          systemctl status #{service_name}.service
+        cleanup_command: |
+          systemctl stop #{service_name}.service 2>/dev/null || true
+          systemctl disable #{service_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{service_name}.service
+          rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
+          systemctl daemon-reload
+          rm -f #{payload_path}
+          rm -f /tmp/atomic_persist_output.txt
+    - name: Masquerade Malicious Service as Legitimate System Service
+      auto_generated_guid: 6fec8560-ff64-4bbf-bc79-734fea48f7ca
+      description: |
+        Creates a systemd service with a name and description closely resembling a legitimate
+        system service to blend in with normal service activity. Adversaries may deliberately
+        choose service names similar to well-known system services such as systemd-networkd,
+        cron, or ssh to evade detection from analysts reviewing service lists or automated
+        alerting on service names.
+
+        This masquerading technique is particularly effective in environments where detection
+        relies on service name allowlists or manual review of systemctl list-units output
+        rather than behavioural analysis of service unit file contents and ExecStart paths.
+      supported_platforms:
+      - linux
+      input_arguments:
+        masquerade_name:
+          description: Service name designed to closely mimic a legitimate system
+            service
+          type: string
+          default: systemd-network-helper
+        command_to_run:
+          description: Command the masquerading service will execute
+          type: string
+          default: /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'systemctl must be available on the system
+
+          '
+        prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
+          1; fi
+
+          '
+        get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
+          on this system."
+
+          '
+      - description: 'The test must be run as root or with sudo privileges
+
+          '
+        prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "This test requires root privileges. Run as root
+          or use sudo."
+
+          '
+      - description: "/etc/systemd/system/ directory must exist and be writable\n"
+        prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
+          ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
+
+          '
+      - description: 'Chosen masquerade service name must not already exist as a real
+          service
+
+          '
+        prereq_command: 'if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service";
+          then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'echo "A service named #{masquerade_name} already exists.
+          Change the masquerade_name input argument to avoid conflicts."
+
+          '
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
+          echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
+          echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
+          systemctl daemon-reload
+          systemctl start #{masquerade_name}.service
+          systemctl status #{masquerade_name}.service
+        cleanup_command: |
+          systemctl stop #{masquerade_name}.service 2>/dev/null || true
+          systemctl disable #{masquerade_name}.service 2>/dev/null || true
+          rm -f /etc/systemd/system/#{masquerade_name}.service
+          systemctl daemon-reload
+          rm -f /tmp/atomic_masquerade_output.txt
   T1059.009:
     technique:
       type: attack-pattern

atomics/Indexes/macos-index.yaml

@@ -26454,7 +26454,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -26477,6 +26477,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/office-365-index.yaml

@@ -23178,7 +23178,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23201,6 +23201,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/saas-index.yaml

@@ -22946,7 +22946,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -22969,6 +22969,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/Indexes/windows-index.yaml

@@ -42968,7 +42968,7 @@ execution:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       modified: '2025-04-15T19:58:28.694Z'
-      name: Systemctl
+      name: 'System Services: Systemctl'
       description: "Adversaries may abuse systemctl to execute commands or programs.
         Systemctl is the primary interface for systemd, the Linux init system and
         service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -42991,6 +42991,7 @@ execution:
       - Linux
       x_mitre_version: '1.0'
       x_mitre_remote_support: false
+      identifier: T1569.003
     atomic_tests: []
   T1059.009:
     technique:

atomics/T1569.003/T1569.003.md

@@ -0,0 +1,735 @@
+# T1569.003 - System Services: Systemctl
+
+## Description from ATT&CK
+
+> Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.
+> 
+> Adversaries may use systemctl to execute commands or programs as [Systemd Service](https://attack.mitre.org/techniques/T1543/002)s. Common subcommands include: `systemctl start`, `systemctl stop`, `systemctl enable`, `systemctl disable`, and `systemctl status`.(Citation: Red Hat Systemctl 2022)
+
+[Source](https://attack.mitre.org/techniques/T1569/003)
+
+## Atomic Tests
+
+- [Atomic Test #1: Create and Enable a Malicious systemd Service Unit](#atomic-test-1-create-and-enable-a-malicious-systemd-service-unit)
+- [Atomic Test #2: Create systemd Service Unit from /tmp (Unusual Location)](#atomic-test-2-create-systemd-service-unit-from-tmp-unusual-location)
+- [Atomic Test #3: Create systemd Service Unit from /dev/shm (Unusual Location)](#atomic-test-3-create-systemd-service-unit-from-devshm-unusual-location)
+- [Atomic Test #4: Modify Existing systemd Service to Execute Malicious Command](#atomic-test-4-modify-existing-systemd-service-to-execute-malicious-command)
+- [Atomic Test #5: Execute Command via Transient systemd Service (systemd-run)](#atomic-test-5-execute-command-via-transient-systemd-service-systemd-run)
+- [Atomic Test #6: Enumerate All systemd Services Using systemctl](#atomic-test-6-enumerate-all-systemd-services-using-systemctl)
+- [Atomic Test #7: Enable systemd Service for Persistence with Auto-Restart](#atomic-test-7-enable-systemd-service-for-persistence-with-auto-restart)
+- [Atomic Test #8: Masquerade Malicious Service as Legitimate System Service](#atomic-test-8-masquerade-malicious-service-as-legitimate-system-service)
+
+### Atomic Test #1: Create and Enable a Malicious systemd Service Unit
+
+Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
+systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
+to establish persistence or execute arbitrary commands under the context of systemd.
+
+This simulates the full attacker workflow: writing the unit file, reloading the systemd
+daemon, enabling the service to survive reboots, and starting it immediately. This is
+consistent with techniques observed in ransomware precursor activity and post-exploitation
+frameworks targeting Linux infrastructure.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `e58c8723-5503-4533-b642-535cd20ec648`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of the malicious service to create | string | atomic-test|
+| command_to_run | Command the service will execute | string | /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
+echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
+echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+systemctl enable #{service_name}.service
+systemctl start #{service_name}.service
+systemctl status #{service_name}.service
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{service_name}.service 2>/dev/null || true
+systemctl disable #{service_name}.service 2>/dev/null || true
+rm -f /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+rm -f /tmp/atomic_service_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+##### Description: /etc/systemd/system/ directory must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/etc/systemd/system/ does not exist or is not writable. Ensure systemd is installed."
+```
+
+### Atomic Test #2: Create systemd Service Unit from /tmp (Unusual Location)
+
+Creates a systemd service unit file in /tmp and loads it using systemctl start with
+an absolute path. Adversaries may write service unit files to world-writable directories
+such as /tmp to avoid triggering alerts on new file creation in standard service
+directories, or to execute payloads transiently without permanently installing a service.
+
+Loading a service unit from an arbitrary path rather than a standard systemd directory
+is unusual behaviour that should be detectable by monitoring systemctl command arguments.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `a1fa406e-2354-4a24-b6d6-94157e7564d4`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_path | Full path to the service file to be written in /tmp | path | /tmp/atomic_tmp.service|
+| command_to_run | Command the service will execute | string | /bin/bash -c "id > /tmp/atomic_tmp_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > #{service_path}
+echo "Description=Atomic Tmp Service" >> #{service_path}
+echo "" >> #{service_path}
+echo "[Service]" >> #{service_path}
+echo "ExecStart=#{command_to_run}" >> #{service_path}
+echo "" >> #{service_path}
+echo "[Install]" >> #{service_path}
+echo "WantedBy=multi-user.target" >> #{service_path}
+systemctl link #{service_path}
+systemctl start $(basename #{service_path})
+systemctl status $(basename #{service_path})
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop $(basename #{service_path}) 2>/dev/null || true
+rm -f #{service_path}
+rm -f /tmp/atomic_tmp_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: /tmp must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/tmp does not exist or is not writable on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+### Atomic Test #3: Create systemd Service Unit from /dev/shm (Unusual Location)
+
+Creates a systemd service unit file in /dev/shm and loads it using systemctl.
+/dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
+and does not persist across reboots, making it particularly attractive to adversaries
+seeking to execute transient payloads while evading file-based forensic detection.
+
+This technique has been observed in post-exploitation scenarios where attackers
+deliberately avoid writing to disk-backed locations to limit forensic artefacts.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `dce49381-a26b-4d95-bdfa-c607ffe8bee5`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_path | Full path to the service file to be written in /dev/shm | path | /dev/shm/atomic_shm.service|
+| command_to_run | Command the service will execute | string | /bin/bash -c "whoami > /tmp/atomic_shm_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > #{service_path}
+echo "Description=Atomic SHM Service" >> #{service_path}
+echo "" >> #{service_path}
+echo "[Service]" >> #{service_path}
+echo "ExecStart=#{command_to_run}" >> #{service_path}
+echo "" >> #{service_path}
+echo "[Install]" >> #{service_path}
+echo "WantedBy=multi-user.target" >> #{service_path}
+systemctl link #{service_path}
+systemctl start $(basename #{service_path})
+systemctl status $(basename #{service_path})
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop $(basename #{service_path}) 2>/dev/null || true
+rm -f #{service_path}
+rm -f /tmp/atomic_shm_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: /dev/shm must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/dev/shm does not exist or is not writable on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+### Atomic Test #4: Modify Existing systemd Service to Execute Malicious Command
+
+Creates a service unit file that initially runs a benign command, then modifies the
+ExecStart directive using sed to substitute a malicious command before reloading and
+restarting the service. Adversaries may hijack existing services to blend in with normal
+service activity and avoid triggering detections focused solely on new service creation.
+
+This technique reflects the tradecraft observed in more sophisticated intrusions where
+blending into existing process trees is a priority over creating net-new services.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `6123928f-6389-4914-8d25-a5d69bd657fa`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of the service to create and then modify for the test | string | atomic-modify-test|
+| malicious_command | Malicious command to substitute into ExecStart | string | /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+systemctl start #{service_name}.service
+systemctl status #{service_name}.service
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{service_name}.service 2>/dev/null || true
+systemctl disable #{service_name}.service 2>/dev/null || true
+rm -f /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+rm -f /tmp/atomic_hijack_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: sed must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v sed)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+apt-get install -y sed 2>/dev/null || yum install -y sed 2>/dev/null || echo "Could not install sed automatically."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+##### Description: /etc/systemd/system/ directory must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/etc/systemd/system/ does not exist or is not writable."
+```
+
+### Atomic Test #5: Execute Command via Transient systemd Service (systemd-run)
+
+Uses systemd-run to execute a command as a transient systemd service without creating
+a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
+commands under the context of systemd while bypassing controls that monitor for new
+unit file creation, since transient services exist only in memory for their lifetime.
+
+This is a particularly stealthy technique as it leaves minimal on-disk artefacts and
+the service disappears from systemctl list-units once execution completes.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| unit_name | Name of the transient systemd unit to create | string | atomic-transient|
+| command_to_run | Command to execute as a transient service | string | /bin/bash -c "id > /tmp/atomic_transient_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+systemd-run --unit=#{unit_name} --wait #{command_to_run}
+systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{unit_name}.service 2>/dev/null || true
+rm -f /tmp/atomic_transient_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemd-run must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemd-run is not available. Ensure systemd is installed and up to date."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+### Atomic Test #6: Enumerate All systemd Services Using systemctl
+
+Enumerates all systemd services and their current states using systemctl list-units
+and systemctl list-unit-files. Adversaries may enumerate running and enabled services
+to identify targets for hijacking, understand the host environment, map installed
+security tooling, or identify gaps in monitoring coverage.
+
+Service enumeration is a common reconnaissance step during post-exploitation and may
+precede service hijacking or masquerading activity. This test does not require
+elevation as service listing is available to unprivileged users on most Linux systems.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `1e5be8d4-605a-4acb-8709-2f80b2d8ea95`
+
+#### Attack Commands: Run with `sh`!
+
+```sh
+systemctl list-units --type=service --all
+systemctl list-unit-files --type=service
+```
+
+#### Cleanup Commands
+
+```sh
+echo "No cleanup required"
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+### Atomic Test #7: Enable systemd Service for Persistence with Auto-Restart
+
+Creates a payload script and a systemd service unit that executes it, then enables
+the service to survive reboots using systemctl enable. The service is configured with
+Restart=always to automatically restart on failure, mimicking the persistence mechanism
+used by adversaries deploying backdoors or beacons on Linux hosts.
+
+This technique is consistent with observed post-exploitation tradecraft where adversaries
+establish a foothold that survives reboots and self-heals after interruption, complicating
+incident response and remediation efforts.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of the persistence service to create | string | atomic-persist|
+| payload_path | Path to the payload script that the service will execute | path | /tmp/atomic_payload.sh|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > /etc/systemd/system/#{service_name}.service
+echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
+echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Service]" >> /etc/systemd/system/#{service_name}.service
+echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
+echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
+echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
+echo "" >> /etc/systemd/system/#{service_name}.service
+echo "[Install]" >> /etc/systemd/system/#{service_name}.service
+echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
+systemctl daemon-reload
+systemctl enable #{service_name}.service
+systemctl start #{service_name}.service
+systemctl status #{service_name}.service
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{service_name}.service 2>/dev/null || true
+systemctl disable #{service_name}.service 2>/dev/null || true
+rm -f /etc/systemd/system/#{service_name}.service
+rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
+systemctl daemon-reload
+rm -f #{payload_path}
+rm -f /tmp/atomic_persist_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+##### Description: /etc/systemd/system/ directory must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/etc/systemd/system/ does not exist or is not writable."
+```
+
+##### Description: Payload script must exist at the specified path
+
+###### Check Prereq Commands
+
+```sh
+if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo '#!/bin/bash' > #{payload_path}
+echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
+chmod +x #{payload_path}
+```
+
+### Atomic Test #8: Masquerade Malicious Service as Legitimate System Service
+
+Creates a systemd service with a name and description closely resembling a legitimate
+system service to blend in with normal service activity. Adversaries may deliberately
+choose service names similar to well-known system services such as systemd-networkd,
+cron, or ssh to evade detection from analysts reviewing service lists or automated
+alerting on service names.
+
+This masquerading technique is particularly effective in environments where detection
+relies on service name allowlists or manual review of systemctl list-units output
+rather than behavioural analysis of service unit file contents and ExecStart paths.
+
+**Supported Platforms:** Linux
+
+**auto_generated_guid:** `6fec8560-ff64-4bbf-bc79-734fea48f7ca`
+
+#### Inputs
+
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| masquerade_name | Service name designed to closely mimic a legitimate system service | string | systemd-network-helper|
+| command_to_run | Command the masquerading service will execute | string | /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"|
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+```sh
+echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
+echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
+echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
+echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
+echo "" >> /etc/systemd/system/#{masquerade_name}.service
+echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
+echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
+echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
+echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
+echo "" >> /etc/systemd/system/#{masquerade_name}.service
+echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
+echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
+systemctl daemon-reload
+systemctl start #{masquerade_name}.service
+systemctl status #{masquerade_name}.service
+```
+
+#### Cleanup Commands
+
+```sh
+systemctl stop #{masquerade_name}.service 2>/dev/null || true
+systemctl disable #{masquerade_name}.service 2>/dev/null || true
+rm -f /etc/systemd/system/#{masquerade_name}.service
+systemctl daemon-reload
+rm -f /tmp/atomic_masquerade_output.txt
+```
+
+#### Dependencies: Run with `sh`!
+
+##### Description: systemctl must be available on the system
+
+###### Check Prereq Commands
+
+```sh
+if [ -x "$(command -v systemctl)" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "systemctl is not available. Ensure systemd is running on this system."
+```
+
+##### Description: The test must be run as root or with sudo privileges
+
+###### Check Prereq Commands
+
+```sh
+if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "This test requires root privileges. Run as root or use sudo."
+```
+
+##### Description: /etc/systemd/system/ directory must exist and be writable
+
+###### Check Prereq Commands
+
+```sh
+if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system" ]; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "/etc/systemd/system/ does not exist or is not writable."
+```
+
+##### Description: Chosen masquerade service name must not already exist as a real service
+
+###### Check Prereq Commands
+
+```sh
+if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service"; then exit 0; else exit 1; fi
+```
+
+###### Get Prereq Commands
+
+```sh
+echo "A service named #{masquerade_name} already exists. Change the masquerade_name input argument to avoid conflicts."
+```
+

atomics/T1569.003/T1569.003.yaml

@@ -3,7 +3,7 @@ display_name: "System Services: Systemctl"
 atomic_tests:
 
   - name: Create and Enable a Malicious systemd Service Unit
-    auto_generated_guid:
+    auto_generated_guid: e58c8723-5503-4533-b642-535cd20ec648
     description: |
       Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
       systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
@@ -71,7 +71,7 @@ atomic_tests:
 
 
   - name: Create systemd Service Unit from /tmp (Unusual Location)
-    auto_generated_guid:
+    auto_generated_guid: a1fa406e-2354-4a24-b6d6-94157e7564d4
     description: |
       Creates a systemd service unit file in /tmp and loads it using systemctl start with
       an absolute path. Adversaries may write service unit files to world-writable directories
@@ -133,7 +133,7 @@ atomic_tests:
 
 
   - name: Create systemd Service Unit from /dev/shm (Unusual Location)
-    auto_generated_guid:
+    auto_generated_guid: dce49381-a26b-4d95-bdfa-c607ffe8bee5
     description: |
       Creates a systemd service unit file in /dev/shm and loads it using systemctl.
       /dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
@@ -195,7 +195,7 @@ atomic_tests:
 
 
   - name: Modify Existing systemd Service to Execute Malicious Command
-    auto_generated_guid:
+    auto_generated_guid: 6123928f-6389-4914-8d25-a5d69bd657fa
     description: |
       Creates a service unit file that initially runs a benign command, then modifies the
       ExecStart directive using sed to substitute a malicious command before reloading and
@@ -267,7 +267,7 @@ atomic_tests:
 
 
   - name: Execute Command via Transient systemd Service (systemd-run)
-    auto_generated_guid:
+    auto_generated_guid: a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
     description: |
       Uses systemd-run to execute a command as a transient systemd service without creating
       a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
@@ -313,7 +313,7 @@ atomic_tests:
 
 
   - name: Enumerate All systemd Services Using systemctl
-    auto_generated_guid:
+    auto_generated_guid: 1e5be8d4-605a-4acb-8709-2f80b2d8ea95
     description: |
       Enumerates all systemd services and their current states using systemctl list-units
       and systemctl list-unit-files. Adversaries may enumerate running and enabled services
@@ -344,7 +344,7 @@ atomic_tests:
 
 
   - name: Enable systemd Service for Persistence with Auto-Restart
-    auto_generated_guid:
+    auto_generated_guid: 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
     description: |
       Creates a payload script and a systemd service unit that executes it, then enables
       the service to survive reboots using systemctl enable. The service is configured with
@@ -423,7 +423,7 @@ atomic_tests:
 
 
   - name: Masquerade Malicious Service as Legitimate System Service
-    auto_generated_guid:
+    auto_generated_guid: 6fec8560-ff64-4bbf-bc79-734fea48f7ca
     description: |
       Creates a systemd service with a name and description closely resembling a legitimate
       system service to blend in with normal service activity. Adversaries may deliberately

atomics/used_guids.txt

@@ -1801,3 +1801,11 @@ c7be89f7-5d06-4321-9f90-8676a77e0502
 6683baf0-6e77-4f58-b114-814184ea8150
 c2ca068a-eb1e-498f-9f93-3d554c455916
 0ee8081f-e9a7-4a2e-a23f-68473023184f
+e58c8723-5503-4533-b642-535cd20ec648
+a1fa406e-2354-4a24-b6d6-94157e7564d4
+dce49381-a26b-4d95-bdfa-c607ffe8bee5
+6123928f-6389-4914-8d25-a5d69bd657fa
+a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
+1e5be8d4-605a-4acb-8709-2f80b2d8ea95
+2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
+6fec8560-ff64-4bbf-bc79-734fea48f7ca