atomic-red-team/atomics/T1501/T1501.yaml

---
attack_technique: T1501
display_name: Systemd Service

atomic_tests:
- name: Create Systemd Service
  description: |
    This test creates a Systemd service unit file and enables it as a service.

  supported_platforms:
    - linux

  input_arguments:
    execstart_action:
      description: ExecStart action for Systemd service
      type: String
      default: /bin/touch /tmp/art-systemd-execstart-marker
    execstartpre_action:
      description: ExecStartPre action for Systemd service
      type: String
      default: /bin/touch /tmp/art-systemd-execstartpre-marker
    execstartpost_action:
      description: ExecStartPost action for Systemd service
      type: String
      default: /bin/touch /tmp/art-systemd-execstartpost-marker
    execreload_action:
      description: ExecReload action for Systemd service
      type: String
      default: /bin/touch /tmp/art-systemd-execreload-marker
    execstop_action:
      description: ExecStop action for Systemd service
      type: String
      default: /bin/touch /tmp/art-systemd-execstop-marker
    execstoppost_action:
      description: ExecStopPost action for Systemd service
      type: String
      default: /bin/touch /tmp/art-systemd-execstoppost-marker
    systemd_service_path:
      description: Path to systemd service unit file
      type: Path
      default: /etc/systemd/system
    systemd_service_file:
      description: File name of systemd service unit file
      type: String
      default: art-systemd-service.service

  executor:
    name: bash
    command: |
      echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
      echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
      echo "" >> #{systemd_service_path}/#{systemd_service_file}
      echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
      echo "Type=simple"
      echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
      echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
      echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
      echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
      echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
      echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
      echo "" >> #{systemd_service_path}/#{systemd_service_file}
      echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
      echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
      systemctl daemon-reload
      systemctl enable #{systemd_service_file}
      systemctl start #{systemd_service_file}
    cleanup_command: |
      systemctl stop #{systemd_service_file}
      systemctl disable #{systemd_service_file}
      rm -rf #{systemd_service_path}/#{systemd_service_file}
      systemctl daemon-reload