Systemd Service Files

Linux, Persistence Mechanisms, Disk Image

Location

/etc/systemd/system/, /usr/lib/systemd/system/ (/lib/systemd/system/ on older Debian-based systems), /run/systemd/system/ (runtime units, lost on reboot), ~/.config/systemd/user/ (including /root/.config/systemd/user/), and the <unit>.service.d/*.conf drop-in directories that sit alongside unit files in each of these trees

Description

Systemd unit files define services: the ExecStart command (plus ExecStartPre, ExecStartPost, ExecReload and ExecStop), the restart policy, dependencies and ordering, and the User=/Group= the process runs as. A unit in /etc/systemd/system/ takes precedence over a same-named vendor unit in /usr/lib/systemd/system/, and a drop-in directory <unit>.service.d/ holding *.conf files can override individual directives of a vendor unit, including its ExecStart, without the original .service file changing. A unit only starts at boot once it has been enabled, which creates a symlink in a *.target.wants/ directory (typically /etc/systemd/system/multi-user.target.wants/). User units under ~/.config/systemd/user/ run in the user's own service manager and survive logout/reboot only if lingering is enabled for that account (recorded in /var/lib/systemd/linger/).

Forensic Value

Malicious systemd services provide robust persistence: an enabled unit starts on every boot, and a unit with Restart=always is respawned by systemd whenever the process exits, including when an analyst kills it. The ExecStart directive records the exact binary and arguments, so a unit whose ExecStart (or ExecStartPre/ExecStartPost) points into /tmp, /var/tmp, /dev/shm, a user home directory or a hidden dot-directory is a strong indicator of attacker persistence, as is a drop-in override.conf that redirects the command line of a legitimate service. Recently created or modified .service files in /etc/systemd/system/, .wants/ symlinks with no corresponding installed package, and units whose names mimic system components but whose paths do not match the package that should own them all merit review. systemctl show -p ExecStart,Restart,User <unit> reports the effective values after drop-ins are applied, and journalctl -u <unit> shows when the unit was started and what it logged.
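The triage described above, as an added POSIX sh example that is not part of the original page: it walks a unit tree (including drop-in *.conf files), extracts every Exec* directive, strips systemd's optional prefix characters, and reports executables that sit in /tmp, /var/tmp, /dev/shm or a hidden dot-directory. The SUSPICIOUS_EXE pattern, the scan_units/count_hits/make_sample_tree names and the sample units are this example's own assumptions; the unit files it builds are constructed test data, not real artifacts.

```shell
#!/bin/sh
# Added example, not from the original page: triage a systemd unit tree for
# Exec* directives whose executable lives in an attacker staging location
# (/tmp, /var/tmp, /dev/shm, or any hidden dot-directory/file). Drop-in
# *.conf files are scanned too, because an override.conf can replace a vendor
# unit's ExecStart without the .service file itself ever changing.

# Assumption: this pattern is illustrative; tune it per environment.
SUSPICIOUS_EXE='^/(tmp|var/tmp|dev/shm)/|/\.[^/]+(/|$)'

# scan_units DIR  -> prints "file:line:directive" for every suspicious hit
scan_units() {
    find "$1" -type f \( -name '*.service' -o -name '*.conf' \) 2>/dev/null | sort |
    while IFS= read -r unit; do
        grep -n -E '^Exec(Start|StartPre|StartPost|Reload|Stop|StopPost)=' "$unit" |
        while IFS=: read -r lineno directive; do
            cmd="${directive#*=}"
            # systemd allows prefix characters (-, @, :, +, !, !!) before the path
            cmd="$(printf '%s' "$cmd" | sed -E 's/^[-@:+!]*//')"
            exe="${cmd%% *}"
            if printf '%s\n' "$exe" | grep -q -E "$SUSPICIOUS_EXE"; then
                printf '%s:%s:%s\n' "$unit" "$lineno" "$directive"
            fi
        done
    done
}

# count_hits DIR -> number of suspicious directives found under DIR
count_hits() {
    scan_units "$1" | grep -c . || true
}

# make_sample_tree -> prints the path of a constructed unit tree (test data only)
make_sample_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/sshd.service.d"
    # Constructed benign unit
    cat > "$d/sshd.service" <<'EOF'
[Unit]
Description=OpenSSH server
[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure
EOF
    # Constructed malicious unit: payload staged in /dev/shm, respawns forever
    cat > "$d/sysupdate.service" <<'EOF'
[Unit]
Description=System Update Helper
[Service]
ExecStart=/dev/shm/.x/update -c /tmp/c.cfg
Restart=always
[Install]
WantedBy=multi-user.target
EOF
    # Constructed drop-in that bolts a payload onto a legitimate service
    cat > "$d/sshd.service.d/override.conf" <<'EOF'
[Service]
ExecStartPre=-/tmp/.cache/pre.sh
EOF
    printf '%s\n' "$d"
}

# Usage: scan the directories given on the command line (e.g. a mounted image's
# etc/systemd/system), or demonstrate on the constructed sample tree.
if [ $# -gt 0 ]; then
    for dir in "$@"; do scan_units "$dir"; done
else
    sample="$(make_sample_tree)"
    scan_units "$sample"
    rm -rf "$sample"
fi
```

Run it against a mounted image (e.g. sh scan.sh /mnt/image/etc/systemd/system /mnt/image/usr/lib/systemd/system) rather than the live host where possible; on the sample tree it reports the /dev/shm ExecStart and the /tmp drop-in but not the sshd unit.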

Tools Required

systemctl list-units, find, cat, journalctl -u

Collection Commands

tar

tar czf /forensics/output/systemd_units.tar.gz /etc/systemd/system/ /usr/lib/systemd/system/

find

find /etc/systemd/system/ \( -name "*.service" -o -name "*.conf" \) \( -mtime -30 -o -ctime -30 \) -exec stat -c '%y %z %U %n' {} \; > /forensics/output/recent_services.txt

grep

grep -rn "^Exec" /etc/systemd/system/ > /forensics/output/service_execstart.txt

find

find /home /root -path "*/.config/systemd/user/*.service" -exec cp --parents {} /forensics/output/ \;

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful; Alpine, Devuan and most containers do not run systemd at all.
  • File mtime is trivially forged (touch -r), so record ctime as well and verify vendor units against package manager metadata (rpm -V, dpkg --verify) to separate modified originals from new units.
  • Collect the *.service.d/ drop-in directories and the *.target.wants/ symlinks alongside the unit files; the effective ExecStart and whether a unit is enabled cannot be determined from the .service file alone.
  • User units in ~/.config/systemd/user/ only run while that user has a session unless lingering is enabled; check /var/lib/systemd/linger/ before concluding a user unit could not have provided reboot persistence.

MITRE ATT&CK Techniques

T1543.002 (Create or Modify System Process: Systemd Service), T1569.002 (System Services: Service Execution), T1059.004 (Command and Scripting Interpreter: Unix Shell)