Clankerusecase
MITRE ATT&CK detection coverage

T1543.002 Systemd Service

T1543.002 — Systemd Service is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 10 detection use cases covering it and 10 threat-intel articles citing it.

Tactics: Persistence, Privilege Escalation
10 Use cases
10 Articles
0 Sub-techniques
2 Tactics

Use cases covering this technique (10)

[LLM] Atomic Arch: systemd unit with Restart=always dropped by non-package-manager process (Bespoke install · hunting, DSΣPDDCS)
[LLM] gh-token-monitor service install or rm -rf wiper command (Hades self-destruct) (Bespoke actions · alerting, DSΣPDDCS)
[LLM] Mini Shai-Hulud 'gh-token-monitor' persistence daemon (LaunchAgent / systemd) (Bespoke install · alerting, DSΣPDDCS)
[LLM] Mini Shai-Hulud Linux daemon persistence: kitty/cat.py and systemd user service (Bespoke install · alerting, DSΣPDDCS)
[LLM] TeamPCP sysmon.py systemd-user persistence on developer host (Bespoke install · alerting, DSΣPDD)
[LLM] OpenClaw persistence — launchd plist / systemd unit drop referencing 'openclaw' (Bespoke install · alerting, DSΣPDDCS)
[LLM] Linux user-systemd sysmon persistence drop (~/.config/sysmon/sysmon.py + sysmon.service) (Bespoke install · alerting, DSΣPDDCS)
[LLM] TeamPCP systemd backdoor — sysmon.py / sysmon.service persistence on CI runner (Bespoke install · alerting, DSΣPDD)
[LLM] CanisterWorm persistence: pglog/pg_state/internal-monitor systemd unit and /tmp/pglog drop (Bespoke install · alerting, DSΣPDDCS)
[LLM] wdavdaemon or MDE Linux endpoints observed on CI/CD build runners (Bespoke install · hunting, DSΣPDD)

Articles citing this technique (10)