Linux systemd unit deep audit User and system unit text inspected against U1-U7 — the Linux parallel to macos_launchd.
The existing persistent_sessions detector catches
one narrow systemd shape (ExecStart pointing at a user-writable
shell script). SystemdAuditDetector covers the rest of
the malicious-unit patterns documented across Linux malware
research (Symbiote, OrBit, BPFDoor, Earth Lusca's CrossLock
loader).
Scope
Consumes Artifacts emitted by the existing
linux.systemd collector:
- `user-unit:*` — per-user units under `~/.config/systemd/user/`
- `system-unit:*` — operator-customized and runtime-generated units under `/etc/systemd/system` and `/run/systemd/system`
The vendor-shipped /usr/lib/systemd/system tree is
intentionally out of scope (signed-package files; would generate
massive noise on fresh distro installs). Symlinks under
/etc/systemd/system typically alias into the vendor
tree and are skipped at collection time — the unit-dir:
listing artifact already records them by name + symlink_target.
Detection layers (U1–U7)
| ID | Severity | What it catches | MITRE |
|---|---|---|---|
| U1 | high → critical | Network-fetch in any Exec* line. curl/wget/nc/socat/python-socket. Critical when piped to shell. | T1543.002 |
| U2 | medium | Long base64 or escaped-hex sequence in Exec lines. | T1027 |
| U3 | high | Interpreter (sh/bash/python/perl/ruby/node) + Restart=always/on-failure/on-abnormal/on-success = respawn loop. Honors the systemd +/-/@/! Exec-line modifiers. | T1059.004 |
| U4 | high | ExecStart in /tmp / /home / /root / .cache / .config AND an [Install] section that auto-enables it (WantedBy/RequiredBy). Every boot auto-starts code from a path with a broad write-access surface. | T1546 |
| U5 | critical | User=root + writable Exec target. The canonical Linux setuid-via-systemd primitive: write access to the target yields root each time the unit fires. | T1543.002 |
| U6 | medium | Writable EnvironmentFile or LoadCredentialEncrypted path. Inject LD_PRELOAD / substitute credentials before service start. | T1546 |
| U7 | medium | Suspicious timer cadence — OnUnitActiveSec < 60s. Legitimate timers rarely fire sub-minute; fast-cadence is the canonical C2 / beacon poll shape. | T1053.006 |
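As an added illustration (not the project's own detector code), a minimal Python sketch of two of the layers above: U3 with the systemd Exec-line prefix modifiers stripped before the interpreter match, and U7 via systemd time-span parsing. The unit text and paths are constructed samples.

```python
import re
# Constructed sample units (not from the page): a U3 respawn loop and a U7 fast timer.
SAMPLE_SERVICE = """[Service]
ExecStart=-@/usr/bin/python3 agent /home/user/.cache/agent.py
Restart=always
[Install]
WantedBy=default.target
"""
SAMPLE_TIMER = "[Timer]\nOnBootSec=10\nOnUnitActiveSec=30s\n"

INTERPRETERS = {"sh", "bash", "python", "python3", "perl", "ruby", "node"}
RESPAWN = {"always", "on-failure", "on-abnormal", "on-success"}
EXEC_PREFIXES = "@-:+!"  # systemd Exec= prefix modifiers; may be combined

def parse_unit(text):
    """INI-style unit text -> {section: [(key, value), ...]}; keys may repeat."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None and line[0] not in "#;":
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def check_u3(sections):
    """U3: interpreter in any Exec* line plus a respawning Restart= setting."""
    service = sections.get("Service", [])
    restart = [v for k, v in service if k == "Restart"]
    if not restart or restart[-1] not in RESPAWN:  # last assignment wins
        return None
    for key, value in service:
        argv = value.lstrip(EXEC_PREFIXES).split() if key.startswith("Exec") else []
        if argv and argv[0].rsplit("/", 1)[-1] in INTERPRETERS:
            return f"U3 high: {key}={value} with Restart={restart[-1]}"
    return None

def parse_timespan(value):
    """systemd time span ('30s', '1min 30s', bare '45' = seconds) to seconds."""
    units = {"us": 1e-6, "ms": 1e-3, "s": 1, "sec": 1, "m": 60, "min": 60,
             "h": 3600, "hr": 3600, "d": 86400, "day": 86400}
    return sum(float(n) * units.get(u, 1)
               for n, u in re.findall(r"(\d+(?:\.\d+)?)\s*([a-z]*)", value))

def check_u7(sections):
    """U7: OnUnitActiveSec under 60 seconds is beacon-shaped cadence."""
    for key, value in sections.get("Timer", []):
        if key == "OnUnitActiveSec" and parse_timespan(value) < 60:
            return f"U7 medium: OnUnitActiveSec={value} fires sub-minute"
    return None
```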
No new CLI needed
The systemd collector already runs as part of
digger collect; the detector runs at
digger scan time.