T1569.003 - Systemctl
Sub-technique
Tactics:
Execution
Execution
Platforms:
Linux
Linux
Detection:
Not specified
Not specified
Description:
Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.
Adversaries may use systemctl to execute commands or programs as [Systemd Service](https://attack.mitre.org/techniques/T1543/002)s. Common subcommands include: `systemctl start`, `systemctl stop`, `systemctl enable`, `systemctl disable`, and `systemctl status`.(Citation: Red Hat Systemctl 2022)
Adversaries may use systemctl to execute commands or programs as [Systemd Service](https://attack.mitre.org/techniques/T1543/002)s. Common subcommands include: `systemctl start`, `systemctl stop`, `systemctl enable`, `systemctl disable`, and `systemctl status`.(Citation: Red Hat Systemctl 2022)
Used by Actors (1)
Metadata
| MITRE ID: | T1569.003 |
| STIX ID: | attack-pattern--4b46767d-4a61-... |
| Platforms: | Linux |
| Created: | 13/01/2026 17:48 |
| Updated: | 14/03/2026 16:00 |