Potential Proxy Execution via Systemd-run
This rule detects the execution of a command or binary through the systemd-run binary. Systemd-run can schedule commands to be executed in the background through systemd. Attackers may use this technique to execute commands while attempting to evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/07/02"
3integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2026/07/06"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects the execution of a command or binary through the systemd-run binary. Systemd-run can schedule commands
11to be executed in the background through systemd. Attackers may use this technique to execute commands while attempting
12to evade detection.
13"""
14from = "now-9m"
15index = [
16 "auditbeat-*",
17 "endgame-*",
18 "logs-auditd_manager.auditd-*",
19 "logs-endpoint.events.process*",
20 "logs-sentinel_one_cloud_funnel.*",
21 "logs-crowdstrike.fdr*",
22]
23language = "eql"
24license = "Elastic License v2"
25name = "Potential Proxy Execution via Systemd-run"
26note = """ ## Triage and analysis
27
28> **Disclaimer**:
29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
30
31### Investigating Potential Proxy Execution via Systemd-run
32
33This alert fires when a Linux process launches another command through systemd-run instead of executing it directly, which can hide execution behind a trusted system utility and detach it into a transient service or scope. An attacker might use systemd-run --user or a transient unit to start a shell, downloader, or credential-harvesting script in the background from an interactive session, reducing visibility into the real payload and parent-child chain.
34
35### Possible investigation steps
36
37- Reconstruct the full process tree around the event to determine which user, shell, script, service, or remote access session invoked systemd-run and whether the ancestry aligns with normal administrative or automation activity on that host.
38- Review the exact command passed through systemd-run, including flags such as --user, --scope, scheduling options, or custom unit names, and classify the spawned payload as expected software management, benign interactive use, or suspicious shell, downloader, or persistence behavior.
39- Query systemd and journal artifacts for the transient unit that was created, including unit properties, start time, execution account, service output, and whether the unit remained active, failed, or was configured to run again.
40- Correlate the execution with nearby events from the same user or host such as logins, sudo activity, file creation in writable locations, outbound network connections, or follow-on launches of interpreters and admin tools to identify a broader intrusion sequence.
41- If the activity is unauthorized or unclear, inspect the referenced binary or script for path reputation, package ownership, hash prevalence, and recent modification history, then stop the transient unit and contain any files or persistence it introduced.
42
43### False positive analysis
44
45- A legitimate administrator or maintenance script may use `systemd-run` to launch a transient unit for package updates, cache rebuilds, or controlled service restarts, so verify the initiating user, the parent script or shell history, and nearby package-management or scheduled change activity.
46- A normal desktop or user session can invoke `systemd-run --user` or `--scope` to start an application, terminal, or session task in a transient scope, so confirm the parent process belongs to the logged-in user’s graphical session and that the spawned command matches expected interactive activity in systemd or journal logs.
47
48### Response and remediation
49
50- Isolate the affected Linux host from the network except for approved management channels, terminate the malicious `systemd-run` transient unit or scope, and kill any child shell, downloader, or script it launched.
51- Remove attacker persistence by deleting unauthorized unit files and drop-ins from `/etc/systemd/system/`, `/run/systemd/transient/`, `/var/lib/systemd/`, and affected users’ `~/.config/systemd/user/` directories, then run `systemctl daemon-reload` and disable any malicious timers or services.
52- Preserve and quarantine the executed payload, related scripts, and any files created from writable locations such as `/tmp`, `/var/tmp`, `/dev/shm`, or a user home directory, and revoke exposed access by resetting compromised passwords, SSH keys, tokens, and sudo access tied to the initiating account.
53- Restore the system to a known-good state by reimaging or rebuilding the host from a trusted baseline if the command ran as `root`, modified security tooling, or executed an unknown binary, and validate that only approved packages, services, and startup entries remain before returning it to production.
54- Escalate to incident response immediately if the `systemd-run` activity spawned a reverse shell, downloader, credential access tool, or lateral movement utility, if similar transient units appear on multiple hosts, or if the affected account has privileged or production access.
55- Harden the environment by restricting who can invoke `systemd-run` through sudoers and privileged group membership, enforcing MFA and least privilege for administrative access, monitoring for new transient units and unexpected `--user` executions, and blocking execution from world-writable paths where the payload was staged.
56"""
57risk_score = 21
58rule_id = "a2e5e290-f534-4b71-bc3f-2dd1932b4cd6"
59setup = """## Setup
60
61This rule requires data coming in from one of the following integrations:
62- Elastic Defend
63- Auditbeat
64- Auditd Manager
65- CrowdStrike
66
67### Elastic Defend Integration Setup
68Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
69
70#### Prerequisite Requirements:
71- Fleet is required for Elastic Defend.
72- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
73
74#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
75- Go to the Kibana home page and click "Add integrations".
76- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
77- Click "Add Elastic Defend".
78- Configure the integration name and optionally add a description.
79- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
80- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
81- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
82- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
83For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
84- Click "Save and Continue".
85- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
86For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
87"""
88severity = "low"
89tags = [
90 "Domain: Endpoint",
91 "OS: Linux",
92 "Use Case: Threat Detection",
93 "Tactic: Defense Evasion",
94 "Tactic: Execution",
95 "Data Source: Elastic Endgame",
96 "Data Source: Elastic Defend",
97 "Data Source: Auditd Manager",
98 "Data Source: SentinelOne",
99 "Data Source: Crowdstrike",
100 "Resources: Investigation Guide",
101]
102timestamp_override = "event.ingested"
103type = "eql"
104query = '''
105process where host.os.type == "linux" and event.type == "start" and
106event.action in ("exec", "exec_event", "executed", "process_started", "start", "ProcessRollup2") and
107process.name == "systemd-run" and ?process.parent.executable != null and
108not (
109 ?process.parent.executable in (
110 "/usr/lib/systemd", "/lib/systemd/systemd", "/opt/saltstack/salt/run/run", "/etc/update-motd.d/70-available-updates",
111 "/tmp/newroot/usr/libexec/ptyxis-agent", "/usr/local/sbin/clamscan.sh", "/opt/sentinelone/bin/sentinelone-agent",
112 "/usr/local/bin/salt-minion", "/var/vanta/launcher", "/opt/traps/bin/pmd", "/usr/sbin/gdm", "/usr/bin/salt-minion",
113 "/opt/GC_Ext/GC/gc_linux_service", "/usr/lib/plesk-task-manager", "/opt/forticlient/epctrl", "/usr/lib/snapd/snap-exec",
114 "/usr/bin/yay", "/usr/local/bin/hexnode_agent", "/opt/halcyon/halcyonar/agent", "/usr/local/bin/qsetup", "/usr/bin/pamac",
115 "/usr/bin/elephant", "/usr/bin/Hyprland"
116 ) or
117 ?process.parent.executable like (
118 "/opt/tableau/tableau_server/packages/scripts.*/after-install", "/opt/acronis/bin/acp-update-controller", "/snap/*",
119 "/var/lib/amagent/*", "/opt/msp-agent/msp-agent-core", "/opt/beyondtrust/*", "/var/lib/rancher/k3s/*/bin/k3s"
120 ) or
121 ?process.parent.name like "platform-python*" or
122 ?process.parent.name in (
123 "udevadm", "daemon.start", "snap", "systemd", "ptyxis-agent", "run-slack", "run-firefox", "dbus.service", "k3s-server",
124 "systemd-udevd", "kubelet", "hyperkube", "kthreadd", "gnome-shell", "xdg-desktop-portal", "firefox", "picus_updater",
125 "rpm-ostree", "prompt-agent"
126 ) or
127 ?process.command_line in (
128 "/usr/bin/systemd-run /usr/bin/systemctl start man-db-cache-update", "systemd-run env",
129 "systemd-run --user dnf-automatic-notifyonly.timer", "systemd-run --user systemctl suspend", "systemd-run /var/lib/aws-replication-agent/uninstall-agent.sh",
130 "systemd-run --on-active=10 --timer-property=AccuracySec=100ms --slice=system.slice systemctl start gc-agent",
131 "systemd-run --user --scope --unit=tmux-server -- tmux", "systemd-run bash -c sleep 60 && reboot"
132 ) or
133 ?process.command_line like~ (
134 "systemd-run --scope -p CPUQuota=10% rpm -qa*", "systemd-run --scope -p CPUQuota=10% dpkg -l*"
135 ) or
136 ?process.parent.command_line in ("runc init", "/usr/local/bin/main") or
137 ?process.parent.command_line like ("*/var/lib/waagent/*", "bash ./run.sh") or
138 process.args in (
139 "--help", "list-timers", "/usr/lib/udev/kdump-udev-throttler", "kubectl", "--unit=ngt_guest_agent_upgrade", "i3-zoom", "google-chrome",
140 "thunar", "/usr/bin/google-chrome-stable", "snap.lxd.workaround", "--unit=firefox", "--unit=slack", "--slice=zoom.slice",
141 "autorandr-launcher", "--unit=restart-dbus", "--unit=autorandr-debounce"
142 ) or
143 process.args like ("--unit=app-Hyprland-wezterm-*.scope", "--unit=app-Hyprland-swaybg-*.scope", "--unit=rmf_sim_*") or
144 ?process.working_directory == "/opt/Tychon/Endpoint/bin" or
145 (process.args in ("rpm", "dpkg") and process.args like~ "CPUQuota=*") or
146 (process.args == "--slice=app-graphical.slice" and process.args == "--description=xdg-terminal-exec")
147)
148'''
149
150[[rule.threat]]
151framework = "MITRE ATT&CK"
152
153 [rule.threat.tactic]
154 name = "Defense Evasion"
155 id = "TA0005"
156 reference = "https://attack.mitre.org/tactics/TA0005/"
157
158 [[rule.threat.technique]]
159 id = "T1218"
160 name = "System Binary Proxy Execution"
161 reference = "https://attack.mitre.org/techniques/T1218/"
162
163 [[rule.threat.technique]]
164 name = "Hijack Execution Flow"
165 id = "T1574"
166 reference = "https://attack.mitre.org/techniques/T1574/"
167
168[[rule.threat]]
169framework = "MITRE ATT&CK"
170
171 [rule.threat.tactic]
172 name = "Execution"
173 id = "TA0002"
174 reference = "https://attack.mitre.org/tactics/TA0002/"
175
176 [[rule.threat.technique]]
177 id = "T1059"
178 name = "Command and Scripting Interpreter"
179 reference = "https://attack.mitre.org/techniques/T1059/"
180
181 [[rule.threat.technique.subtechnique]]
182 name = "Unix Shell"
183 id = "T1059.004"
184 reference = "https://attack.mitre.org/techniques/T1059/004/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Potential Proxy Execution via Systemd-run
This alert fires when a Linux process launches another command through systemd-run instead of executing it directly, which can hide execution behind a trusted system utility and detach it into a transient service or scope. An attacker might use systemd-run --user or a transient unit to start a shell, downloader, or credential-harvesting script in the background from an interactive session, reducing visibility into the real payload and parent-child chain.
Possible investigation steps
- Reconstruct the full process tree around the event to determine which user, shell, script, service, or remote access session invoked systemd-run and whether the ancestry aligns with normal administrative or automation activity on that host.
- Review the exact command passed through systemd-run, including flags such as --user, --scope, scheduling options, or custom unit names, and classify the spawned payload as expected software management, benign interactive use, or suspicious shell, downloader, or persistence behavior.
- Query systemd and journal artifacts for the transient unit that was created, including unit properties, start time, execution account, service output, and whether the unit remained active, failed, or was configured to run again.
- Correlate the execution with nearby events from the same user or host such as logins, sudo activity, file creation in writable locations, outbound network connections, or follow-on launches of interpreters and admin tools to identify a broader intrusion sequence.
- If the activity is unauthorized or unclear, inspect the referenced binary or script for path reputation, package ownership, hash prevalence, and recent modification history, then stop the transient unit and contain any files or persistence it introduced.
False positive analysis
- A legitimate administrator or maintenance script may use
systemd-runto launch a transient unit for package updates, cache rebuilds, or controlled service restarts, so verify the initiating user, the parent script or shell history, and nearby package-management or scheduled change activity. - A normal desktop or user session can invoke
systemd-run --useror--scopeto start an application, terminal, or session task in a transient scope, so confirm the parent process belongs to the logged-in user’s graphical session and that the spawned command matches expected interactive activity in systemd or journal logs.
Response and remediation
- Isolate the affected Linux host from the network except for approved management channels, terminate the malicious
systemd-runtransient unit or scope, and kill any child shell, downloader, or script it launched. - Remove attacker persistence by deleting unauthorized unit files and drop-ins from
/etc/systemd/system/,/run/systemd/transient/,/var/lib/systemd/, and affected users’~/.config/systemd/user/directories, then runsystemctl daemon-reloadand disable any malicious timers or services. - Preserve and quarantine the executed payload, related scripts, and any files created from writable locations such as
/tmp,/var/tmp,/dev/shm, or a user home directory, and revoke exposed access by resetting compromised passwords, SSH keys, tokens, and sudo access tied to the initiating account. - Restore the system to a known-good state by reimaging or rebuilding the host from a trusted baseline if the command ran as
root, modified security tooling, or executed an unknown binary, and validate that only approved packages, services, and startup entries remain before returning it to production. - Escalate to incident response immediately if the
systemd-runactivity spawned a reverse shell, downloader, credential access tool, or lateral movement utility, if similar transient units appear on multiple hosts, or if the affected account has privileged or production access. - Harden the environment by restricting who can invoke
systemd-runthrough sudoers and privileged group membership, enforcing MFA and least privilege for administrative access, monitoring for new transient units and unexpected--userexecutions, and blocking execution from world-writable paths where the payload was staged.
Related rules
- Shared Object Load via LoLBin
- Potential Hex Payload Execution via Command-Line
- Attempt to Clear Kernel Ring Buffer
- Execution via GitHub Actions Runner
- Remote GitHub Actions Runner Registration