<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FortiClient - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/forticlient/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 14:39:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/forticlient/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Proxy Execution via Systemd-run on Linux</title><link>https://feed.craftedsignal.io/briefs/2026-07-systemd-run-proxy-execution/</link><pubDate>Mon, 06 Jul 2026 14:39:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-systemd-run-proxy-execution/</guid><description>This brief details how attackers may leverage the `systemd-run` utility on Linux systems for defense evasion and execution by running commands as detached, transient services or scopes to obscure their activities and parent-child process chains.</description><content:encoded><![CDATA[<p>This threat brief outlines a technique where adversaries utilize the <code>systemd-run</code> binary on Linux systems for proxy execution, a method aimed at defense evasion and enabling command execution. <code>systemd-run</code> is a legitimate system utility designed to schedule commands for background execution through <code>systemd</code>. Attackers can exploit this functionality to run malicious payloads, such as shells, downloaders, or credential-harvesting scripts, as transient services or scopes. This technique allows them to detach their processes, obscure the direct parent-child relationships in the process tree, and mask their activities behind a trusted system utility, significantly reducing visibility for defenders. The technique can be used post-initial access to establish persistence, expand access, or facilitate data exfiltration without directly revealing the true malicious parent process.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Linux system, often via exploitation of a vulnerable service, compromised credentials, or a successful phishing attempt.</li>
<li>After establishing a foothold, the attacker performs reconnaissance to understand the environment and identifies <code>systemd-run</code> as a potential tool for evading detection.</li>
<li>The attacker stages a malicious payload (e.g., a reverse shell script, a downloader for additional malware, or a credential harvesting tool) onto the compromised system, possibly in a temporary directory.</li>
<li>The attacker executes the malicious payload using <code>systemd-run</code>, typically with options like <code>--user</code> or <code>--scope</code>, to launch it as a transient systemd unit or scope, detaching it from the initiating process.</li>
<li><code>systemd-run</code> acts as a proxy, launching the malicious command or script in the background, making it appear as a legitimate systemd-managed process.</li>
<li>The detached malicious payload executes, performing its intended actions such as establishing command and control, downloading further stages, escalating privileges, or exfiltrating data.</li>
<li>The attacker might configure persistence mechanisms within the transient unit definition or by other means, ensuring continued access even after the initial session ends.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If successful, attacks employing <code>systemd-run</code> for proxy execution can lead to significant compromises. Adversaries can execute arbitrary commands, establish covert persistence, download additional malicious tooling, or exfiltrate sensitive data without being easily detected through conventional process monitoring. The use of detached, transient units complicates forensic analysis and incident response by obfuscating the true origin and nature of the malicious processes. This can result in full system compromise, severe data breaches, unauthorized privilege escalation, or lateral movement across the network, making remediation challenging and prolonged.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect Potential Proxy Execution via Systemd-run&quot; in this brief to your SIEM and tune for your environment.</li>
<li>When triggered by the Sigma rule, reconstruct the full process tree around the <code>systemd-run</code> event to determine which user, shell, script, service, or remote access session invoked it.</li>
<li>Review the exact command passed through <code>systemd-run</code>, including flags such as <code>--user</code>, <code>--scope</code>, scheduling options, or custom unit names, to classify the spawned payload as expected or suspicious.</li>
<li>Isolate any affected Linux host from the network immediately, and terminate the malicious <code>systemd-run</code> transient unit or scope along with any child processes it launched.</li>
<li>Remove attacker persistence by deleting unauthorized unit files and drop-ins from <code>/etc/systemd/system/</code>, <code>/run/systemd/transient/</code>, <code>/var/lib/systemd/</code>, and affected users’ <code>~/.config/systemd/user/</code> directories.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>defense-evasion</category><category>execution</category><category>linux</category></item></channel></rss>