{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/hexnode-agent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Acronis Cyber Protect","autorandr","AWS Replication Agent","BeyondTrust products","ClamScan","Debian Package Manager","DNF","Elephant","Firefox","FortiClient","GDM","GNOME Shell","Google Chrome","Google Cloud Agent","Google Cloud Linux Service","Halcyon Agent","Hexnode Agent","Hyprland","i3-zoom","K3s","K3s Server","Kubernetes","LXD","man-db","NGT Guest Agent","Pamac","Picus Updater","Plesk Task Manager","Ptyxis Agent","QSetup","RPM Package Manager","rpm-ostree","runc","Salt","Salt Minion","SentinelOne Agent","Slack","snapd","systemd","Tableau Server","Thunar","tmux","Tychon Endpoint","Vanta Launcher","xdg-desktop-portal","yay","Zoom"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","execution","linux"],"_cs_type":"advisory","_cs_vendors":["Acronis","Amazon Web Services","BeyondTrust","Canonical","ClamAV","Debian","Elastic","Fortinet","GNOME","Google","Halcyon","Hexnode","Manjaro Development Team","Mozilla","Open Container Initiative","Palo Alto Networks","Picus Security","Plesk","QSetup","Rancher","Red Hat","Saltstack","SentinelOne","Slack","Tableau","Tychon","Vanta","VMware","Xfce","Zoom"],"content_html":"\u003cp\u003eThis threat brief outlines a technique where adversaries utilize the \u003ccode\u003esystemd-run\u003c/code\u003e binary on Linux systems for proxy execution, a method aimed at defense evasion and enabling command execution. \u003ccode\u003esystemd-run\u003c/code\u003e is a legitimate system utility designed to schedule commands for background execution through \u003ccode\u003esystemd\u003c/code\u003e. Attackers can exploit this functionality to run malicious payloads, such as shells, downloaders, or credential-harvesting scripts, as transient services or scopes. This technique allows them to detach their processes, obscure the direct parent-child relationships in the process tree, and mask their activities behind a trusted system utility, significantly reducing visibility for defenders. The technique can be used post-initial access to establish persistence, expand access, or facilitate data exfiltration without directly revealing the true malicious parent process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, often via exploitation of a vulnerable service, compromised credentials, or a successful phishing attempt.\u003c/li\u003e\n\u003cli\u003eAfter establishing a foothold, the attacker performs reconnaissance to understand the environment and identifies \u003ccode\u003esystemd-run\u003c/code\u003e as a potential tool for evading detection.\u003c/li\u003e\n\u003cli\u003eThe attacker stages a malicious payload (e.g., a reverse shell script, a downloader for additional malware, or a credential harvesting tool) onto the compromised system, possibly in a temporary directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious payload using \u003ccode\u003esystemd-run\u003c/code\u003e, typically with options like \u003ccode\u003e--user\u003c/code\u003e or \u003ccode\u003e--scope\u003c/code\u003e, to launch it as a transient systemd unit or scope, detaching it from the initiating process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esystemd-run\u003c/code\u003e acts as a proxy, launching the malicious command or script in the background, making it appear as a legitimate systemd-managed process.\u003c/li\u003e\n\u003cli\u003eThe detached malicious payload executes, performing its intended actions such as establishing command and control, downloading further stages, escalating privileges, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker might configure persistence mechanisms within the transient unit definition or by other means, ensuring continued access even after the initial session ends.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successful, attacks employing \u003ccode\u003esystemd-run\u003c/code\u003e for proxy execution can lead to significant compromises. Adversaries can execute arbitrary commands, establish covert persistence, download additional malicious tooling, or exfiltrate sensitive data without being easily detected through conventional process monitoring. The use of detached, transient units complicates forensic analysis and incident response by obfuscating the true origin and nature of the malicious processes. This can result in full system compromise, severe data breaches, unauthorized privilege escalation, or lateral movement across the network, making remediation challenging and prolonged.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Potential Proxy Execution via Systemd-run\u0026quot; in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eWhen triggered by the Sigma rule, reconstruct the full process tree around the \u003ccode\u003esystemd-run\u003c/code\u003e event to determine which user, shell, script, service, or remote access session invoked it.\u003c/li\u003e\n\u003cli\u003eReview the exact command passed through \u003ccode\u003esystemd-run\u003c/code\u003e, including flags such as \u003ccode\u003e--user\u003c/code\u003e, \u003ccode\u003e--scope\u003c/code\u003e, scheduling options, or custom unit names, to classify the spawned payload as expected or suspicious.\u003c/li\u003e\n\u003cli\u003eIsolate any affected Linux host from the network immediately, and terminate the malicious \u003ccode\u003esystemd-run\u003c/code\u003e transient unit or scope along with any child processes it launched.\u003c/li\u003e\n\u003cli\u003eRemove attacker persistence by deleting unauthorized unit files and drop-ins from \u003ccode\u003e/etc/systemd/system/\u003c/code\u003e, \u003ccode\u003e/run/systemd/transient/\u003c/code\u003e, \u003ccode\u003e/var/lib/systemd/\u003c/code\u003e, and affected users’ \u003ccode\u003e~/.config/systemd/user/\u003c/code\u003e directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T14:39:26Z","date_published":"2026-07-06T14:39:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-systemd-run-proxy-execution/","summary":"This brief details how attackers may leverage the `systemd-run` utility on Linux systems for defense evasion and execution by running commands as detached, transient services or scopes to obscure their activities and parent-child process chains.","title":"Potential Proxy Execution via Systemd-run on Linux","url":"https://feed.craftedsignal.io/briefs/2026-07-systemd-run-proxy-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Hexnode Agent","version":"https://jsonfeed.org/version/1.1"}