Systemd Service Creation
Detects the creation of systemd service unit files, which adversaries can use to execute malicious code.
Sigma rule

```yaml
title: Systemd Service Creation
id: 1bac86ba-41aa-4f62-9d6b-405eac99b485
status: test
description: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
author: 'Pawel Mazur'
date: 2022-02-03
modified: 2022-02-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.002
logsource:
    product: linux
    service: auditd
detection:
    path:
        type: 'PATH'
        nametype: 'CREATE'
    name_1:
        name|startswith:
            - '/usr/lib/systemd/system/'
            - '/etc/systemd/system/'
    name_2:
        name|contains: '/.config/systemd/user/'
    condition: path and 1 of name_*
falsepositives:
    - Admin work like legit service installs.
level: medium
```
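The rule's detection block, applied to raw auditd records, as an added example that is not part of the rule or the Sigma project: it parses the key=value fields of each record, keeps only `type=PATH` records with `nametype=CREATE` (the `path` selection), and then checks the two `name_*` selections exactly as the rule's `condition: path and 1 of name_*` does. The log lines are constructed for the example (the paths, inodes and serials are made up); the function names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Values copied from the rule's name_1 / name_2 selections.
UNIT_DIR_PREFIXES = ("/usr/lib/systemd/system/", "/etc/systemd/system/")
USER_UNIT_DIR_FRAGMENT = "/.config/systemd/user/"

# Constructed sample auditd records (not real captures). Record 505 is the
# symlink that `systemctl enable` drops into a .wants/ directory, i.e. the
# "admin work" false positive the rule itself lists.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1644000000.101:501): arch=c000003e syscall=257 success=yes exit=3 uid=0
type=PATH msg=audit(1644000000.101:501): item=1 name="/etc/systemd/system/backdoor.service" inode=1001 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0
type=PATH msg=audit(1644000000.102:502): item=1 name="/home/alice/.config/systemd/user/sync.service" inode=1002 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1644000000.103:503): item=0 name="/etc/systemd/system/sshd.service" inode=1003 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1644000000.104:504): item=1 name="/tmp/notes.txt" inode=1004 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1644000000.105:505): item=1 name="/etc/systemd/system/multi-user.target.wants/foo.service" inode=1005 dev=fd:01 mode=0120777 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

# key=value tokens; quoted values (name="...") may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch>.<ms>:<serial>) inside the msg field.
MSG_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one auditd record into a field -> value dict, dropping quotes."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def event_serial(rec: Dict[str, str]) -> int:
    """Audit event serial, used to tie a PATH record back to its SYSCALL record."""
    match = MSG_RE.search(rec.get("msg", ""))
    return int(match.group(2)) if match else -1


def matches_rule(rec: Dict[str, str]) -> Optional[str]:
    """Evaluate 'path and 1 of name_*' on one record.

    Returns the name of the name_* selection that fired, or None.
    Linux paths are case-sensitive, so the comparison is exact here.
    """
    # 'path' selection: type: 'PATH' and nametype: 'CREATE'
    if rec.get("type") != "PATH" or rec.get("nametype") != "CREATE":
        return None
    name = rec.get("name", "")
    # name_1: name|startswith the two system unit directories
    if name.startswith(UNIT_DIR_PREFIXES):
        return "name_1"
    # name_2: name|contains the per-user unit directory
    if USER_UNIT_DIR_FRAGMENT in name:
        return "name_2"
    return None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run the rule over a block of auditd records and return the hits."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        selection = matches_rule(rec)
        if selection:
            hits.append({
                "serial": event_serial(rec),
                "name": rec["name"],
                "selection": selection,
                "ouid": rec.get("ouid", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit['serial']}] {hit['selection']} ouid={hit['ouid']} {hit['name']}")
```

Two points the run makes visible. First, the `nametype=NORMAL` record for an existing unit and the `/tmp` file are both ignored, so the rule fires only on new files under the unit directories; record 505 still fires, which is the `systemctl enable` symlink case behind the rule's `falsepositives` entry, so an analyst should expect to correlate hits with the `SYSCALL` record of the same serial (the `uid`, `exe` and `comm` fields there) before escalating. Second, auditd only emits `PATH` records for syscalls it is auditing: without a watch such as `-w /etc/systemd/system -p wa -k systemd_units` (and the equivalent for `/usr/lib/systemd/system` and, if wanted, users' `~/.config/systemd/user`), there is nothing for this rule to match.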
Related rules
- Service Reload or Start - Linux
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted