Systemd Service Creation
Detects the creation of systemd service unit files in the system and per-user unit directories, a common persistence technique (MITRE ATT&CK T1543.002) that adversaries use to execute malicious code at boot or login. The rule matches auditd PATH records with nametype CREATE whose name falls under /usr/lib/systemd/system/, /etc/systemd/system/ or a user's ~/.config/systemd/user/ directory. Two practitioner caveats: auditd only emits PATH records for syscalls that match an audit rule, so a file watch on these directories (for example `-w /etc/systemd/system -p wa -k systemd_unit` in audit.rules) must be in place for the rule to fire at all; and other unit search paths listed in systemd.unit(5), such as /usr/local/lib/systemd/system/, /run/systemd/system/ and /etc/systemd/user/, are not covered, nor are modifications of existing unit files (nametype NORMAL rather than CREATE).
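As an added example (not part of the Sigma rule or the SigmaHQ project), the detection logic below is the rule's condition rewritten in Python and run over a handful of constructed raw auditd PATH records. It assumes auditd's default raw log format (space-separated key=value pairs, with file names quoted or, when they contain whitespace or non-printable characters, hex-encoded without quotes); the hex decoding step matters because a naive string match on the raw text would miss a unit file named with a space.

```python
import re
from typing import Dict, Iterable, List

# Unit-file locations exactly as the Sigma rule lists them (name_1 / name_2).
NAME_STARTSWITH = ("/usr/lib/systemd/system/", "/etc/systemd/system/")
NAME_CONTAINS = ("/.config/systemd/user/",)

# key=value or key="quoted value" pairs as written by auditd's raw log format.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# auditd hex-encodes (unquoted) names that contain spaces or control characters.
_HEX = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Parse one raw auditd line into a field dict, de-quoting and hex-decoding names."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif key == "name" and _HEX.match(value):
            value = bytes.fromhex(value).decode("utf-8", "replace")
        fields[key] = value
    return fields


def matches_rule(rec: Dict[str, str]) -> bool:
    """Mirror the Sigma condition: path and 1 of name_*."""
    if rec.get("type") != "PATH" or rec.get("nametype") != "CREATE":
        return False
    name = rec.get("name", "")
    return name.startswith(NAME_STARTSWITH) or any(s in name for s in NAME_CONTAINS)


def scan(lines: Iterable[str]) -> List[str]:
    """Return the unit-file paths whose creation matches the rule, in log order."""
    return [rec["name"] for rec in map(parse_audit_record, lines) if matches_rule(rec)]


# Constructed sample records (not real captures); the tail fields mimic auditd's layout.
_TAIL = "inode={ino} dev=08:01 mode={mode} ouid={uid} ogid={uid} rdev=00:00 nametype={nt} cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0"
SAMPLE_LOG = [
    # new system unit dropped in /etc -> match
    'type=PATH msg=audit(1643900000.123:456): item=1 name="/etc/systemd/system/evil.service" '
    + _TAIL.format(ino=1234, mode="0100644", uid=0, nt="CREATE"),
    # the parent directory entry of the same syscall -> nametype=PARENT, no match
    'type=PATH msg=audit(1643900000.123:456): item=0 name="/etc/systemd/system/" '
    + _TAIL.format(ino=100, mode="040755", uid=0, nt="PARENT"),
    # per-user unit under ~/.config/systemd/user -> match
    'type=PATH msg=audit(1643900001.000:457): item=1 name="/home/alice/.config/systemd/user/backdoor.service" '
    + _TAIL.format(ino=5678, mode="0100644", uid=1000, nt="CREATE"),
    # name hex-encoded by auditd because it contains a space -> match only after decoding
    "type=PATH msg=audit(1643900002.000:458): item=1 name="
    + "/etc/systemd/system/my svc.service".encode().hex().upper() + " "
    + _TAIL.format(ino=9, mode="0100644", uid=0, nt="CREATE"),
    # creation in a unit directory the rule does not cover -> no match
    'type=PATH msg=audit(1643900003.000:459): item=1 name="/usr/local/lib/systemd/system/other.service" '
    + _TAIL.format(ino=10, mode="0100644", uid=0, nt="CREATE"),
    # overwrite of an existing unit -> nametype=NORMAL, no match (rule fires on CREATE only)
    'type=PATH msg=audit(1643900004.000:460): item=1 name="/etc/systemd/system/existing.service" '
    + _TAIL.format(ino=11, mode="0100644", uid=0, nt="NORMAL"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("systemd unit created:", hit)
```

Running the block reports the three creations the rule would alert on and silently ignores the PARENT entry, the overwrite and the uncovered /usr/local path, which is the same blind spot the rule itself has.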
Sigma rule

```yaml
title: Systemd Service Creation
id: 1bac86ba-41aa-4f62-9d6b-405eac99b485
status: test
description: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
author: 'Pawel Mazur'
date: 2022-02-03
modified: 2022-02-06
tags:
    - attack.persistence
    - attack.t1543.002
logsource:
    product: linux
    service: auditd
detection:
    path:
        type: 'PATH'
        nametype: 'CREATE'
    name_1:
        name|startswith:
            - '/usr/lib/systemd/system/'
            - '/etc/systemd/system/'
    name_2:
        name|contains: '/.config/systemd/user/'
    condition: path and 1 of name_*
falsepositives:
    - Admin work like legit service installs.
level: medium
```
Related rules
- Systemd Service Reload or Start