Systemd Service Creation

Detects a creation of systemd services which could be used by adversaries to execute malicious code.

Sigma rule (View on GitHub)

 1title: Systemd Service Creation
 2id: 1bac86ba-41aa-4f62-9d6b-405eac99b485
 3status: test
 4description: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
 7author: 'Pawel Mazur'
 8date: 2022/02/03
 9modified: 2022/02/06
10tags:
11    - attack.persistence
12    - attack.t1543.002
13logsource:
14    product: linux
15    service: auditd
16detection:
17    path:
18        type: 'PATH'
19        nametype: 'CREATE'
20    name_1:
21        name|startswith:
22            - '/usr/lib/systemd/system/'
23            - '/etc/systemd/system/'
24    name_2:
25        name|contains: '/.config/systemd/user/'
26    condition: path and 1 of name_*
27falsepositives:
28    - Admin work like legit service installs.
29level: medium

References

Related rules

to-top