
Systemd Service Creation

Detects the creation of systemd unit files, which adversaries can use to execute malicious code at boot or login and to persist on the host.

Author: Pawel Mazur
Created: Thu Feb 03
Updated: Sun Feb 06
Rule ID: 1bac86ba-41aa-4f62-9d6b-405eac99b485
Platform: linux
Log Source
Product: linux
Service: auditd
Detection Logic (3 selectors)
detection:
    path:
        type: 'PATH'
        nametype: 'CREATE'
    name_1:
        name|startswith:
            - '/usr/lib/systemd/system/'
            - '/etc/systemd/system/'
    name_2:
        name|contains: '/.config/systemd/user/'
    condition: path and 1 of name_*
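The following is an added example, not code from the Sigma project or the rule author: it parses auditd PATH records and evaluates the three selectors and the condition `path and 1 of name_*` exactly as written above, so a defender can check which records the rule would fire on. It assumes auditd is emitting PATH records with a `nametype` field (a file watch on the unit directories produces them) and the log lines are constructed for the demonstration.

```python
import re

# Selectors transcribed from the Sigma detection block above.
SYSTEM_UNIT_PREFIXES = ("/usr/lib/systemd/system/", "/etc/systemd/system/")
USER_UNIT_FRAGMENT = "/.config/systemd/user/"

# Constructed auditd records (not real telemetry); layout follows the audit.log key=value format.
SAMPLE_AUDIT_LOG = """\
type=PATH msg=audit(1643900000.101:201): item=1 name="/etc/systemd/system/backup.service" inode=2001 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1643900000.102:202): item=1 name="/home/alice/.config/systemd/user/sync.service" inode=2002 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1643900000.103:203): item=0 name="/etc/systemd/system/sshd.service" inode=2003 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1643900000.104:204): item=1 name="/tmp/notes.txt" inode=2004 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1643900000.104:204): arch=c000003e syscall=257 success=yes exit=3 comm="touch"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones run to the next space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_record(line):
    """Turn one audit.log line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields

def matches_rule(record):
    """Evaluate `path and 1 of name_*` with the selector semantics of the rule."""
    path = record.get("type") == "PATH" and record.get("nametype") == "CREATE"
    name = record.get("name", "")
    name_1 = name.startswith(SYSTEM_UNIT_PREFIXES)   # name|startswith list
    name_2 = USER_UNIT_FRAGMENT in name               # name|contains
    return path and (name_1 or name_2)

def find_unit_creations(log_text):
    """Return the unit file paths from every record that satisfies the rule."""
    hits = []
    for line in log_text.splitlines():
        record = parse_audit_record(line)
        if matches_rule(record):
            hits.append(record["name"])
    return hits

if __name__ == "__main__":
    for unit in find_unit_creations(SAMPLE_AUDIT_LOG):
        print("systemd unit created:", unit)
```

Only the two CREATE records under a unit directory match; the NORMAL (open/read) record, the file outside the watched paths and the SYSCALL record are ignored, which is why the page lists legitimate service installs as the main false positive.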
False Positives

Admin work like legit service installs.

Rule Metadata
Rule ID
1bac86ba-41aa-4f62-9d6b-405eac99b485
Status
test
Level
medium
Type
Detection
Created
Thu Feb 03
Modified
Sun Feb 06
Path
rules/linux/auditd/path/lnx_auditd_systemd_service_creation.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.t1543.002