
Service Reload or Start - Linux

Detects the start, reload or restart of a service via systemctl or service, as seen in auditd EXECVE records (the 'start' substring match on the first argument also covers 'restart').

Author: Jakob Weinzettl, oscd.community, CheraghiMilad
Log Source
Product: linux
Service: auditd
Detection Logic
detection:
    selection:
        type: 'EXECVE'
        a0|contains:
            - 'systemctl'
            - 'service'
        a1|contains:
            - 'reload'
            - 'start'
    condition: selection
False Positives

Installation of a legitimate service.

Legitimate reconfiguration of a service.

Command lines containing daemon-reload (the a1 'contains' test for 'reload' also matches 'daemon-reload').
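To see what the selection above actually matches, and why the daemon-reload false positive listed here fires, the following is an added example (not part of the Sigma rule, the Sigma project, or this site): a minimal evaluator for this one selection, run over constructed auditd EXECVE lines. It assumes raw auditd key=value records where the argv entries appear as a0, a1, ... and applies Sigma's default case-insensitive 'contains'. Note what it also shows: because the service wrapper takes the unit name before the action (service cron restart), a1 is the unit name, so that form is missed by the rule as written.

```python
import re

# Constructed auditd EXECVE records for illustration; not captured from a real host.
SAMPLE_AUDITD_LOG = """\
type=EXECVE msg=audit(1700000000.001:101): argc=3 a0="systemctl" a1="restart" a2="sshd"
type=EXECVE msg=audit(1700000000.002:102): argc=3 a0="service" a1="cron" a2="restart"
type=EXECVE msg=audit(1700000000.003:103): argc=2 a0="systemctl" a1="daemon-reload"
type=EXECVE msg=audit(1700000000.004:104): argc=3 a0="systemctl" a1="stop" a2="nginx"
type=EXECVE msg=audit(1700000000.005:105): argc=3 a0="/bin/systemctl" a1="reload" a2="apache2"
type=EXECVE msg=audit(1700000000.006:106): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.007:107): arch=c000003e syscall=59 success=yes exit=0 comm="systemctl" exe="/usr/bin/systemctl"
type=EXECVE msg=audit(1700000000.008:108): argc=3 a0="systemctl" a1="enable" a2="evil.service"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
# Arguments that auditd hex-encodes (values with whitespace or non-printables)
# are kept as their raw hex token here and are not decoded.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The rule's selection, expressed as the same field|modifier -> value list map.
SELECTION = {
    "type": ["EXECVE"],
    "a0|contains": ["systemctl", "service"],
    "a1|contains": ["reload", "start"],
}


def parse_audit_record(line):
    """Turn one auditd line into a dict of field -> unquoted string value."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def field_matches(record, field_spec, patterns):
    """Evaluate one 'field|modifier: [values]' entry; list values are ORed."""
    name, _, modifier = field_spec.partition("|")
    value = record.get(name)
    if value is None:
        return False
    value = value.lower()  # Sigma string matching is case-insensitive by default
    if modifier == "contains":
        return any(p.lower() in value for p in patterns)
    if modifier == "":
        return any(p.lower() == value for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(record, selection=SELECTION):
    """All entries of a Sigma selection map must hold (implicit AND)."""
    return all(field_matches(record, spec, pats) for spec, pats in selection.items())


def run_detection(log_text):
    """Return the parsed records that satisfy the selection, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_audit_record(line)
        if rule_matches(record):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_AUDITD_LOG):
        argv = " ".join(hit[k] for k in ("a0", "a1", "a2") if k in hit)
        print(f"{hit['msg']} {argv}")
```

Of the eight constructed lines, the evaluator flags 101 (restart via the 'start' substring), 103 (the daemon-reload false positive) and 105 (reload through a full path to systemctl); it ignores the stop and enable invocations, the SYSCALL record, and the service cron restart line, where the action sits in a2 rather than a1.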

Rule Metadata
Rule ID
2625cc59-0634-40d0-821e-cb67382a3dd7
Status
test
Level
low
Type
Detection
Created
Mon Sep 23
Modified
Mon Mar 03
Path
rules/linux/auditd/execve/lnx_auditd_susp_service_reload_or_restart.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.t1543.002