SigmaHQ/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml

title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
status: experimental
description: Detects a reload or a start of a service.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
    - https://attack.mitre.org/techniques/T1543/002/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'systemctl'
        a1|contains:
            - 'daemon-reload'
            - 'start'
    condition: selection
falsepositives:
    - Installation of legitimate service.
    - Legitimate reconfiguration of service.
level: low
tags:
    - attack.persistence
    - attack.t1543.002
Rule fixes Made tests pass the new CI tests. Added further allowed lower case words in rule test. 2020-02-20 22:00:16 +00:00			`title: Systemd Service Reload or Start`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: 2625cc59-0634-40d0-821e-cb67382a3dd7`
Linux systemd reload or start rule (T1501) 2019-10-23 18:21:19 +00:00			`status: experimental`
Updated ART reference links from .yaml 2021-07-06 09:39:25 +00:00			`description: Detects a reload or a start of a service.`
Linux systemd reload or start rule (T1501) 2019-10-23 18:21:19 +00:00			`author: Jakob Weinzettl, oscd.community`
			`date: 2019/09/23`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`references:`
			`- https://attack.mitre.org/techniques/T1543/002/`
Updated ART reference links from .yaml 2021-07-06 09:39:25 +00:00			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md`
Linux systemd reload or start rule (T1501) 2019-10-23 18:21:19 +00:00			`logsource:`
			`product: linux`
Adding auditd compatibility 2019-11-29 08:34:08 +00:00			`service: auditd`
Linux systemd reload or start rule (T1501) 2019-10-23 18:21:19 +00:00			`detection:`
Adding auditd compatibility 2019-11-29 08:34:08 +00:00			`selection:`
			`type: 'EXECVE'`
Update lnx_pers_systemd_reload.yml 2019-12-02 01:54:13 +00:00			`a0\|contains: 'systemctl'`
			`a1\|contains:`
Adding auditd compatibility 2019-11-29 08:34:08 +00:00			`- 'daemon-reload'`
			`- 'start'`
			`condition: selection`
Linux systemd reload or start rule (T1501) 2019-10-23 18:21:19 +00:00			`falsepositives:`
Updated ART reference links from .yaml 2021-07-06 09:39:25 +00:00			`- Installation of legitimate service.`
			`- Legitimate reconfiguration of service.`
Linux systemd reload or start rule (T1501) 2019-10-23 18:21:19 +00:00			`level: low`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`tags:`
			`- attack.persistence`
Updated ART reference links from .yaml 2021-07-06 09:39:25 +00:00			`- attack.t1543.002`