title: Systemd Service Reload or Start id: 2625cc59-0634-40d0-821e-cb67382a3dd7 status: experimental description: Detects a reload or a start of a service author: Jakob Weinzettl, oscd.community date: 2019/09/23 references: - https://attack.mitre.org/techniques/T1543/002/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml logsource: product: linux service: auditd detection: selection: type: 'EXECVE' a0|contains: 'systemctl' a1|contains: - 'daemon-reload' - 'start' condition: selection falsepositives: - Installation of legitimate service - Legitimate reconfiguration of service level: low tags: - attack.persistence - attack.t1543.002