valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
91c4c4ecc5
SigmaHQ/rules/linux/lnx_pers_systemd_reload.yml
Thomas Patzke 373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00

28 lines
755 B
YAML
Raw Blame History

title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
description: Detects a reload or a start of a service
status: experimental
tags:
- attack.persistence
- attack.t1501
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'systemctl'
a1|contains:
- 'daemon-reload'
- 'start'
condition: selection
falsepositives:
- Installation of legitimate service
- Legitimate reconfiguration of service
level: low
references:
- https://attack.mitre.org/techniques/T1501/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml
Reference in New Issue View Git Blame Copy Permalink