SigmaHQ/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml

title: Systemd Service Reload or Start
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
status: experimental
description: Detects a reload or a start of a service.
author: Jakob Weinzettl, oscd.community
date: 2019/09/23
references:
    - https://attack.mitre.org/techniques/T1543/002/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'systemctl'
        a1|contains:
            - 'daemon-reload'
            - 'start'
    condition: selection
falsepositives:
    - Installation of legitimate service.
    - Legitimate reconfiguration of service.
level: low
tags:
    - attack.persistence
    - attack.t1543.002