LoFP / admin work like legit service installs.

Techniques

Sample rules

Systemd Service Creation

Description

Detects the creation of systemd service unit files, which adversaries could use to execute malicious code.

Detection logic

path:
  type: PATH
  nametype: CREATE
name_1:
  name|startswith:
    - /usr/lib/systemd/system/
    - /etc/systemd/system/
name_2:
  name|contains: /.config/systemd/user/
condition: path and 1 of name_*
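The selection logic above, run over constructed auditd-style PATH records, as an added example that is not part of this page or of the Sigma project. It mirrors the `path and 1 of name_*` condition and then tags matches whose creating process is a package manager, which is the "admin work like legit service installs" false positive this entry describes; the `PACKAGE_MANAGERS` allowlist and the `exe` field are assumptions for illustration.

```python
# Added example (not from the LoFP page or the Sigma rule): evaluate the
# "Systemd Service Creation" selections against constructed auditd PATH records.
from dataclasses import dataclass

SYSTEM_UNIT_DIRS = ("/usr/lib/systemd/system/", "/etc/systemd/system/")  # name_1
USER_UNIT_FRAGMENT = "/.config/systemd/user/"                              # name_2

# Hypothetical triage allowlist (assumption): processes that legitimately
# install unit files on this fleet. Tune to your environment.
PACKAGE_MANAGERS = {"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/apt-get", "/usr/bin/dnf"}

@dataclass
class PathEvent:
    type: str       # auditd record type, e.g. "PATH"
    nametype: str   # e.g. "CREATE", "NORMAL", "DELETE"
    name: str       # file path from the PATH record
    exe: str        # executable of the creating process (from the SYSCALL record)

def rule_matches(ev: PathEvent) -> bool:
    """Mirror of the rule: condition: path and 1 of name_*"""
    path_sel = ev.type == "PATH" and ev.nametype == "CREATE"
    name_1 = ev.name.startswith(SYSTEM_UNIT_DIRS)   # startswith accepts a tuple
    name_2 = USER_UNIT_FRAGMENT in ev.name
    return path_sel and (name_1 or name_2)

def triage(ev: PathEvent) -> str:
    """'no_match', 'likely_benign_install' (package manager wrote the unit) or 'review'."""
    if not rule_matches(ev):
        return "no_match"
    if ev.exe in PACKAGE_MANAGERS:
        return "likely_benign_install"
    return "review"

# Constructed sample events: a package install, a scripted unit drop, a user unit,
# a read of an existing unit (nametype NORMAL) and an unrelated file creation.
SAMPLE_EVENTS = [
    PathEvent("PATH", "CREATE", "/usr/lib/systemd/system/nginx.service", "/usr/bin/dpkg"),
    PathEvent("PATH", "CREATE", "/etc/systemd/system/updater.service", "/usr/bin/python3"),
    PathEvent("PATH", "CREATE", "/home/alice/.config/systemd/user/sync.service", "/usr/bin/vim"),
    PathEvent("PATH", "NORMAL", "/etc/systemd/system/ssh.service", "/usr/bin/cat"),
    PathEvent("PATH", "CREATE", "/tmp/notes.txt", "/usr/bin/vim"),
]

def run(events=SAMPLE_EVENTS) -> list:
    return [(ev.name, triage(ev)) for ev in events]

if __name__ == "__main__":
    for name, verdict in run():
        print(f"{verdict:22} {name}")
```

The allowlist is a triage hint for analysts, not a suppression filter: keep the raw match so a unit file written by an unexpected process still surfaces for review.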