LoFP / legitimate reconfiguration of service.

Techniques

• t1543
• t1543.002

Sample rules

Systemd Service Reload or Start

• source: sigma
• technicques:
  • t1543
  • t1543.002

Description

Detects a reload or a start of a service.

Detection logic

condition: selection
selection:
  a0|contains: systemctl
  a1|contains:
  - daemon-reload
  - start
  type: EXECVE