Detects the creation or modification of .service unit files in system- or user-level directories, combined with execution of systemctl or service, or with drop-ins created dynamically via systemd generators. Persistence is identified by analyzing the ExecStart path, file entropy, and symlink usage, especially when paired with execution from /tmp, /dev/shm, or unmounted volumes.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:SYSCALL | write, open, or rename to /etc/systemd/system/*.service |
| File Modification (DC0061) | auditd:SYSCALL | modification of existing .service file |
| Command Execution (DC0064) | auditd:SYSCALL | execution of systemctl or service with enable/start parameters |
| Process Creation (DC0032) | auditd:SYSCALL | fork/exec of service via PID 1 (systemd) |
| Service Creation (DC0060) | linux:osquery | newly registered unit file with ExecStart pointing to unknown binary |

| Field | Description |
|---|---|
| ServicePathRegex | Regex filters for systemd unit locations (e.g., `/etc/systemd/system/*.service`, `/lib/systemd/system/`) |
| ExecStartPathAllowlist | Allowlist of trusted `ExecStart` binary paths (e.g., `/usr/bin/`, `/bin/`) |
| UserContextFilter | List of usernames that are authorized to define user-level services |
| FileEntropyThreshold | Entropy level of binaries referenced in `ExecStart` to detect packed or obfuscated payloads |
| SystemctlOperationSet | Flags suspicious combinations such as `systemctl enable` + `systemctl start` within short interval |
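As an added example (not part of this detection strategy's own tooling), the following Python implements the ExecStart allowlist, temp-directory, symlink and entropy checks described above against a constructed unit file; the allowlist, suspicious directories and 7.2 bits/byte threshold are assumed values a deployment would tune.

```python
import math
import re

# Constructed sample unit (not from a real system); ExecStart points into /dev/shm.
SAMPLE_UNIT = """[Service]
ExecStart=/dev/shm/.cache/refresh --daemon
"""

# Tunables mirroring the mutable elements above; these values are assumptions.
EXECSTART_PATH_ALLOWLIST = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FILE_ENTROPY_THRESHOLD = 7.2  # bits/byte; packed or encrypted payloads approach 8.0

def parse_execstart(unit_text):
    """Executable path from the first ExecStart= line (None if absent).
    systemd permits '-', '@', '+', '!' or ':' prefixes before the path."""
    for line in unit_text.splitlines():
        m = re.match(r"^\s*ExecStart\s*=\s*[-@+!:]*(\S+)", line)
        if m:
            return m.group(1)
    return None

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def assess_unit(unit_text, binary_bytes=None, resolved_path=None):
    """Detection reasons for one unit file.  In production, binary_bytes is the
    ExecStart target read from disk and resolved_path its os.path.realpath()."""
    reasons = []
    exe = parse_execstart(unit_text)
    if exe is None:
        return reasons
    if not exe.startswith(EXECSTART_PATH_ALLOWLIST):
        reasons.append("execstart_outside_allowlist")
    if exe.startswith(SUSPICIOUS_EXEC_DIRS):
        reasons.append("execstart_in_tmp_or_shm")
    if resolved_path and resolved_path != exe and not resolved_path.startswith(EXECSTART_PATH_ALLOWLIST):
        reasons.append("symlink_to_untrusted_target")  # trusted path is only a symlink
    if binary_bytes is not None and shannon_entropy(binary_bytes) > FILE_ENTROPY_THRESHOLD:
        reasons.append("high_entropy_binary")
    return reasons
```

In a live deployment the unit text would come from the file named in the auditd write/rename event, and any non-empty reason list would be correlated with a following systemctl enable/start from the same session.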