DET0253 Detection of Systemd Service Creation or Modification on Linux

ID: DET0253
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1543.002 (Systemd Service)

Analytics

Linux

AN0701

Detects the creation or modification of .service unit files in system/user-level directories, combined with execution of systemctl, service, or dynamically created drop-ins via systemd generators. Detects persistence by analyzing the ExecStart path, file entropy, and symlink usage, especially when paired with execution from /tmp, /dev/shm, or unmounted volumes.

Log Sources

Data Component | Name | Channel
File Creation (DC0039) | auditd:SYSCALL | write, open, or rename to /etc/systemd/system/*.service
File Modification (DC0061) | auditd:SYSCALL | modification of an existing .service file
Command Execution (DC0064) | auditd:SYSCALL | execution of systemctl or service with enable/start parameters
Process Creation (DC0032) | auditd:SYSCALL | fork/exec of the service via PID 1 (systemd)
Service Creation (DC0060) | linux:osquery | newly registered unit file with ExecStart pointing to an unknown binary

Mutable Elements

Field | Description
ServicePathRegex | Regex filters for systemd unit locations (e.g., /etc/systemd/system/*.service, /lib/systemd/system/)
ExecStartPathAllowlist | Allowlist of trusted ExecStart binary paths (e.g., /usr/bin/, /bin/)
UserContextFilter | List of usernames that are authorized to define user-level services
FileEntropyThreshold | Entropy level of binaries referenced in ExecStart above which a packed or obfuscated payload is suspected
SystemctlOperationSet | Flags suspicious combinations such as systemctl enable + systemctl start within a short interval
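The following Python script is an added example of how analytic AN0701 and its mutable elements could be implemented over auditd records and unit-file contents; it is not part of DET0253 or of any ATT&CK tooling. The regex, allowlist, authorized-user set, entropy threshold and time window are assumed tuning values, and the audit lines and unit file at the bottom are constructed sample input, not real telemetry.

```python
import math
import re
from typing import Optional

# --- Mutable elements (assumed tuning values for this example) ---
SERVICE_PATH_REGEX = re.compile(           # ServicePathRegex
    r"^(?:/etc/systemd/system|/(?:usr/)?lib/systemd/system|"
    r"/home/[^/]+/\.config/systemd/user)/[^/]+\.service$"
)
USER_UNIT_RE = re.compile(r"^/home/[^/]+/\.config/systemd/user/")
EXECSTART_PATH_ALLOWLIST = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/usr/lib/")
VOLATILE_EXEC_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")   # from the analytic text
USER_SERVICE_ALLOWED = {"deploy"}          # UserContextFilter (assumed)
FILE_ENTROPY_THRESHOLD = 7.0               # bits/byte; packed/encrypted data approaches 8.0
SYSTEMCTL_WINDOW_SECONDS = 60              # SystemctlOperationSet: enable then start within window

# ExecStart= may carry prefix characters (-, @, :, +, !) before the binary path
EXECSTART_RE = re.compile(r"^ExecStart\s*=\s*[-@:+!]*(\S+)", re.MULTILINE)
AUDIT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_TS_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_unit_file(path: str, content: str, binary_bytes: Optional[bytes] = None,
                    user: Optional[str] = None) -> list:
    """Apply the ExecStart path, allowlist, user-context and entropy checks to one unit."""
    findings = []
    if not SERVICE_PATH_REGEX.match(path):
        return findings                    # not a monitored unit location
    if USER_UNIT_RE.match(path) and user is not None and user not in USER_SERVICE_ALLOWED:
        findings.append(f"{path}: user-level unit defined by unauthorized user {user}")
    m = EXECSTART_RE.search(content)
    if not m:
        return findings
    exe = m.group(1)
    if exe.startswith(VOLATILE_EXEC_DIRS):
        findings.append(f"{path}: ExecStart runs from volatile directory {exe}")
    elif not exe.startswith(EXECSTART_PATH_ALLOWLIST):
        findings.append(f"{path}: ExecStart outside allowlist: {exe}")
    if binary_bytes is not None and shannon_entropy(binary_bytes) > FILE_ENTROPY_THRESHOLD:
        findings.append(f"{path}: ExecStart target has high entropy (possible packed payload)")
    return findings


def parse_audit_line(line: str) -> dict:
    """Flatten one auditd record into a dict and add 'ts' (float) and 'serial'."""
    rec = {k: v.strip('"') for k, v in AUDIT_KV_RE.findall(line)}
    ts = AUDIT_TS_RE.search(line)
    if ts:
        rec["ts"] = float(ts.group(1))
        rec["serial"] = ts.group(2)
    return rec


def correlate_audit(lines: list) -> list:
    """Flag unit-file writes under monitored paths and systemctl enable followed by start."""
    findings, enabled_at = [], {}
    for line in lines:
        rec = parse_audit_line(line)
        if rec.get("type") == "PATH" and SERVICE_PATH_REGEX.match(rec.get("name", "")):
            findings.append(f"unit file written: {rec['name']} (audit serial {rec['serial']})")
        if rec.get("type") != "EXECVE":
            continue
        args = [v for _, v in sorted((int(k[1:]), v) for k, v in rec.items()
                                     if re.fullmatch(r"a\d+", k))]
        if not args:
            continue
        tool, positional = args[0].rsplit("/", 1)[-1], [a for a in args[1:] if not a.startswith("-")]
        if tool not in ("systemctl", "service") or len(positional) < 2:
            continue
        op, unit = (positional[0], positional[1]) if tool == "systemctl" else (positional[1], positional[0])
        if op == "enable" and "--now" in args:
            findings.append(f"{tool} enable --now of {unit}")
        elif op == "enable":
            enabled_at[unit] = rec["ts"]
        elif op == "start" and unit in enabled_at and rec["ts"] - enabled_at[unit] <= SYSTEMCTL_WINDOW_SECONDS:
            findings.append(f"{tool} enable+start of {unit} within {rec['ts'] - enabled_at[unit]:.3f}s")
    return findings


# Constructed sample input for this example (not real audit output or a real unit)
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1761040000.101:501): arch=c000003e syscall=257 success=yes exit=3 comm="bash" exe="/usr/bin/bash" uid=0 key="systemd_units"',
    'type=PATH msg=audit(1761040000.101:501): item=1 name="/etc/systemd/system/updater.service" nametype=CREATE',
    'type=EXECVE msg=audit(1761040000.102:502): argc=3 a0="systemctl" a1="enable" a2="updater.service"',
    'type=EXECVE msg=audit(1761040000.105:503): argc=3 a0="systemctl" a1="start" a2="updater.service"',
    'type=EXECVE msg=audit(1761040000.200:504): argc=3 a0="systemctl" a1="status" a2="sshd.service"',
]
SAMPLE_UNIT = "[Unit]\nDescription=updater\n\n[Service]\nExecStart=/dev/shm/.u/updater --daemon\nRestart=always\n"

if __name__ == "__main__":
    for f in correlate_audit(SAMPLE_AUDIT_LINES) + check_unit_file(
            "/etc/systemd/system/updater.service", SAMPLE_UNIT, bytes(range(256)) * 4):
        print("ALERT:", f)
```

Each check is kept separately tunable so that the mutable elements can be adjusted per environment: for example, a host that legitimately stages binaries under /opt would extend EXECSTART_PATH_ALLOWLIST rather than suppress the whole analytic.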