Language: KQL · License: Elastic-2.0 · Source: elastic/detection-rules

Systemd Service Started by Unusual Parent Process

Rule source: rules/linux/persistence_systemd_service_started.toml
host.os.type:linux and event.category:process and event.type:start and event.action:exec and
process.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and 
process.entry_leader.entry_meta.type:* and
not (
  process.entry_leader.entry_meta.type:(container or init or unknown) or
  process.parent.pid:1 or
  process.parent.executable:(
    /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or /bin/pacman or
    /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or /usr/bin/dnf or
    /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or /usr/bin/pacman or
    /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or /usr/sbin/adduser or
    /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/* or /opt/datadog-agent/embedded/bin/installer or
    /opt/saltstack/salt/bin/python* or /opt/puppetlabs/puppet/bin/puppet or /opt/splunkforwarder/bin/splunk or
    /opt/puppetlabs/puppet/bin/ruby or /opt/kaspersky/kesl/shared/kesl or /usr/local/bin/cloudflared or
    /usr/bin/puppet or /opt/sentinelone/bin/sentinelctl
  ) or
  process.args_count >= 5 or
  process.parent.command_line:*ansible*
)