spl | Apache-2.0 | from splunk/security_content
Linux Auditd Service Restarted
The following analytic detects the restarting or re-enabling of services on Linux systems using the `systemctl` or `service` commands. It leverages data from Linux Auditd, focusing on process and command-line execution logs. This activity is significant as adversaries may use it to maintain persistence or execute unauthorized actions. If confirmed malicious, this behavior could lead to repeated execution of malicious payloads, unauthorized access, or data destruction. Security analysts should investigate these events to mitigate risks and prevent further compromise.
Rule source: detections/endpoint/linux_auditd_service_restarted.yml
`linux_auditd` proctitle IN ("*systemctl *", "*service *") AND proctitle IN ("*restart*", "*reenable*", "*reload*")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_service_restarted_filter`
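The search's wildcard logic, replayed over constructed auditd PROCTITLE records as an added example (not code from splunk/security_content). It assumes the proctitle field is decoded from auditd's hex form to plain text before matching; the host names, sample commands and helper names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

TOOLS = ("*systemctl *", "*service *")               # first proctitle IN (...) of the rule
ACTIONS = ("*restart*", "*reenable*", "*reload*")    # second proctitle IN (...)
RECORD = re.compile(r"msg=audit\((\d+)\.\d+:\d+\): proctitle=(\S+)")

def decode_proctitle(raw):
    """auditd hex-encodes a proctitle containing spaces or NULs; simple ones are quoted."""
    if raw.startswith('"'):
        return raw.strip('"')
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).replace(b"\x00", b" ").decode("utf-8", "replace")
    return raw

def rule_matches(proctitle):
    """Same wildcard logic as the search; Splunk wildcard matching is case-insensitive."""
    p = proctitle.lower()
    return any(fnmatchcase(p, t) for t in TOOLS) and any(fnmatchcase(p, a) for a in ACTIONS)

def detect(records):
    """Equivalent of: stats count min(_time) max(_time) BY proctitle dest."""
    hits = {}
    for dest, line in records:
        m = RECORD.search(line)
        if not m:
            continue
        ts, title = int(m.group(1)), decode_proctitle(m.group(2))
        if rule_matches(title):
            h = hits.setdefault((title, dest), {"count": 0, "firstTime": ts, "lastTime": ts})
            h["count"] += 1
            h["firstTime"], h["lastTime"] = min(h["firstTime"], ts), max(h["lastTime"], ts)
    return hits

def audit_line(ts, cmd):
    """Constructed PROCTITLE record: argv joined by NULs, then hex-encoded as auditd does."""
    hexed = cmd.replace(" ", chr(0)).encode().hex().upper()
    return f"type=PROCTITLE msg=audit({ts}.000:1): proctitle={hexed}"

SAMPLE = [  # constructed records, not real telemetry; host names are hypothetical
    ("web01", audit_line(1700000000, "systemctl restart sshd")),
    ("web01", audit_line(1700000600, "systemctl restart sshd")),
    ("db01", audit_line(1700000100, "service nginx reload")),
    ("db01", audit_line(1700000200, "systemctl status sshd")),              # no action keyword
    ("db01", audit_line(1700000300, "vi /etc/restart-service notes.txt")),  # benign, still matches
]

if __name__ == "__main__":
    for (title, dest), h in detect(SAMPLE).items():
        print(dest, h["count"], h["firstTime"], h["lastTime"], title)
```

The last sample row is a benign command that satisfies both wildcard groups, the kind of result to expect when triaging this rule's output.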