From 5ae267e32619edcd393df84fa65c07cbaf48ebda Mon Sep 17 00:00:00 2001
From: mrblacyk
Date: Wed, 23 Oct 2019 11:21:19 -0700
Subject: [PATCH] Linux systemd reload or start rule (T1501)
---
 rules/linux/lnx_pers_systemd_reload.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/linux/lnx_pers_systemd_reload.yml
diff --git a/rules/linux/lnx_pers_systemd_reload.yml b/rules/linux/lnx_pers_systemd_reload.yml
new file mode 100644
index 000000000..56289e899
--- /dev/null
+++ b/rules/linux/lnx_pers_systemd_reload.yml
@@ -0,0 +1,24 @@
+title: Systemd service reload or start
+description: Detects a reload or a start of a service
+status: experimental
+tags:
+ - attack.persistence
+ - attack.t1501
+author: Jakob Weinzettl, oscd.community
+date: 2019/09/23
+logsource:
+ product: linux
+detection:
+ selection1:
+ - 'systemctl'
+ selection2:
+ - 'daemon-reload'
+ - 'start'
+ # systemctl AND (daemon-reload OR start)
+ condition: selection1 and selection2
+falsepositives:
+ - Installation of legitimate service
+level: low
+references:
+ - https://attack.mitre.org/techniques/T1501/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml
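Review bot: The bare keyword `'start'` in `selection2` is far too broad for a rule whose only logsource constraint is `product: linux` — with no field name and no `service`, backends treat these lists as free-text search, so any event carrying `systemctl` plus the substring `start` (including `restart`, `Started …` journal lines, or routine admin activity) will fire, which undermines the `level: low` alert even further. The detection would be much more reliable if bound to the event type it is meant for, e.g. `service: auditd` under `logsource` and field-level matches such as `type: EXECVE`, `a0: systemctl` and `a1` limited to `daemon-reload`/`start`/`enable` (confirm the field names against the deployed audit mapping). The `description` should also say what this is evidence of — a systemd unit being (re)loaded as a persistence step — since "reload or a start of a service" is exactly the benign case listed under `falsepositives`. Minor: `date: 2019/09/23` is a month before the commit date, and ATT&CK has since folded T1501 into T1543.002, so the `attack.t1501` tag will want revisiting when the mapping is updated.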