T1543.002 Systemd Service Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SystemdServicePaths = dynamic([
  "/etc/systemd/system/",
  "/lib/systemd/system/",
  "/usr/lib/systemd/system/",
  "/run/systemd/system/",
  ".config/systemd/user/",
  "/etc/systemd/user/"
]);
let SuspiciousServiceNames = dynamic([
  "syslogd", "systemd-network", "systemd-resolve", "kthreadd",
  "netns", "cron2", "update-rc", "sshd2", "rsyslogd"
]);
// Detection 1: New service file created in systemd directories
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (SystemdServicePaths)
| where FileName endswith ".service"
| extend IsUserLevelService = FolderPath contains ".config/systemd/user"
| extend IsSuspiciousName = FileName has_any (SuspiciousServiceNames)
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName,
         IsUserLevelService, IsSuspiciousName
| sort by Timestamp desc
// Detection 2: systemctl enable/start on newly created services
// Uncomment and union with above for broader coverage:
// union (
//   DeviceProcessEvents
//   | where Timestamp > ago(24h)
//   | where FileName =~ "systemctl"
//   | where ProcessCommandLine has_any ("enable", "start", "daemon-reload")
//   | where ProcessCommandLine matches regex @"systemctl.*(enable|start).*\.service"
// )

high severity high confidence

Data Sources

File: File Creation File: File Modification Linux file system events via MDE

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Package managers (apt, yum, dnf, rpm) installing legitimate software that includes systemd service units
System administrators manually creating or modifying service files for legitimate infrastructure automation
Configuration management tools (Ansible, Chef, Puppet, SaltStack) deploying service configurations
Docker or container runtime installations that register systemd services
Development environments where developers create test services locally

Splunk

spl

index=linux_logs (sourcetype="linux_auditd" OR sourcetype="auditd")
  action=created OR action=modified OR action=opened
  (object_name="*.service" OR name="*.service")
  (
    object_name="/etc/systemd/*" OR object_name="/lib/systemd/*" OR
    object_name="/usr/lib/systemd/*" OR object_name="/run/systemd/*" OR
    name="/etc/systemd/*" OR name="/lib/systemd/*" OR
    name="/usr/lib/systemd/*" OR name="/run/systemd/*" OR
    name="*.config/systemd/user/*"
  )
| eval ServiceFile=coalesce(object_name, name)
| eval Actor=coalesce(auid, uid, user)
| eval IsRoot=if(Actor="0" OR Actor="root", 1, 0)
| eval SuspiciousName=if(match(ServiceFile, "(syslogd\.service|kthreadd\.service|netns\.service|cron2\.service|systemd-network2\.service|rsyslogd2\.service)"), 1, 0)
| eval UserLevelService=if(match(ServiceFile, "\.config/systemd/user"), 1, 0)
| table _time, host, Actor, IsRoot, action, ServiceFile, SuspiciousName, UserLevelService, exe, comm
| sort - _time

| appendcols [
  search index=linux_logs sourcetype="linux_auditd" comm="systemctl"
    (cmdline="*enable*" OR cmdline="*start*" OR cmdline="*daemon-reload*")
  | eval ServiceAction=cmdline
  | table _time, host, auid, ServiceAction
]

high severity high confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Linux auditd

Required Sourcetypes

linux_auditd auditd

False Positives

Package managers installing software with bundled systemd units
Ansible/Puppet/Chef configuration management deploying legitimate services
Container runtime installations (Docker, Podman) registering systemd socket activation
Developers creating test service units on development hosts
Monitoring agents (Datadog, Elastic Agent, Splunk UF) self-registering as services

Elastic Security (EQL)

eql

any where
  (event.category == "file" and event.type in ("creation","change") and
   file.path : ("/etc/systemd/system/*","/lib/systemd/system/*","/usr/lib/systemd/system/*",
                "/run/systemd/system/*","*/.config/systemd/user/*") and
   file.extension == "service" and
   not process.name : ("dpkg","rpm","apt","yum","systemd","systemctl","ansible*","puppet*","chef*")) or
  (event.category == "process" and event.type == "start" and
   process.name == "systemctl" and
   process.args : ("enable","start","daemon-reload") and
   process.parent.name : ("bash","sh","dash","zsh","python*","perl","ruby","curl","wget"))

high severity high confidence

Data Sources

Linux Endpoint File Events Linux Process Events

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-*

False Positives

Package managers (apt, yum, dnf, rpm) installing legitimate software that includes systemd service units
System administrators manually creating or modifying service files for legitimate infrastructure automation
Configuration management tools (Ansible, Chef, Puppet, SaltStack) deploying service configurations
Docker or container runtime installations that register systemd services
Development environments where developers create test services locally

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "TargetFilename" as ServiceFile, "Image" as ProcessImage,
  "CommandLine" as CommandLine,
  CASE WHEN "TargetFilename" LIKE '/tmp/%' OR "TargetFilename" LIKE '/var/tmp/%' THEN 10
       WHEN "Image" LIKE '%/curl%' OR "Image" LIKE '%/wget%' THEN 9
       WHEN "Image" LIKE '%systemctl%' AND "CommandLine" LIKE '%enable%' THEN 7
       ELSE 5 END as RiskScore
FROM events
WHERE (
  (eventid = 11 AND (
    "TargetFilename" LIKE '/etc/systemd/system/%.service' OR
    "TargetFilename" LIKE '/lib/systemd/system/%.service' OR
    "TargetFilename" LIKE '/usr/lib/systemd/system/%.service'))
  OR (eventid = 1 AND "Image" LIKE '%systemctl%' AND
      ("CommandLine" LIKE '%enable%' OR "CommandLine" LIKE '%start%') AND
      LOWER(coalesce("ParentImage","")) LIKE ANY ('%/bash%','%/sh%','%/python%','%/curl%','%/wget%'))
)
ORDER BY EventTime DESC

high severity high confidence

Data Sources

Sysmon for Linux Event Log

Required Tables

events

False Positives

Package managers (apt, yum, dnf, rpm) installing legitimate software that includes systemd service units
System administrators manually creating or modifying service files for legitimate infrastructure automation
Configuration management tools (Ansible, Chef, Puppet, SaltStack) deploying service configurations
Docker or container runtime installations that register systemd services
Development environments where developers create test services locally

Sumo Logic CSE

sql

_sourceCategory=linux/sysmon
| json auto
| where EventID in ("1","11")
| eval TargetLower = toLower(coalesce(TargetFilename,""))
| eval ImageLower = toLower(coalesce(Image,""))
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval is_service_file = if(EventID == "11" AND (
    TargetLower matches "/etc/systemd/system/.*\.service$" OR
    TargetLower matches "/lib/systemd/system/.*\.service$" OR
    TargetLower matches "/usr/lib/systemd/system/.*\.service$"), 1, 0)
| eval is_systemctl = if(EventID == "1" AND ImageLower matches ".*/systemctl$"
    AND CmdLower matches ".*(enable|start).*"
    AND (ParentImage matches ".*(bash|sh|python|curl|wget|ruby).*"), 1, 0)
| where is_service_file == 1 OR is_systemctl == 1
| eval SuspiciousDir = if(TargetLower matches "(/tmp/|/var/tmp/|/dev/shm/)", 1, 0)
| table _time, Computer, User, Image, CommandLine, TargetFilename, ParentImage, is_service_file, is_systemctl, SuspiciousDir
| sort by _time desc

high severity high confidence

Data Sources

Sysmon for Linux via Sumo Logic

Required Tables

linux/sysmon

False Positives

Package managers (apt, yum, dnf, rpm) installing legitimate software that includes systemd service units
System administrators manually creating or modifying service files for legitimate infrastructure automation
Configuration management tools (Ansible, Chef, Puppet, SaltStack) deploying service configurations
Docker or container runtime installations that register systemd services
Development environments where developers create test services locally

Google Chronicle / SecOps

yaral

rule systemd_service_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects systemd service file creation for persistence (T1543.002)"
    severity = "HIGH"
    tactic = "TA0003"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    re.regex($e.target.file.full_path, `(?i)/etc/systemd/system/.*\.service$|/lib/systemd/system/.*\.service$`) nocase
    not re.regex($e.principal.process.file.full_path, `(?i)(dpkg|rpm|apt|yum|systemd|ansible|puppet|chef)`) nocase

  condition:
    $e
}

high severity high confidence

Data Sources

Linux File Events via Chronicle UDM

Required Tables

FILE_CREATION

False Positives

Package managers (apt, yum, dnf, rpm) installing legitimate software that includes systemd service units
System administrators manually creating or modifying service files for legitimate infrastructure automation
Configuration management tools (Ansible, Chef, Puppet, SaltStack) deploying service configurations
Docker or container runtime installations that register systemd services
Development environments where developers create test services locally

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /systemctl$/
| CommandLine = /(enable|start|daemon-reload)/i
| ParentBaseFileName = /(bash|sh|dash|python|perl|ruby|curl|wget|nc|ncat)/i
| eval risk = case {
    ParentBaseFileName = /(curl|wget|nc|ncat)/i : "critical";
    ParentBaseFileName = /(python|perl|ruby)/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, risk
| sort by timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Process Events (Linux)

Required Tables

ProcessRollup2

False Positives

Package managers (apt, yum, dnf, rpm) installing legitimate software that includes systemd service units
System administrators manually creating or modifying service files for legitimate infrastructure automation
Configuration management tools (Ansible, Chef, Puppet, SaltStack) deploying service configurations
Docker or container runtime installations that register systemd services
Development environments where developers create test services locally

Systemd Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections