Persistence (TA0003)
Privilege Escalation (TA0004)
Rule query (KQL):

host.os.type:linux and event.category:process and event.type:start and event.action:exec and
process.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and
process.entry_leader.entry_meta.type:* and not (
  process.entry_leader.entry_meta.type:(container or init or unknown) or
  process.parent.pid:1 or
  process.parent.executable:(
    /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or
    /bin/pacman or /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or
    /usr/bin/dnf or /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or
    /usr/bin/pacman or /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or
    /usr/sbin/adduser or /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/* or
    /opt/datadog-agent/embedded/bin/installer or /opt/saltstack/salt/bin/python* or
    /opt/puppetlabs/puppet/bin/puppet or /opt/splunkforwarder/bin/splunk or /opt/puppetlabs/puppet/bin/ruby or
    /opt/kaspersky/kesl/shared/kesl or /usr/local/bin/cloudflared or /usr/bin/puppet or
    /opt/sentinelone/bin/sentinelctl
  ) or
  process.args_count >= 5 or
  process.parent.command_line:*ansible*
)
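To see which events the query above selects and which its exclusion clause suppresses, the following Python re-implements the rule's logic over flattened ECS-style events; it is an added example, not code from Elastic or the rule itself, and assumes the ECS field names used in the query, constructed sample events (not real telemetry) and `fnmatchcase` standing in for KQL's `*` wildcard.

```python
from fnmatch import fnmatchcase

# Parent executables the rule treats as routine sources of systemctl enable/start (package managers,
# config-management tools, agent installers); copied from the rule's exclusion list, '*' is a KQL wildcard.
BENIGN_PARENTS = [
    "/bin/adduser", "/bin/dnf", "/bin/dnf-automatic", "/bin/dockerd", "/bin/dpkg", "/bin/microdnf", "/bin/pacman", "/bin/podman",
    "/bin/rpm", "/bin/snapd", "/bin/sudo", "/bin/useradd", "/bin/yum", "/usr/bin/dnf", "/usr/bin/dnf-automatic", "/usr/bin/dockerd",
    "/usr/bin/dpkg", "/usr/bin/microdnf", "/usr/bin/pacman", "/usr/bin/podman", "/usr/bin/rpm", "/usr/bin/snapd", "/usr/bin/sudo",
    "/usr/bin/yum", "/usr/sbin/adduser", "/usr/sbin/invoke-rc.d", "/usr/sbin/useradd", "/var/lib/dpkg/*",
    "/opt/datadog-agent/embedded/bin/installer", "/opt/saltstack/salt/bin/python*", "/opt/puppetlabs/puppet/bin/puppet",
    "/opt/splunkforwarder/bin/splunk", "/opt/puppetlabs/puppet/bin/ruby", "/opt/kaspersky/kesl/shared/kesl",
    "/usr/local/bin/cloudflared", "/usr/bin/puppet", "/opt/sentinelone/bin/sentinelctl",
]

def rule_matches(ev: dict) -> bool:
    """True when a flattened ECS process event satisfies the rule's KQL query."""
    args = ev.get("process.args", [])
    leader = ev.get("process.entry_leader.entry_meta.type")
    # Positive clause: systemctl enable/reenable/start exec'd on Linux with a populated entry leader type.
    if not (ev.get("host.os.type") == "linux" and ev.get("event.category") == "process"
            and ev.get("event.type") == "start" and ev.get("event.action") == "exec"
            and ev.get("process.executable") == "/usr/bin/systemctl"
            and any(a in ("enable", "reenable", "start") for a in args) and leader is not None):
        return False
    # Exclusion clause: any single condition explains the start as expected activity.
    parent_exe = ev.get("process.parent.executable", "")
    return not (leader in ("container", "init", "unknown")
                or ev.get("process.parent.pid") == 1
                or any(fnmatchcase(parent_exe, pat) for pat in BENIGN_PARENTS)
                or ev.get("process.args_count", len(args)) >= 5
                or fnmatchcase(ev.get("process.parent.command_line", ""), "*ansible*"))

def _event(**overrides) -> dict:
    """Constructed sample event (not real telemetry): an interactive SSH shell enabling a unit."""
    base = {"host.os.type": "linux", "event.category": "process", "event.type": "start", "event.action": "exec",
            "process.executable": "/usr/bin/systemctl", "process.args": ["systemctl", "enable", "example.service"],
            "process.args_count": 3, "process.entry_leader.entry_meta.type": "sshd", "process.parent.pid": 4021,
            "process.parent.executable": "/usr/bin/bash", "process.parent.command_line": "-bash"}
    return {**base, **overrides}

# Constructed scenarios to check before tuning: only the first should fire.
SCENARIOS = {
    "shell_enables_unit": _event(),
    "dpkg_postinst": _event(**{"process.parent.executable": "/usr/bin/dpkg"}),
    "salt_minion": _event(**{"process.parent.executable": "/opt/saltstack/salt/bin/python3.10"}),
    "container_entry": _event(**{"process.entry_leader.entry_meta.type": "container"}),
    "ansible_run": _event(**{"process.parent.command_line": "/usr/bin/python3 /root/.ansible/tmp/task.py"}),
    "long_args": _event(**{"process.args": ["systemctl", "start", "--no-block", "-q", "a.service"], "process.args_count": 5}),
    "stop_unit": _event(**{"process.args": ["systemctl", "stop", "example.service"]}),
}
```

Running `rule_matches` over `SCENARIOS` shows that only the interactive shell case fires; each other scenario is dropped by exactly one of the query's clauses, which is the behaviour to confirm before adding further exclusions for your own environment.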
Install detection rules in Elastic Security
Detect Systemd Service Started by Unusual Parent Process in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.