title: Systemd Service Created in User-Writable or Temp Path
id: d4a5c6f7-0f65-4c8c-a1a7-d4428e73bb05
status: experimental
description: >
  Detects creation of a systemd unit file outside the standard package-managed locations
  or pointing ExecStart at a temp/home path - a common Linux persistence technique.
references:
  - https://attack.mitre.org/techniques/T1543/002/
author: Zion Boggan
date: 2026-05-16
tags:
  - attack.persistence
  - attack.t1543.002
logsource:
  product: linux
  category: file_event
detection:
  selection_unit:
    TargetFilename|endswith: '.service'
    TargetFilename|contains:
      - '/etc/systemd/system/'
      - '/.config/systemd/user/'
      - '/run/systemd/system/'
  filter_pkg:
    Image|endswith:
      - '/dpkg'
      - '/rpm'
      - '/apt'
      - '/yum'
      - '/dnf'
      - '/systemctl'
  condition: selection_unit and not filter_pkg
falsepositives:
  - Admins hand-installing units; baseline known unit deployments.
level: medium
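The following is an added example, not part of the Sigma rule or its author's material: it re-implements the rule's `selection_unit` / `filter_pkg` / `condition` logic in Python and runs it over a handful of constructed Linux `file_event` records, so the match semantics (OR within a value list, AND across fields, the package-manager exclusion) can be checked before the rule is deployed. The event dictionaries, field values and helper names are assumptions for illustration.

```python
# Added example: evaluates the Sigma rule's detection logic over constructed
# file_event records. Event contents and helper names are made up for the demo.

UNIT_DIRS = ("/etc/systemd/system/", "/.config/systemd/user/", "/run/systemd/system/")
PACKAGE_MANAGERS = ("/dpkg", "/rpm", "/apt", "/yum", "/dnf", "/systemctl")


def selection_unit(event):
    """Sigma: TargetFilename|endswith '.service' AND TargetFilename|contains any of UNIT_DIRS."""
    target = event.get("TargetFilename", "")
    return target.endswith(".service") and any(d in target for d in UNIT_DIRS)


def filter_pkg(event):
    """Sigma: Image|endswith any of the package-manager / systemctl binaries."""
    image = event.get("Image", "")
    return any(image.endswith(p) for p in PACKAGE_MANAGERS)


def match_rule(event):
    """Sigma: condition: selection_unit and not filter_pkg"""
    return selection_unit(event) and not filter_pkg(event)


# Constructed sample events (paths and binaries are invented for the example).
SAMPLE_EVENTS = [
    # Unit dropped by a shell into /etc/systemd/system -> alert
    {"Image": "/usr/bin/bash", "TargetFilename": "/etc/systemd/system/updater.service"},
    # Same directory written by dpkg during a package install -> excluded by filter_pkg
    {"Image": "/usr/bin/dpkg", "TargetFilename": "/etc/systemd/system/nginx.service"},
    # Per-user unit written by an interpreter -> alert
    {"Image": "/usr/bin/python3", "TargetFilename": "/home/alice/.config/systemd/user/sync.service"},
    # .timer unit, not .service -> outside selection_unit
    {"Image": "/usr/bin/bash", "TargetFilename": "/etc/systemd/system/updater.timer"},
    # .service file outside the watched directories -> outside selection_unit
    {"Image": "/usr/bin/bash", "TargetFilename": "/tmp/updater.service"},
]


def alerts(events=SAMPLE_EVENTS):
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if match_rule(e)]


if __name__ == "__main__":
    for path in alerts():
        print("ALERT:", path)
```

Running it shows what the rule keys on (unit path plus writing process) and what it does not: the `.timer` and `/tmp` events above never reach the filter, and nothing inspects the `ExecStart` line the description mentions, which a `file_event` rule cannot see.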