From b20213400879eae91de285205a384c63d6d6e52b Mon Sep 17 00:00:00 2001 From: Milad Cheraghi Date: Sat, 30 Nov 2024 22:46:09 +0330 Subject: [PATCH 1/3] Add a new technique with a service --- .../auditd/lnx_auditd_pers_systemd_reload.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml index 4542567b73f..cf60eca6cae 100644 --- a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml +++ b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml @@ -4,9 +4,9 @@ status: test description: Detects a reload or a start of a service. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md -author: Jakob Weinzettl, oscd.community +author: Jakob Weinzettl, oscd.community, CheraghiMilad date: 2019-09-23 -modified: 2021-11-27 +modified: 2024-11-30 tags: - attack.persistence - attack.t1543.002 @@ -14,13 +14,20 @@ logsource: product: linux service: auditd detection: - selection: + selection_systemctl: type: 'EXECVE' a0|contains: 'systemctl' a1|contains: - 'daemon-reload' - 'start' - condition: selection + selection_service: + type: 'EXECVE' + a0|contains: 'systemctl' + a1|contains: + - 'start' + - 'reload' + - 'restart' + condition: 1 of selection_* falsepositives: - Installation of legitimate service. - Legitimate reconfiguration of service. From a7bb88b276ea343fcf089bcf59334ff3039248dd Mon Sep 17 00:00:00 2001 From: Milad Cheraghi Date: Sun, 8 Dec 2024 11:52:16 +0330 Subject: [PATCH 2/3] The service image has been added - the errors have been corrected --- .../auditd/lnx_auditd_pers_systemd_reload.yml | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml index cf60eca6cae..193fabdc1ea 100644 
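Review bot: `selection_service` keys on `a0|contains: 'systemctl'`, the same program as `selection_systemctl`, so the `service` binary named in the commit title is never matched and the first selection is fully subsumed by the second (`daemon-reload` is already covered by `contains: 'reload'`, and `start` is listed again). Inside the new list, `a1|contains: 'start'` also matches `restart`, so the `- 'restart'` item is dead. The second patch in this series merges the two selections but keeps both `start` and `restart`; either drop `restart` or use an exact match on `a1` (no `|contains` modifier) so each listed action stands for exactly one `systemctl` verb.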
--- a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml +++ b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md author: Jakob Weinzettl, oscd.community, CheraghiMilad date: 2019-09-23 -modified: 2024-11-30 +modified: 2024-08-12 tags: - attack.persistence - attack.t1543.002 @@ -14,21 +14,18 @@ logsource: product: linux service: auditd detection: - selection_systemctl: + selection: type: 'EXECVE' - a0|contains: 'systemctl' + a0|contains: + - 'systemctl' + - 'service' a1|contains: - - 'daemon-reload' - - 'start' - selection_service: - type: 'EXECVE' - a0|contains: 'systemctl' - a1|contains: - - 'start' - 'reload' + - 'start' - 'restart' - condition: 1 of selection_* + condition: selection falsepositives: - Installation of legitimate service. - Legitimate reconfiguration of service. + - command line contains daemon-reload. level: low From 220aed33daf7eb7592873426373e8180e226503b Mon Sep 17 00:00:00 2001 From: Milad Cheraghi Date: Sun, 8 Dec 2024 11:58:28 +0330 Subject: [PATCH 3/3] Rule falsepositive must start with a capital - fix it --- rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml index 193fabdc1ea..59375775f3d 100644 --- a/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml +++ b/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml @@ -27,5 +27,5 @@ detection: falsepositives: - Installation of legitimate service. - Legitimate reconfiguration of service. - - command line contains daemon-reload. + - Command line contains daemon-reload. level: low
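Review bot: `modified: 2024-08-12` moves the rule's modification date backwards — the value it replaces is `2024-11-30`, and this commit itself is dated 8 Dec 2024 — so the field no longer says when the detection logic last changed. Set it to the date of this change, e.g. `modified: 2024-12-08`, and keep it monotonically increasing across the series.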
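Review bot: For the newly added `service` program the action is not in `a1`: the SysV wrapper is invoked as `service <name> <action>`, so `a1` holds the unit name and the `reload`/`start`/`restart` values only fire when the service *name* happens to contain one of those words, whereas for `systemctl` the action genuinely is `a1`. Folding both programs into one selection therefore silently misses most `service` invocations; two selections, with `a2|contains` for `service` and `condition: 1 of selection_*` (the form the previous patch already used), restore the coverage the commit intends — sketch below. The new falsepositive `command line contains daemon-reload.` also contradicts the selection: `a1|contains: 'reload'` matches `daemon-reload`, which the original rule deliberately listed as a T1543.002 detection, so either document that match as in scope or carve it out with a `filter` selection instead of a falsepositives bullet. `a0|contains: 'service'` is presumably broader than intended as well (any argv[0] containing that substring); an exact value list for `a0` would be tighter.
```yaml
detection:
    selection_systemctl:
        type: 'EXECVE'
        a0|contains: 'systemctl'
        a1|contains:
            - 'reload'
            - 'start'
            - 'restart'
    selection_service:
        type: 'EXECVE'
        a0|contains: 'service'
        a2|contains:
            - 'reload'
            - 'start'
            - 'restart'
    condition: 1 of selection_*
# … unchanged: falsepositives, level …
```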