
Summary
This rule detects potential proxy execution via the systemd-run binary on Linux hosts. Attackers may leverage systemd-run to schedule commands in the background or stealthily invoke payloads, enabling execution while attempting to evade detection. The detector watches for process start events where the process name is systemd-run on Linux hosts and applies an extensive allowlist to reduce false positives, excluding common legitimate parent processes, known safe paths, and allowlisted parent names. It also inspects related fields (parent executable and name, command_line, and arguments) to capture the systemd-run usage patterns commonly used for evasion. The rule maps to MITRE ATT&CK techniques for Defense Evasion (System Binary Proxy Execution, T1218) and Execution (Command and Scripting Interpreter, T1059, including the Unix Shell sub-technique T1059.004), and it also references Hijack Execution Flow (T1574). It is designed to operate on data from multiple security integrations (Elastic Defend, Auditbeat, Auditd Manager, CrowdStrike, SentinelOne) and from any log source that captures process start events, providing a cross-sensor signal for suspicious systemd-run usage on Linux endpoints.
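The following is an added, self-contained illustration of the detection logic the summary describes; it is not the rule's own query or its real exclusion lists. The allowlists, the sample process-start events, and the pattern tags are constructed assumptions. It shows the core trigger (a Linux process start whose name is systemd-run with a non-allowlisted parent) and a separate tagging step that explains to an analyst which command-line patterns (timer scheduling, transient scopes, a shell as the proxied command) made the event worth looking at.

```python
"""Toy evaluator for the systemd-run proxy-execution logic described above.

Constructed example, not the rule's own query: the allowlists below and the
sample events are assumptions made for illustration only."""
from dataclasses import dataclass, field
import shlex

# Constructed allowlists (assumption): stand-ins for the rule's real exclusion lists.
ALLOWED_PARENT_NAMES = {"systemd", "apt", "dpkg", "packagekitd", "unattended-upgrade"}
ALLOWED_PARENT_PATHS = ("/usr/lib/systemd/", "/usr/lib/apt/", "/usr/libexec/")

# Real systemd-run options that create timers, i.e. schedule the command for later.
TIMER_FLAGS = ("--on-active", "--on-boot", "--on-startup", "--on-calendar",
               "--on-unit-active", "--on-unit-inactive")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


@dataclass
class ProcessEvent:
    host_os: str
    event_type: str
    name: str
    executable: str
    parent_name: str
    parent_executable: str
    command_line: str
    args: list[str] = field(default_factory=list)

    def __post_init__(self):
        # Derive args from the command line when the sensor only supplied the latter.
        if not self.args:
            self.args = shlex.split(self.command_line)


def is_allowlisted_parent(ev: ProcessEvent) -> bool:
    """Exclusions: known-good parent names and parent executables under trusted paths."""
    return (ev.parent_name in ALLOWED_PARENT_NAMES
            or ev.parent_executable.startswith(ALLOWED_PARENT_PATHS))


def matches_rule(ev: ProcessEvent) -> bool:
    """Core trigger: a Linux process-start event whose process name is systemd-run
    and whose parent is not on any allowlist."""
    if ev.host_os != "linux" or ev.event_type != "start":
        return False
    if ev.name != "systemd-run":
        return False
    return not is_allowlisted_parent(ev)


def usage_patterns(ev: ProcessEvent) -> list[str]:
    """Tag the command line with the patterns the summary describes, so analysts
    see why an alert fired: timer-based scheduling, transient scope units, a
    shell interpreter as the proxied command (T1059.004), and quiet mode."""
    tags = []
    if any(a.startswith(TIMER_FLAGS) for a in ev.args):
        tags.append("scheduled_timer")
    if "--scope" in ev.args:
        tags.append("transient_scope")
    if any(a.rsplit("/", 1)[-1] in SHELLS for a in ev.args[1:]):
        tags.append("shell_interpreter")
    if "--quiet" in ev.args or "-q" in ev.args:
        tags.append("quiet")
    return tags


def triage(events):
    """Return (command_line, tags) for every event the rule would alert on."""
    return [(ev.command_line, usage_patterns(ev)) for ev in events if matches_rule(ev)]


# Constructed sample events (assumption): stand-ins for sensor process-start events.
SAMPLE_EVENTS = [
    # Package manager launching a transient unit: excluded by parent name.
    ProcessEvent("linux", "start", "systemd-run", "/usr/bin/systemd-run",
                 "apt", "/usr/bin/apt",
                 "systemd-run --unit=apt-news --quiet /usr/lib/apt/apt-helper"),
    # Interactive shell scheduling a delayed shell command: alerts.
    ProcessEvent("linux", "start", "systemd-run", "/usr/bin/systemd-run",
                 "bash", "/usr/bin/bash",
                 "systemd-run --on-active=60 --quiet /bin/sh -c /tmp/update.sh"),
    # systemd itself as parent: excluded by trusted path.
    ProcessEvent("linux", "start", "systemd-run", "/usr/bin/systemd-run",
                 "systemd", "/usr/lib/systemd/systemd",
                 "systemd-run --scope /usr/bin/fstrim -av"),
    # Script interpreter proxying a shell through a transient scope: alerts.
    ProcessEvent("linux", "start", "systemd-run", "/usr/bin/systemd-run",
                 "python3", "/usr/bin/python3",
                 "systemd-run --scope bash -c id"),
    # Not a systemd-run process at all: ignored.
    ProcessEvent("linux", "start", "bash", "/usr/bin/bash",
                 "sshd", "/usr/sbin/sshd", "bash -c systemd-run"),
]

if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE_EVENTS):
        print(f"ALERT: {cmd!r} tags={tags}")
```

Keeping the allowlist check separate from the pattern tagging mirrors how the summary describes the rule: the exclusions decide whether an alert fires at all, while the command-line fields only add context. That separation also makes it easy to measure how much of the false-positive volume each exclusion removes before widening it.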
Categories
- Linux
- Endpoint
Data Sources
- Process
- Command
- Script
ATT&CK Techniques
- T1218
- T1574
- T1059
- T1059.004
Created: 2026-07-02