
Summary
Detects creation or renaming of new systemd unit override configuration files (override.conf drop-ins) in standard systemd service directories, covering both system-wide and user-specific paths. These drop-ins can alter ExecStart, ExecStartPre, OnCalendar, Environment, User, WorkingDirectory, or WantedBy directives, enabling persistence or privilege escalation by launching malicious commands or timers at startup or on a schedule while the original unit file is left untouched.

The rule matches file creation or rename events for files with a .conf extension under common drop-in locations such as /etc/systemd/system/*.d/*.conf, /etc/systemd/user/*.d/*.conf, and equivalent paths, and excludes known trusted package managers and container runtimes. It applies to Linux hosts and maps to MITRE ATT&CK technique T1543.002 (Create or Modify System Process: Systemd Service) under the Persistence and Privilege Escalation tactics (TA0003/TA0004).

The alert includes triage guidance: verify the override's contents and origin, correlate with systemctl daemon-reload and the unit's service state, and look for additional drop-ins or other adversary activity. Remediation focuses on isolating the host, removing malicious override configurations, reverting to baselined unit files, and hardening permissions to prevent unauthorized writes to systemd service directories. The rule is designed for Elastic Defend endpoint monitoring and uses file and process context to distinguish legitimate administrative changes from attacker activity.
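As an added illustration (not the rule's actual query), the following Python models the matching logic described above over constructed file events and adds a small triage helper for the directives the summary lists. The /usr/lib, /run and ~/.config drop-in paths and the named trusted writers are assumptions, since the summary does not enumerate them.

```python
import os
import re
# Drop-in locations named on the page, plus assumed equivalents for the
# vendor (/usr/lib), runtime (/run) and per-user (~/.config) trees.
DROPIN_PATTERNS = [
    re.compile(r"^/etc/systemd/(system|user)/[^/]+\.d/[^/]+\.conf$"),
    re.compile(r"^/(usr/lib|run)/systemd/system/[^/]+\.d/[^/]+\.conf$"),       # assumed
    re.compile(r"^/home/[^/]+/\.config/systemd/user/[^/]+\.d/[^/]+\.conf$"),  # assumed
]
# Assumed stand-ins for the "trusted package or container runtimes" the rule exempts.
TRUSTED_WRITERS = {"dpkg", "rpm", "dnf", "yum", "dockerd", "containerd"}
MATCHED_ACTIONS = {"creation", "rename"}
# Directives the summary singles out as persistence / privilege-escalation levers.
WATCHED_DIRECTIVES = {"ExecStart", "ExecStartPre", "OnCalendar", "Environment",
                      "User", "WorkingDirectory", "WantedBy"}

def is_override_dropin(event: dict) -> bool:
    """Rule logic: create/rename of a .conf under a systemd *.d drop-in directory,
    unless the writing process is one of the exempted trusted runtimes."""
    if event.get("action") not in MATCHED_ACTIONS:
        return False
    if os.path.basename(event.get("process", "")) in TRUSTED_WRITERS:
        return False
    return any(p.match(event.get("path", "")) for p in DROPIN_PATTERNS)

def watched_directives(contents: str) -> dict:
    """Triage helper: watched directive -> list of values found in an override.
    A bare 'ExecStart=' reset is kept as '' so clearing-then-replacing is visible."""
    found = {}
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in WATCHED_DIRECTIVES:
            found.setdefault(key.strip(), []).append(value.strip())
    return found

# Constructed sample events in the shape an endpoint file monitor might emit.
SAMPLE_EVENTS = [
    {"action": "creation", "path": "/etc/systemd/system/cron.service.d/override.conf", "process": "/usr/bin/nano"},
    {"action": "rename", "path": "/home/dev/.config/systemd/user/sync.timer.d/10-cal.conf", "process": "/usr/bin/mv"},
    {"action": "creation", "path": "/etc/systemd/system/docker.service.d/proxy.conf", "process": "/usr/bin/dpkg"},
    {"action": "creation", "path": "/etc/systemd/system/cron.service.d/notes.txt", "process": "/usr/bin/nano"},
]

def alerts(events=SAMPLE_EVENTS) -> list:
    """Paths that would fire the rule; trusted writers and non-.conf files drop out."""
    return [e["path"] for e in events if is_override_dropin(e)]
```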
Categories
- Endpoint
- Linux
Data Sources
- File
- Process
ATT&CK Techniques
- T1543
- T1543.002
Created: 2026-06-05