From 24cfc38d53e79461941c5c1eb267f6d17c0210cb Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Sat, 14 Mar 2026 17:17:36 +0530
Subject: [PATCH 1/3] rules: add nursery rule for systemd CLI interaction on Linux

---
 ...with-systemd-via-command-line-on-linux.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 nursery/interact-with-systemd-via-command-line-on-linux.yml

diff --git a/nursery/interact-with-systemd-via-command-line-on-linux.yml b/nursery/interact-with-systemd-via-command-line-on-linux.yml
new file mode 100644
index 000000000..10f2d5ca8
--- /dev/null
+++ b/nursery/interact-with-systemd-via-command-line-on-linux.yml
@@ -0,0 +1,28 @@
+rule:
+ meta:
+ name: interact with systemd via command line on Linux
+ namespace: host-interaction/service
+ authors:
+ - akshatpal@users.noreply.github.com
+ description: detect command-line interaction with systemd services or logs on Linux
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Discovery::System Service Discovery [T1007]
+ references:
+ - https://man7.org/linux/man-pages/man1/systemctl.1.html
+ - https://man7.org/linux/man-pages/man1/journalctl.1.html
+ - https://man7.org/linux/man-pages/man1/systemd-run.1.html
+ features:
+ - and:
+ - or:
+ - os: linux
+ - os: android
+ - or:
+ - match: execute command
+ - match: create process on Linux
+ - or:
+ - string: /\bsystemctl\b/i
+ - string: /\bjournalctl\b/i
+ - string: /\bsystemd-run\b/i

From 6ad9a2d3f416131cbce5bb3412de9855105e2a04 Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Thu, 19 Mar 2026 22:36:53 +0530
Subject: [PATCH 2/3] changes-req

---
 .../interact-with-systemd-via-command-line-on-linux.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/nursery/interact-with-systemd-via-command-line-on-linux.yml b/nursery/interact-with-systemd-via-command-line-on-linux.yml
index 10f2d5ca8..d8377919e 100644
--- a/nursery/interact-with-systemd-via-command-line-on-linux.yml
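Review bot: The att&ck mapping in this hunk lists only `Discovery::System Service Discovery [T1007]`, yet the string set also fires on `systemd-run` and `journalctl`, and the name/description promise generic "interaction" with systemd; `systemd-run` launches a command as a transient unit, which is execution/persistence rather than discovery, and the two follow-up patches in this series leave the mapping untouched. Either narrow the strings to discovery-style use (`systemctl status`/`list-units`) or add the techniques the other strings imply, e.g. `Persistence::Create or Modify System Process::Systemd Service [T1543.002]` for unit creation and, if journal tampering is in scope, `Defense Evasion::Indicator Removal::Clear Linux or Mac System Logs [T1070.002]`, checking the IDs against the current ATT&CK release first. This matters for triage: an analyst who sees only T1007 on a sample that calls `systemd-run` will under-prioritise it.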
+++ b/nursery/interact-with-systemd-via-command-line-on-linux.yml
@@ -3,10 +3,10 @@ rule:
 name: interact with systemd via command line on Linux
 namespace: host-interaction/service
 authors:
- - akshatpal@users.noreply.github.com
+ - akshatpal
 description: detect command-line interaction with systemd services or logs on Linux
 scopes:
- static: function
+ static: basic block
 dynamic: call
 att&ck:
 - Discovery::System Service Discovery [T1007]
@@ -18,9 +18,9 @@ rule:
 - and:
 - or:
 - os: linux
- - os: android
 - or:
- - match: execute command
+ - api: system
+ - api: _system
 - match: create process on Linux
 - or:
 - string: /\bsystemctl\b/i

From 10fba0d6a0d1616da9d592676594cbf667bb777c Mon Sep 17 00:00:00 2001
From: akshat4703
Date: Mon, 30 Mar 2026 11:30:30 +0530
Subject: [PATCH 3/3] requested-changes

---
 nursery/interact-with-systemd-via-command-line-on-linux.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/nursery/interact-with-systemd-via-command-line-on-linux.yml b/nursery/interact-with-systemd-via-command-line-on-linux.yml
index d8377919e..1be04f480 100644
--- a/nursery/interact-with-systemd-via-command-line-on-linux.yml
+++ b/nursery/interact-with-systemd-via-command-line-on-linux.yml
@@ -20,7 +20,6 @@ rule:
 - os: linux
 - or:
 - api: system
- - api: _system
 - match: create process on Linux
 - or:
 - string: /\bsystemctl\b/i
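Review bot: With the scope lowered to `static: basic block` in the first hunk of this patch, the `match: create process on Linux` alternative kept in this hunk is unlikely to ever contribute statically: a `match:` only sees rules whose scope is the same as or smaller than the referencing rule's, so if `create process on Linux` is function-scoped (process-creation rules in this repository generally are — confirm in host-interaction/process/create) the `or` collapses to `api: system`, and a sample that builds a `systemctl …` line and hands it to `execve`/`posix_spawn` in the same function is missed. Either keep `static: function` or spell out the concrete process-creation APIs here so they can co-occur with the string at basic-block scope. Separately, removing `os: android` leaves an `or:` with the single child `os: linux`; drop the wrapper and put `- os: linux` directly under the `and:`.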