Adversaries may be attempting to modify or execute a suspicious service file to establish persistence or escalate privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of critical system services.
Detection Rule
title: Touch Suspicious Service File
id: 31545105-3444-4584-bebf-c466353230d2
status: test
description: Detects usage of the "touch" process with the "-t" option to set the timestamp of a service file.
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-11
tags:
    - attack.defense-evasion
    - attack.t1070.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/touch'
        CommandLine|contains: ' -t '
        CommandLine|endswith: '.service'
    condition: selection
falsepositives:
    - Admin changing date of files.
level: medium
imProcessCreate
| where TargetProcessName endswith "/touch" and TargetProcessCommandLine contains " -t " and TargetProcessCommandLine endswith ".service"
Scenario: A system administrator is manually updating the service configuration file using a text editor like nano or vim.
Filter/Exclusion: Exclude processes initiated by known admin users (e.g., root, admin, or users in the sudo group) or filter by command-line arguments that indicate manual editing (e.g., nano, vim, gedit).
Scenario: A scheduled job (e.g., cron job or systemd timer) is configured to periodically check or update the service file as part of routine maintenance.
Filter/Exclusion: Exclude processes associated with known scheduling tools like cron, systemd, or at, and filter by job names or paths that are known to be legitimate maintenance scripts.
Scenario: A legitimate security tool (e.g., Tripwire, OSSEC, or AIDE) is performing an integrity check and modifying the service file as part of its audit process.
Filter/Exclusion: Exclude processes that match the known process names or paths of security tools, or filter by user IDs associated with these tools (e.g., security, audit, or logwatch).
Scenario: A developer is using a configuration management tool like Ansible, Chef, or Puppet to deploy or update the service file across multiple servers.
Filter/Exclusion: Exclude processes initiated by configuration management tools, or filter by user IDs or command-line arguments that indicate automated deployment (e.g., ansible, chef-client, puppet).
Scenario: A system update or patching process (e.g., via yum, apt, or dnf) modifies the service file as part of a package upgrade.
Filter/Exclusion: Exclude processes associated with package managers (e.g., yum, apt, `dn
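The following is an added example, not part of the original rule, the Sigma project, or the author's post: it replays the rule's `selection` block over constructed process-creation events and then applies the tuning exclusions from the scenarios above, so that a detection engineer can see which events still alert after tuning. Field names follow the ASIM `imProcessCreate` columns used in the page's KQL (`TargetProcessName`, `TargetProcessCommandLine`) plus ASIM-style parent and user columns (`ActingProcessName`, `ActingProcessCommandLine`, `ActorUsername`) that the tuning needs; the allow-list paths, account names and sample events are all constructed values, not telemetry from a real host.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record, named after the ASIM imProcessCreate
    columns from the page's KQL plus the parent/user columns used for tuning
    (assumed ASIM-style names, not taken from the page)."""
    TargetProcessName: str
    TargetProcessCommandLine: str
    ActingProcessName: str = ""         # parent process path
    ActingProcessCommandLine: str = ""  # parent process command line
    ActorUsername: str = ""             # user that launched the process


def matches_selection(ev: ProcessEvent) -> bool:
    """Literal port of the Sigma 'selection'. Sigma string modifiers and KQL's
    contains/endswith are case-insensitive, so compare on lower-cased values."""
    image = ev.TargetProcessName.lower()
    cmd = ev.TargetProcessCommandLine.lower()
    return image.endswith("/touch") and " -t " in cmd and cmd.endswith(".service")


# Allow-lists derived from the page's false-positive scenarios. All values are
# constructed examples; replace them with what your own fleet actually runs.
SCHEDULER_PARENTS = {"/usr/sbin/cron", "/usr/sbin/crond", "/usr/sbin/atd",
                     "/usr/lib/systemd/systemd"}
CONFIG_MGMT_MARKERS = ("ansible", "chef-client", "puppet")
PACKAGE_MANAGERS = {"/usr/bin/yum", "/usr/bin/dnf", "/usr/bin/apt",
                    "/usr/bin/apt-get", "/usr/bin/dpkg", "/usr/bin/rpm"}
SECURITY_TOOL_USERS = {"tripwire", "ossec", "aide"}


def suppression_reason(ev: ProcessEvent):
    """Return why a matching event is suppressed, or None if it should alert.
    Exclusions key on parent process and dedicated service accounts rather than
    on 'root': the rule exists to catch privilege escalation, so suppressing
    root outright would hide exactly the events worth reviewing."""
    parent = ev.ActingProcessName.lower()
    parent_cmd = ev.ActingProcessCommandLine.lower()
    if parent in SCHEDULER_PARENTS:
        return "scheduled job"
    if any(marker in parent or marker in parent_cmd for marker in CONFIG_MGMT_MARKERS):
        return "configuration management"
    if parent in PACKAGE_MANAGERS:
        return "package manager"
    if ev.ActorUsername.lower() in SECURITY_TOOL_USERS:
        return "security tool account"
    return None


def triage(events):
    """Split rule matches into (alerts, suppressed); each entry is (event, reason)."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_selection(ev):
            continue
        reason = suppression_reason(ev)
        (suppressed if reason else alerts).append((ev, reason))
    return alerts, suppressed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Interactive root shell setting a unit file's timestamp: must still alert.
    ProcessEvent("/usr/bin/touch", "touch -t 202301110000 /etc/systemd/system/example.service",
                 "/bin/bash", "bash", "root"),
    # Same command launched by cron: routine maintenance (scenario 2).
    ProcessEvent("/usr/bin/touch", "touch -t 202301110000 /etc/systemd/system/example.service",
                 "/usr/sbin/cron", "/usr/sbin/cron -f", "root"),
    # Ansible module run under python: automated deployment (scenario 4).
    ProcessEvent("/usr/bin/touch", "touch -t 202301110000 /etc/systemd/system/app.service",
                 "/usr/bin/python3", "python3 /home/deploy/.ansible/tmp/AnsiballZ_file.py", "deploy"),
    # touch without -t on a .service file: outside the rule's scope.
    ProcessEvent("/usr/bin/touch", "touch /etc/systemd/system/example.service",
                 "/bin/bash", "bash", "root"),
    # -t on a file that is not a unit file: outside the rule's scope.
    ProcessEvent("/usr/bin/touch", "touch -t 202301110000 /tmp/notes.txt",
                 "/bin/bash", "bash", "alice"),
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev, _ in alerts:
        print("ALERT    ", ev.ActorUsername, ev.TargetProcessCommandLine)
    for ev, reason in suppressed:
        print("SUPPRESS ", reason, "|", ev.TargetProcessCommandLine)
```

Run as a script it lists one alert (the interactive root shell) and two suppressed matches (cron and Ansible); the last two sample events never reach tuning because the selection itself rejects them. Keeping the exclusions on parent process and service accounts, rather than on the root user, is the design choice to carry over into the Sentinel query: it removes the scheduled and automated noise described in the scenarios while leaving a manual `touch -t` on a unit file by a privileged user visible.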