QLean for IBM Security QRadar SIEM: Admin Guide
www.scnsoft.com

MITRE ATT&CK for Linux Platforms

ADMIN GUIDE

© 2020 ScienceSoft | Page 1 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

Table of Contents
Overview ...... 3
Supported Versions ...... 4
Extension Installation ...... 5
  Downloading Extension ...... 5
  Installing Extension ...... 5
Overview ...... 6
  Rules overview ...... 6
  Rules structure ...... 7
Prerequisites ...... 9
  Configuring rsyslog ...... 10
  Configuring auditd ...... 11
Usage ...... 12
  Enable rules ...... 12
  Add legitimate Linux users ...... 12
Troubleshooting ...... 14
Appendix A: Release notes ...... 15
  1.0.0 ...... 15
Appendix B: Custom Properties ...... 16
Appendix C: Custom Rules ...... 17


Overview
The Linux MITRE ATT&CK rules from ScienceSoft are based on auditd logs produced by a properly configured audit subsystem. auditd is the userspace component of the Linux Audit framework (the audit daemon) that records security-relevant events on the various Linux distributions. The rule set developed by ScienceSoft includes the auditd configuration steps that must be performed for the rules to work. The rule logic is simple and straightforward and relies mostly on the auditd configuration: each rule matches on the audit key (-k value) assigned by the corresponding audit rule, so a rule can only fire if its audit rule is loaded on the host. Although extensively tested and tuned, the Linux MITRE ATT&CK rules are disabled by default to prevent potential false positives in a production SIEM environment, so make sure to enable them after the auditd configuration is done. IMPORTANT: This complimentary content pack is part of the full set of Linux MITRE rules developed by ScienceSoft. You can request the full set of rules as a commercial product, including professional-services support for auditd configuration and troubleshooting, at [email protected].


Supported Versions
Supported QRadar versions are:
• 7.3.0 GA and higher

NOTE: this content pack is developed by ScienceSoft Inc. and is not supported by IBM. You can request your own QRadar content pack to be developed via the following email address: [email protected].


Extension Installation This rules content pack is distributed as a QRadar extension. In order to install this extension please follow the steps below.

Downloading Extension
• Go to https://exchange.xforce.ibmcloud.com/hub
• Login using your IBMid
• Filter by Type: Custom Rule
• Select the MITRE ATT&CK for Linux Platforms extension
• Click the Download button at the top right corner
• Save the extension zip file

Installing Extension
• Login to the QRadar UI
• Go to the Admin tab
• Open Extensions Management
• Click the Add button
• Select the Install immediately checkbox, click the Browse button, locate the extension file downloaded from IBM App Exchange and click the Add button
• Confirm all the steps and wait for the installation to finish. This may take a while.
• Close the Extensions Management window and press Ctrl+F5 to fully reload the QRadar UI.
• Deploy changes if asked by QRadar


Overview

Rules overview
To get the list of MITRE rules please follow the steps below.
• Go to the Offense tab
• Click the Rules link
• Click the Group drop-down and select the MITRE group.

By default all rules are disabled.


Rules structure Click any MITRE group rule for more details.

IMPORTANT: For a MITRE rule to trigger you must configure auditd for every rule you are interested in. The Notes section of every rule contains the detailed auditd configuration to be performed. IMPORTANT: scroll down the Notes section to review the whole configuration guide for the rule.

Press the Next (3) button to check the Rule Response part.


This wizard page shows the CRE event that will be generated when the rule triggers. The Event Name field contains the ATT&CK technique ID (for example T1040) and the technique name. The Event Description field contains a short description and a link to that technique at mitre.org.


Prerequisites
The following software versions are required for proper configuration of the audit settings and forwarding to QRadar:

• audit-1.8.x or higher
• rsyslog5-5.8.x or higher

Execute the following commands to verify the versions:
For Redhat based distros:
# rpm -qa | grep audit
# rpm -qa | grep rsyslog
For Debian based distros:
# dpkg -l auditd
# dpkg -l rsyslog

If rsyslog is not installed on your system, perform the following steps:
1. Execute commands:

a) For Redhat/Centos 5.x, 6.x and 7.x
# yum install rsyslog
# chkconfig off
# chkconfig rsyslog on
# service syslog stop
# chmod 600 /etc/audisp/plugins.d/syslog.conf

b) For Redhat/Centos/Oracle Linux 8.x
## rsyslog should already be installed; if not, run 'yum install rsyslog'
# yum install audispd-plugins

c) For Debian/:
# apt install rsyslog
# apt install audispd-plugins

2. Disable compatibility mode by editing the configuration file:
a) For Redhat based distros:
# vi /etc/sysconfig/rsyslog
b) For Debian based distros:
# vi /etc/default/rsyslog

3. Insert the following line at the top of the configuration:
SYSLOGD_OPTIONS="-c5"

4. Restart the rsyslog daemon:
# service rsyslog restart


Configuring rsyslog
The Linux Audit Framework (LAF) produces a massive amount of audit events and can greatly affect the QRadar EPS license. Advanced filtering of LAF audit events lets you skip the messages that are not used by the QRadar correlation rules. Audit records reach rsyslog only through the audisp syslog plugin, so make sure it is enabled (active = yes in /etc/audisp/plugins.d/syslog.conf, or /etc/audit/plugins.d/syslog.conf on audit 3.x) and restart auditd after changing it.

For Redhat/Debian based distros: add the following lines to /etc/rsyslog.d/audit.conf

################### BEGIN ##################
# Advanced Rsyslog audit template for SIEM #
############################################
# This template is used for filtering LAF messages to SIEM solution
$EscapeControlCharactersOnReceive off

# Logging template: LAF (make sure it is a single line!)
$template t_os,"<%pri%>%timegenerated% os-%hostname% msg=%msg:::drop-last-lf%\n"

# Filtered LAF audit messages
# ATTENTION: Filtering requires 'auditd' configuration and
# '/etc/audit/audit.rules' configuration baseline
# with specific key - 'siem'
# See more details in the documentation provided
:msg,contains,"key=\"siem-" @@;t_os
& ~
:msg,contains,"type=EXECVE" @@;t_os
& ~
:msg,contains,"type=DAEMON_" @@;t_os
& ~
:msg,contains,"type=USER_" @@;t_os
& ~
:msg,contains,"type=ADD_" @@;t_os
& ~
:msg,contains,"type=DEL_" @@;t_os
& ~
############################ END ##########################

where the host written after @@ is the IP address of the QRadar Event Collector/Processor (@@ forwards over TCP; QRadar listens for syslog on port 514). Each "& ~" line stops further processing of the message that the preceding filter just forwarded; a record that matches none of the filters is never sent to QRadar. $EscapeControlCharactersOnReceive off keeps the 0x1D separator that the ENRICHED log format (see Configuring auditd) inserts before the resolved-name fields, which the custom properties in Appendix B rely on. Only the SYSCALL record of an event carries the key="siem-..." string; the type=EXECVE filter is what brings along the record with the command-line arguments of the same event. Save and restart rsyslog using the following command:
service rsyslog restart


Configuring auditd
Most of the rules provided with this content pack require configuration of the auditd daemon.

For Redhat/Debian based distros: in /etc/audit/auditd.conf change log_format to ENRICHED:
• log_format = ENRICHED
This adds resolved names for various audit log fields, including user names, group names and syscall names (for example UID="alice" and SYSCALL=execve), after the raw numeric fields of each record. The ENRICHED format requires audit 2.6 or later. The MITRE-Linux: UID custom property (Appendix B) is extracted from these UID="..." fields, so without ENRICHED the user-based exclusions in the rules do not work. Restart auditd after changing auditd.conf.

Please follow the instructions in the Notes section of every particular rule.

Audit rules can be configured on the command line with the auditctl utility or written in the audit.rules file. Note that rules defined with the auditctl command are not persistent across reboots.

To define audit rules that are persistent across reboots, you must include them in the following file: /etc/audit/rules.d/audit.rules

Paste the following lines into the audit.rules file:

## clean-up
-D
# put here auditd rules lines from Notes, for example:
-w /proc/version -p r -k siem-sys-discovery

Then reload the audit configuration with the following command:
service auditd force-reload

Verify that the rules were loaded with auditctl -l, which lists the active rules together with their keys. A -F path= or -w rule that points at a location where the binary is not installed on your distribution loads without error but never matches, so check the binary paths first (the Notes say to use the 'whereis' command).
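The Notes in Appendix C repeat "Set correct path for your linux distro (check 'whereis' command)" because an execve rule with -F path= or a watch with -w that names the wrong location never matches. The following Python script is an added example, not code from the content pack or from ScienceSoft: it takes a rules block as copied from the Notes, resolves each executable against the host's PATH (shutil.which, injectable so it can be checked offline), comments out rules whose binary is absent, leaves file watches and plain syscall rules untouched, and renders the /etc/audit/rules.d/audit.rules layout shown above. NOTES_RULES, resolve_rules and render_rules_file are names chosen for the example; the rule lines in NOTES_RULES are copied from Appendix C.

```python
import os
import re
import shutil

# Rules copied from the Notes fields in Appendix C. The binary locations
# are the content pack's defaults and must be checked per distribution.
NOTES_RULES = """\
-a exit,always -F arch=b64 -S execve -F path=/usr/sbin/tcpdump -k siem-network-sniffing
-a exit,always -F arch=b64 -S execve -F path=/usr/sbin/tshark -k siem-network-sniffing
-w /usr/bin/ip -p x -k siem-network-discovery
-w /usr/sbin/ifconfig -p x -k siem-network-discovery
-w /etc/hosts -p r -k siem-network-discovery
-a always,exit -F arch=b64 -S ptrace -k siem-process-injection
"""

# The path operand of an execve rule (-F path=...) or of a watch (-w ...).
PATH_OPERAND = re.compile(r"(-F path=|-w )(\S+)")
# A watch with execute permission (-p x, -p rx, ...) is a watch on a binary.
EXEC_PERM = re.compile(r"-p \S*x")


def is_binary_rule(line):
    """True for rules whose path operand names an executable."""
    return PATH_OPERAND.search(line) is not None and (
        "-S execve" in line or EXEC_PERM.search(line) is not None)


def resolve_rules(rules_text, which=shutil.which):
    """Rewrite binary paths to where the binary is really installed.

    `which` maps a program name to its absolute path or None; it defaults
    to shutil.which (this host's PATH) and is injectable for testing.
    Rules whose binary is absent are kept as comments so the intended key
    stays visible in the rules file. File watches and syscall rules pass
    through unchanged.
    """
    resolved = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not is_binary_rule(line):
            resolved.append(line)
            continue
        original = PATH_OPERAND.search(line).group(2)
        found = which(os.path.basename(original))
        if found is None:
            resolved.append("# not installed on this host, rule skipped: " + line)
        else:
            resolved.append(line.replace(original, found, 1))
    return resolved


def render_rules_file(rules_text, which=shutil.which):
    """Build /etc/audit/rules.d/audit.rules as the guide lays it out:
    flush the existing rules with -D, then the resolved rules."""
    return "\n".join(["## clean-up", "-D"] + resolve_rules(rules_text, which)) + "\n"


if __name__ == "__main__":
    # Dry run against this host's PATH. On a real host write the output to
    # /etc/audit/rules.d/audit.rules, run `service auditd force-reload`
    # and confirm with `auditctl -l` that every siem-* key is present.
    print(render_rules_file(NOTES_RULES), end="")
```

Rules that carry -F arch=b64 only match 64-bit system calls; if 32-bit binaries run on the host, add a copy of the rule with -F arch=b32 and the same key.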


Usage

Enable rules
Once you are done with the auditd configuration for your Linux system, enable the related rule(s) to make them work.

Go to Offense -> Rules, select the rule(s) and click Actions -> Enable.

Add legitimate Linux users
Most of the rules have the following test in their logic:
AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)

Add legitimate user names (for example service and automation accounts that routinely run the watched commands) to the MITRE: Linux Users reference set to avoid false-positive offenses. The comparison is case-insensitive, and the value compared is the user name resolved by the ENRICHED log format, not the numeric uid. Keep the set small: every event from a listed account is suppressed for every rule that carries this test, including root if you add it. NOTE: Please refer to Appendix C for the complete list of rules available in this package.
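The whole path from audit record to offense can be checked offline. The following Python script is an added example written for this guide, not code from the content pack or from ScienceSoft: it applies the rsyslog "contains" filters from the Configuring rsyslog section, extracts the three custom properties with the exact regexes from Appendix B, and evaluates the "Auditd Key is any of ... AND NOT UID in MITRE: Linux Users" logic that the rules in Appendix C share, plus the "Command is not any of bash" test of the Clear Command History rule. The audit records are constructed in ENRICHED format (not captured data), and the reference-set members, the subset of rules and the helper names are assumptions made for the example.

```python
import re

# Custom property regexes from Appendix B of the guide.
UID_RE = re.compile(r'\s+UID="(.+?)"\s+')
KEY_RE = re.compile(r'key="(.+?)"')
COMM_RE = re.compile(r'\s+comm="(.+?)"\s+')

# The :msg,contains filters from the rsyslog fragment; anything else is
# never forwarded to the Event Collector.
FORWARD_MARKERS = ('key="siem-', 'type=EXECVE', 'type=DAEMON_',
                   'type=USER_', 'type=ADD_', 'type=DEL_')

# Assumed contents of the "MITRE: Linux Users" reference set.
LEGIT_USERS = {"backup", "Ansible"}

# (rule name, auditd keys matched by "Auditd Key is any of", comm values
# excluded by "Command is not any of"), as listed in Appendix C.
RULES = (
    ("MITRE.LIN.T1040.RULE Network Sniffing", {"siem-network-sniffing"}, set()),
    ("MITRE.LIN.T1057.RULE Process Discovery", {"siem-process-discovery"}, set()),
    ("MITRE.LIN.T1146.RULE Clear Command History", {"siem-clear-bash"}, {"bash"}),
)


def rsyslog_forwards(msg):
    """Mirror the rsyslog filter: forward only if a marker substring is present."""
    return any(marker in msg for marker in FORWARD_MARKERS)


def custom_properties(msg):
    """Extract the three custom properties the way QRadar's regexes do."""
    def first(rx):
        m = rx.search(msg)
        return m.group(1) if m else None
    return {"uid": first(UID_RE), "key": first(KEY_RE), "comm": first(COMM_RE)}


def evaluate(msg, legit_users=LEGIT_USERS):
    """Return the name of the rule that fires for one audit record, or None."""
    if not rsyslog_forwards(msg):
        return None                      # dropped by rsyslog, never seen by QRadar
    props = custom_properties(msg)
    if props["key"] is None:
        return None                      # EXECVE/USER_ records carry no key
    legit = {u.lower() for u in legit_users}
    if props["uid"] is not None and props["uid"].lower() in legit:
        return None                      # AND NOT when UID in MITRE: Linux Users
    for name, keys, excluded_comm in RULES:
        if props["key"] in keys and props["comm"] not in excluded_comm:
            return name
    return None


def _syscall_record(comm, key, user, syscall="execve", number=59):
    """Constructed ENRICHED-format SYSCALL record (not real captured data).
    The 0x1d byte separates the raw fields from the resolved names."""
    return (
        f"type=SYSCALL msg=audit(1589456789.101:201): arch=c000003e syscall={number} "
        f"success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2001 pid=2002 "
        f"auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 "
        f'sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="{comm}" exe="/usr/bin/{comm}" '
        f'key="{key}"\x1dARCH=x86_64 SYSCALL={syscall} AUID="{user}" UID="{user}" '
        f'GID="{user}" EUID="{user}" SUID="{user}" FSUID="{user}" EGID="{user}" '
        f'SGID="{user}" FSGID="{user}"'
    )


SAMPLE = [
    _syscall_record("tcpdump", "siem-network-sniffing", "alice"),          # fires T1040
    _syscall_record("ps", "siem-process-discovery", "backup"),             # in reference set
    _syscall_record("bash", "siem-clear-bash", "root", "openat", 257),     # shell writing history
    _syscall_record("rm", "siem-clear-bash", "root", "unlinkat", 263),     # fires T1146
    'type=CWD msg=audit(1589456789.101:201): cwd="/home/alice"',          # not forwarded
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(evaluate(rec), "<-", custom_properties(rec))
```

The leading \s+ in the UID regex is what makes it skip the AUID=, EUID=, SUID= and FSUID= fields that surround UID= in the enriched record; the second sample shows why the reference set must be kept short, since any account in it silences every rule that carries the exclusion.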

Map rules to MITRE Techniques via Use Case Manager (Optional)
Linux MITRE rules can be mapped to MITRE techniques with the Use Case Manager (UCM) application, which you can get from the IBM App Exchange. To map the techniques, open the UCM application, click the ATT&CK Action button on the main page and select Import.


Click on upload icon and select map file with json extension, then click Import.

You can download a mapping json file from following link https://qlean.io/files/linux_mapping.json or request it via email [email protected].


Troubleshooting
This content package is provided "as-is". You can send suggestions on how to improve it, and request professional-services support for auditd configuration and troubleshooting, at [email protected].

If a rule does not fire, check the chain in this order: auditctl -l lists the audit rule with the expected key; ausearch -k <key> shows matching records in the local audit log; the record arrives in QRadar Log Activity for the Linux OS log source with key="siem-..." in the payload (if not, re-check the audisp syslog plugin and the rsyslog filter); the MITRE-Linux: Auditd Key and MITRE-Linux: UID custom properties are populated for that event (if UID is empty, log_format = ENRICHED is not in effect); the rule is enabled and the user is not in the MITRE: Linux Users reference set.


Appendix A: Release notes

1.0.0 Initial version


Appendix B: Custom Properties
Several custom properties are provided to enhance auditd event normalization. The custom properties listed below are installed automatically along with the content pack.

Name                     Description                                Regex
MITRE-Linux: UID         User who started the analyzed process      \s+UID="(.+?)"\s+
MITRE-Linux: Auditd Key  Auditd key (the -k value of the audit rule) key="(.+?)"
MITRE-Linux: Command     Command (the comm field, i.e. process name) \s+comm="(.+?)"\s+

The UID value comes from the UID="name" field that the ENRICHED log format appends, so it holds a user name rather than a number; the leading \s+ in the UID regex is what keeps it from matching the AUID=, EUID=, SUID= and FSUID= fields that surround it in the same record. The Auditd Key property is what every rule in Appendix C tests with "is any of", so the -k values from the Notes must be used exactly as written.


Appendix C: Custom Rules Complete list of rules provided with content package: Rule Name Logic Notes BB:MITRE.LIN.T1190: when the event(s) were detected by No action required Public-Facing one or more of Apache HTTP Application Server, NGINX HTTP Server, Squid Web Proxy, Microsoft SQL Server, Oracle Database Listener, Linux OS BB:MITRE.LIN.T1210: when the event(s) were detected by No action required Exploitation of Remote one or more of Linux OS Services AND when the event QID is one of the following (4750045) smbd Message BB:MITRE.LIN.T1212: when the event(s) were detected by No action required Exploitation for one or more of Novell eDirectory, Credential Access Linux OS, Open LDAP Software, Sun ONE LDAP BB:MITRE.LINUX.T1211: when the event(s) were detected by No action required Exploitation for Defense one or more of Cisco Firewall Evasion Services Module (FWSM), Cisco Firepower Management Center, HBGary Active Defense, Microsoft Windows Defender ATP, Radware DefensePro, VMWare AppDefense, Snort Open Source IDS, Juniper vGW, Samhain HIDS, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Cisco ACE Firewall, Cisco PIX Firewall, Configurable Firewall Filter, CyberGuard TSP Firewall/VPN, Juniper Networks Firewall and VPN, Linux iptables Firewall, Nortel Switched Firewall 5100, Nortel Switched Firewall 6000, Radware AppWall, SonicWALL SonicOS, Trend InterScan VirusWall, Venustech Venusense Firewall, Microsoft Endpoint Protection, Palo Alto Endpoint Security Manager, Symantec Endpoint Protection, Trend Micro Deep Discovery Analyzer, Trend Micro Deep Discovery Director, Trend Micro Control Manager, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector,

© 2020 ScienceSoft | Page 17 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

Trend Micro Deep Security, Trend Micro Office Scan, Resolution1 CyberSecurity, Enterprise-IT- Security.com SF-Sherlock, Amazon AWS Security Hub, Application Security DbProtect, Blue Coat Web Security Service, Blue Coat SG Appliance, Carbon Black, Carbon Black Protection, Cisco AMP, Cisco Cloud Web Security, CyberArk Privileged Threat Analytics, Cyber- Ark Vault, Kaspersky CyberTrace, Extreme NetsightASM, Extreme XSR Security Routers, F5 Networks BIG-IP AFM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Fidelis XPS, Forcepoint V Series, Forcepoint Sidewinder, Fortinet FortiGate Security Gateway, H3C IP Security Devices, IBM Informix Audit, IBM i, IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM Security Network IPS (GX), IBM Security Privileged Identity Manager, IBM Security Trusteer Apex Advanced Malware Protection, IBM Tivoli Access Manager for e-business, Illumio Adaptive Security Platform, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Kaspersky Security Center, Onapsis Inc Onapsis Security Platform, Palo Alto PA Series, Proofpoint Enterprise Protection/Enterprise Privacy, Salesforce Security, Salesforce Security Auditing, Skyhigh Networks Cloud Security Platform, Sophos Web Security Appliance, Solaris BSM, Symantec ATP, Symantec Critical System Protection, Symantec DLP, Symantec Encryption Management Server, Symantec Gateway Security (SGS) Appliance, Symantec System

© 2020 ScienceSoft | Page 18 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

Center, Vormetric Data Security, WatchGuard Fireware OS MITRE.LIN.T1002.RULE when the event(s) were detected by Following auditd rules should be Data Compressed one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) -a exit,always -F arch=b64 -S execve - is any of siem-data-compressed F path=/usr/bin/tar-k siem-data- AND NOT when any of MITRE- compressed Linux: UID (custom) are contained in -a exit,always -F arch=b64 -S execve - any of MITRE: Linux Users - F path=/usr/bin/gzip -k siem-data- AlphaNumeric (Ignore Case) compressed -a exit,always -F arch=b64 -S execve - F path=/usr/bin/zip -k siem-data- compressed

Set correct path for your linux distro (check 'whereis' command)

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1005.RULE when the event(s) were detected by Following auditd rules should be Data from Local System one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) -w /usr/bin/cp -p x -k siem-data-from- is any of siem-data-from-local local AND NOT when any of MITRE- -w /usr/bin/dd -p x -k siem-data-from- Linux: UID (custom) are contained in local any of MITRE: Linux Users - AlphaNumeric (Ignore Case) Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1011.RULE when the event(s) were detected by Following auditd rules should be Exfiltration Over Other one or more of Linux OS enabled: Network Medium AND when the event matches MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S is any of siem-network-modifications sethostname -S setdomainname -F AND NOT when any of MITRE- auid!=0 -k siem-network-modifications Linux: UID (custom) are contained in -w /etc/hosts -p wa -k siem-network- any of MITRE: Linux Users - modifications AlphaNumeric (Ignore Case) -w /etc/sysconfig/network -p wa -k siem-network-modifications -w /etc/network/ -p wa -k siem- network-modifications -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k siem-network-modifications -w /etc/sysconfig/network -p wa -k siem-network-modifications

Get more Linux MITRE rules:

© 2020 ScienceSoft | Page 19 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1016.RULE when the event(s) were detected by Following auditd rules should be System Network one or more of Linux OS enabled: Configuration Discovery AND when the event matches MITRE-Linux: Auditd Key (custom) -w /etc/hosts -p r -k siem-network- is any of siem-network-discovery discovery AND NOT when any of MITRE- -w /etc/sysconfig/network -p r -k siem- Linux: UID (custom) are contained in network-discovery any of MITRE: Linux Users - -w /etc/network/ -p r -k siem-network- AlphaNumeric (Ignore Case) discovery -a always,exit -F dir=/etc/NetworkManager/ -F perm=r -k siem-network-discovery -w /etc/sysconfig/network -p r -k siem- network-discovery -w /etc/netplan/ -p r -k siem-network- discovery

-w /usr/bin/ip -p x -k siem-network- discovery -w /usr/sbin/ifconfig -p x -k siem- network-discovery -w /usr/bin/nmcli -p x -k siem-network- discovery -w /usr/sbin/route -p x -k siem-network- discovery -w /usr/sbin/arp -p x -k siem-network- discovery

Set correct path for your linux distro (check 'whereis' command)

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1021.RULE when the event(s) were detected by SSH Loggin is enabled in auditd by Remote Services one or more of Linux OS default. AND when the event matches MITRE-Linux: Auditd Key (custom) Add in rsyslog.conf next line: is any of siem-remote-discovery :msg,contains,"type=USER_" AND NOT when the source IP is a @@;t_os part of any of the following & ~ AND NOT when any of MITRE- Linux: UID (custom) are contained in Get more Linux MITRE rules: any of MITRE: Linux Users - https://www.scnsoft.com/services/secu AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules MITRE.LIN.T1039.RULE when the event(s) were detected by Following auditd rules should be Data from Network one or more of Linux OS enabled: Shared Drive AND when the event matches MITRE-Linux: Auditd Key (custom) -w // -p r -k siem-data-from-

© 2020 ScienceSoft | Page 20 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

is any of siem-data-from-share share AND NOT when any of MITRE- Linux: UID (custom) are contained in Where '/path/' is you path to mounted any of MITRE: Linux Users - share (NFS, SMB, etc) AlphaNumeric (Ignore Case) Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1040.RULE when the event(s) were detected by Following auditd rules should be Network Sniffing one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) -a exit,always -F arch=b64 -S execve - is any of siem-network-sniffing F path=/usr/sbin/tcpdump -k siem- AND NOT when any of MITRE- network-sniffing Linux: UID (custom) are contained in -a exit,always -F arch=b64 -S execve - any of MITRE: Linux Users - F path=/usr/sbin/tshark -k siem- AlphaNumeric (Ignore Case) network-sniffing -a exit,always -F arch=b64 -S execve - F path=/usr/sbin/rawshark -k siem- network-sniffing -a exit,always -F arch=b64 -S execve - F path=/usr/sbin/wireshark -k siem- network-sniffing

Set correct path for your linux distro (check 'whereis' command)

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1049.RULE when the event(s) were detected by Following auditd rules should be System Network one or more of Linux OS enabled: Connections Discovery AND when the event matches MITRE-Linux: Auditd Key (custom) -a exit,always -F arch=b64 -S execve - is any of siem-connections- F path=/usr/sbin/lsof -k siem- discovery connections-discovery AND NOT when any of MITRE- -a exit,always -F arch=b64 -S execve - Linux: UID (custom) are contained in F path=/usr/bin/netstat -k siem- any of MITRE: Linux Users - connections-discovery AlphaNumeric (Ignore Case) -a exit,always -F arch=b64 -S execve - F path=/usr/sbin/ss -k siem- connections-discovery

Set correct path for your linux distro (check 'whereis' command)

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules

© 2020 ScienceSoft | Page 21 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

MITRE.LIN.T1052.RULE when the event(s) were detected by Following auditd rules should be Exfiltration Over one or more of Linux OS enabled: Physical Medium AND when the event matches MITRE-Linux: Auditd Key (custom) auditctl -a exit,always -F arch=b64 -S is any of siem-mount mount -S umount2 -k siem-mount AND NOT when any of MITRE- Linux: UID (custom) are contained in Get more Linux MITRE rules: any of MITRE: Linux Users - https://www.scnsoft.com/services/secu AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules MITRE.LIN.T1055.RULE when the event(s) were detected by Following auditd rules should be Process Injection one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S ptrace -k is any of siem-process-injection siem-process-injection AND NOT when any of MITRE- -a always,exit -F arch=b64 -S ptrace - Linux: UID (custom) are contained in F a0=0x4 -k siem-process-injection any of MITRE: Linux Users - -a always,exit -F arch=b64 -S ptrace - AlphaNumeric (Ignore Case) F a0=0x5 -k siem-process-injection -a always,exit -F arch=b64 -S ptrace - F a0=0x6 -k siem-process-injection

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1057.RULE when the event(s) were detected by Following auditd rules should be Process Discovery one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) -a exit,always -F arch=b64 -S execve - is any of siem-process-discovery F path=/bin/ps -k siem-process- AND NOT when any of MITRE- discovery Linux: UID (custom) are contained in -a exit,always -F arch=b64 -S execve - any of MITRE: Linux Users - F path=/usr/bin/top -k siem-process- AlphaNumeric (Ignore Case) discovery -a exit,always -F arch=b64 -S execve - F path=/usr/bin/htop -k siem-process- discovery -a exit,always -F arch=b64 -S execve - F path=/usr/bin/atop -k siem-process- discovery -a exit,always -F arch=b64 -S execve - F path=/usr/sbin/iotop -k siem- process-discovery

Set correct path for your linux distro (check 'whereis' command)

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules

© 2020 ScienceSoft | Page 22 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

MITRE.LIN.T1059.RULE when the event(s) were detected by #WARNING - Can be noisy! Command-Line Interface one or more of Linux OS AND when the event matches Following auditd rules should be MITRE-Linux: Auditd Key (custom) enabled: is any of siem-cmd-interface AND NOT when any of MITRE- -a exit,always -F arch=b64 -S execve - Linux: UID (custom) are contained in k siem-cmd-interface any of MITRE: Linux Users - AlphaNumeric (Ignore Case) Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1070.RULE when the event(s) were detected by Following auditd rules should be Indicator Removal on one or more of Linux OS enabled: Host AND when the event matches MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S is any of siem-removal-logs rename,rmdir,unlink,unlinkat,renameat AND NOT when any of MITRE- -F uid!=0 -F auid!=-1 -F path=/var/log - Linux: UID (custom) are contained in k siem-removal-logs any of MITRE: Linux Users - -a always,exit -F arch=b64 -S AlphaNumeric (Ignore Case) rename,rmdir,unlink,unlinkat,renameat -F uid!=0 -F auid!=-1 -F path=/var/log/ -k siem- removal-logs

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1072.RULE when the event(s) were detected by Following auditd rules should be Third-party Software one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) # RPM (Redhat/CentOS) is any of siem-package-manager -w /usr/bin/rpm -p x -k siem-package- AND NOT when any of MITRE- manager Linux: UID (custom) are contained in -w /usr/bin/yum -p x -k siem-package- any of MITRE: Linux Users - manager AlphaNumeric (Ignore Case) # YAST/Zypper/RPM (SuSE) -w /sbin/yast -p x -k siem-package- manager -w /sbin/yast2 -p x -k siem-package- manager -w /bin/rpm -p x -k siem-package- manager -w /usr/bin/zypper -k siem-package- manager

# DPKG / APT-GET (Debian/Ubuntu) -w /usr/bin/dpkg -p x -k siem-package- manager -w /usr/bin/apt-add-repository -p x -k siem-package-manager

© 2020 ScienceSoft | Page 23 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

-w /usr/bin/apt-get -p x -k siem- package-manager -w /usr/bin/aptitude -p x -k siem- package-manager

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1078.RULE when the event(s) were detected by #WARNING - Can be noisy! Valid Accounts one or more of Linux OS AND when the event matches Following auditd rules should be MITRE-Linux: Auditd Key (custom) enabled: is any of siem-valid-accounts AND when the source IP is a part of -a always,exit -F arch=b64 -S execve - any of the following F auid!=0 -F key=siem-valid-accounts TrustedNetworks Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1087.RULE when the event(s) were detected by Following auditd rules should be Account Discovery one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) -a exit,always -F path=/etc/passwd -k is any of siem-account-discovery siem-account-discovery AND NOT when any of MITRE- -a exit,always -F Linux: UID (custom) are contained in path=/etc/master.passwd -k siem- any of MITRE: Linux Users - account-discovery AlphaNumeric (Ignore Case) -a exit,always -F path=/etc/shadow -k siem-account-discovery -a exit,always -F path=/etc/group -k siem-account-discovery -a exit,always -F path=/etc/gshadow -k siem-account-discovery -a exit,always -F path=/etc/security/opasswd -k siem- account-discovery

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux -mitre-attack-rules MITRE.LIN.T1092.RULE when the event(s) were detected by Following auditd rules should be Communication one or more of Linux OS enabled: Through Removable AND when the event matches Media MITRE-Linux: Auditd Key (custom) auditctl -a exit,always -F arch=b64 -S is any of siem-mount mount -S umount2 -k siem-mount AND NOT when any of MITRE- Linux: UID (custom) are contained in Get more Linux MITRE rules: any of MITRE: Linux Users - https://www.scnsoft.com/services/secu AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules

© 2020 ScienceSoft | Page 24 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

MITRE.LIN.T1107.RULE when the event(s) were detected by #WARNING - Can be noisy! File Deletion one or more of Linux OS AND when the event matches Following auditd rules should be MITRE-Linux: Auditd Key (custom) enabled: is any of siem-file-delete AND NOT when any of MITRE- -a always,exit -F arch=b64 -S rmdir -S Linux: UID (custom) are contained in unlink -S unlinkat -S rename -S any of MITRE: Linux Users - renameat -F auid!=4294967295 -F AlphaNumeric (Ignore Case) auid!=0 -k siem-file-delete

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1130.RULE when the event(s) were detected by Following auditd rules should be Install Root Certificate one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) -w /etc/pki/ca-trust/ -p w -F uid!=0 -k is any of siem-root-cert siem-root-cert AND NOT when any of MITRE- Linux: UID (custom) are contained in Get more Linux MITRE rules: any of MITRE: Linux Users - https://www.scnsoft.com/services/secu AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules MITRE.LIN.T1136.RULE when the event(s) were detected by Following auditd rules should be Create Account one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) -w /etc/passwd -p w -k siem-create- is any of siem-create-account account AND NOT when any of MITRE- Linux: UID (custom) are contained in Get more Linux MITRE rules: any of MITRE: Linux Users - https://www.scnsoft.com/services/secu AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules MITRE.LIN.T1145.RULE when the event(s) were detected by Following auditd rules should be Private Keys one or more of Linux OS enabled: AND when the event matches MITRE-Linux: Auditd Key (custom) /home//.ssh/ -p r -k siem- is any of siem-private-keys private-keys AND NOT when any of MITRE- /etc/ssl/certs/ -p r -k siem-private-keys Linux: UID (custom) are contained in /etc/pki/ca-trust/extracted/pem/ -p r -k any of MITRE: Linux Users - siem-private-keys AlphaNumeric (Ignore Case) /etc/pki/tls/ -p -r -k siem-private-keys

Add your folder and files of certification and keys.

Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1146.RULE when the event(s) were detected by Following auditd rules should be Clear Command History one or more of Linux OS enabled: AND when the event matches

© 2020 ScienceSoft | Page 25 from 31 MITRE ATT&CK for Linux Platforms for IBM Security QRadar SIEM: Admin Guide

MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S rmdir -S is any of siem-clear-bash unlink -S unlinkat -S rename -S AND when the event matches renameat -F auid=0 -F MITRE-Linux: Command (custom) path=/root/.bash_history -k siem-clear- is not any of bash bash AND NOT when any of MITRE- -w /root/.bash_history -p w -k siem- Linux: UID (custom) are contained in clear-bash any of MITRE: Linux Users - AlphaNumeric (Ignore Case) Get more Linux MITRE rules: https://www.scnsoft.com/services/secu rity/siem/linux-mitre-attack-rules MITRE.LIN.T1156.RULE when the event(s) were detected by Following auditd rules should be .bash_profile and one or more of Linux OS enabled: .bashrc AND when the event matches MITRE-Linux: Auditd Key (custom) -w /etc/profile.d/ -p w -k siem-bashrc is any of siem-bashrc -w /etc/profile -p w -k siem-bashrc AND NOT when any of MITRE- -w /etc/shells -p w -k siem-bashrc Linux: UID (custom) are contained in -w /etc/bashrc -p w -k siem-bashrc any of MITRE: Linux Users - -w /etc/csh.cshrc -p w -k siem-bashrc AlphaNumeric (Ignore Case) -w /etc/csh.login -p w -k siem-bashrc -w /root/.bashrc -p w -k siem-bashrc -w /root/.bash_profile -p w -k siem- bashrc -w /home//.bashrc -p w -k siem- bashrc -w /home//.bash_profile -p w -k siem-bashrc

MITRE.LIN.T1168.RULE (Local Job Scheduling)

Rule logic:
    when the event(s) were detected by one or more of Linux OS
    AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-scheduling
    AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)

The following auditd rules should be enabled:
    -w /etc/crontab -p wa -k siem-scheduling
    -w /etc/cron.allow -p wa -k siem-scheduling
    -w /etc/cron.deny -p wa -k siem-scheduling
    -w /etc/cron.d/ -p wa -k siem-scheduling
    -w /etc/cron.daily/ -p wa -k siem-scheduling
    -w /etc/cron.hourly/ -p wa -k siem-scheduling
    -w /etc/cron.monthly/ -p wa -k siem-scheduling
    -w /etc/cron.weekly/ -p wa -k siem-scheduling
    -w /var/spool/cron/ -k siem-scheduling
    -w /var/spool/cron/crontabs/ -k siem-scheduling
    -w /etc/inittab -p wa -k siem-scheduling
    -w /etc/init.d/ -p wa -k siem-scheduling
    -w /etc/init/ -p wa -k siem-scheduling
    -w /etc/anacrontab -p wa -k siem-scheduling
    -w /etc/at.allow -p wa -k siem-scheduling
    -w /etc/at.deny -p wa -k siem-scheduling
    -w /var/spool/at/ -p wa -k siem-scheduling

MITRE.LIN.T1190.RULE (Exploit Public-Facing Application)

Rule logic:
    when an event matches any of the following BB:MITRE.LIN.T1190: Exploit Public-Facing Application
    AND when the source is vulnerable to any exploit on any port

auditd configuration: no action required.

MITRE.LIN.T1203.RULE (Exploitation for Client Execution)

Rule logic:
    when the event(s) were detected by one or more of Linux OS
    AND when the source is vulnerable to any exploit on any port

auditd configuration: no action required.

MITRE.LIN.T1210.RULE (Exploitation of Remote Services)

Rule logic:
    when an event matches any of the following BB:MITRE.LIN.T1210: Exploitation of Remote Services
    AND when the source is vulnerable to any exploit on any port

auditd configuration: no action required.

MITRE.LIN.T1211.RULE (Exploitation for Defense Evasion)

Rule logic:
    when an event matches any of the following BB:MITRE.LIN.T1211: Exploitation for Defense Evasion
    AND when the source is vulnerable to any exploit on any port

auditd configuration: no action required.

MITRE.LIN.T1212.RULE (Exploitation for Credential Access)

Rule logic:
    when an event matches any of the following BB:MITRE.LIN.T1212: Exploitation for Credential Access
    AND when the source is vulnerable to any exploit on any port

auditd configuration: no action required.

Note: the "source is vulnerable to any exploit on any port" test is evaluated against the vulnerability data held in QRadar asset profiles (for example, imported vulnerability scanner results). Without such data these five rules never fire.

MITRE.LIN.T1215.RULE (Kernel Modules and Extensions)

Rule logic:
    when the event(s) were detected by one or more of Linux OS
    AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-kernel
    AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)

The following auditd rule should be enabled:
    -a always,exit -F arch=b64 -S create_module,init_module,delete_module,get_kernel_syms,query_module,finit_module -F key=siem-kernel

MITRE.LIN.T1222.RULE (File and Directory Permissions Modification)

Rule logic:
    when the event(s) were detected by one or more of Linux OS
    AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-perm-mod
    AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)

The following auditd rule should be enabled (one rule covering all permission- and attribute-changing syscalls; equivalent to one -a line per syscall):
    -a always,exit -F arch=b64 -S chmod,chown,fchmod,fchmodat,fchown,fchownat,fremovexattr,fsetxattr,lchown,lremovexattr,lsetxattr,removexattr,setxattr -F auid!=4294967295 -k siem-perm-mod

MITRE.LIN.T1483.DUMMY (Domain Generation Algorithms)

Rule logic:
    when the event(s) were detected by one or more log source types

auditd configuration: none. This entry is a placeholder: detection of Domain Generation Algorithms is covered by default IBM applications, or by ScienceSoft's free lightweight application for detecting DGA domains (see https://www.scnsoft.com/services/security/siem).

MITRE.LIN.T1485.RULE (Data Destruction)

Rule logic:
    when the event(s) were detected by one or more of Linux OS
    AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-destruction
    AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)

The following auditd rules should be enabled:
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/etc -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/bin -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/sbin -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/usr/bin -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/usr/sbin -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/var -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/home -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/srv -k siem-destruction

Note: -F auid!=-1 is the same filter as -F auid!=4294967295 (processes with no login UID are excluded). The /var and /home watches record every file deletion or rename under those trees by logged-in users and can produce a high event volume.

MITRE.LIN.T1488.RULE (Disk Content Wipe)

Rule logic:
    when the event(s) were detected by one or more of Linux OS
    AND when MITRE.LIN.T1107.RULE (File Deletion) matches at least 10 times with the same MITRE-Linux: Auditd Key (custom) in 1 minute

This rule counts matches of MITRE.LIN.T1107.RULE, so that rule must be enabled as well.

The following auditd rule should be enabled:
    # WARNING - can be noisy!
    -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid!=4294967295 -k siem-file-delete
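The rule logic in this appendix follows two shapes: the plain "Auditd Key is any of X AND NOT UID in the legitimate-user reference set" test used by most rules, and the counting test of MITRE.LIN.T1488.RULE above (10 File Deletion matches with the same key within one minute). The following Python program is an added example, not part of the ScienceSoft extension or of QRadar: it replays both tests over raw auditd SYSCALL records so the exclusion and the one-minute window can be checked offline. The property extraction is an assumption standing in for the extension's custom properties (Appendix B), taking the key from key=, the user from the AUID="name" field that auditd adds with log_format = ENRICHED (falling back to the numeric auid), and the command from the basename of exe=. The log lines, user names and legitimate-user list are constructed.

```python
"""Replay the guide's rule logic over raw auditd records (added example)."""
import itertools
import re
from collections import defaultdict, deque

UNSET_AUID = 4294967295  # auid of processes with no login session (auditctl also writes it as -1)
HEADER_RE = re.compile(r"type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd record into a dict; None for lines that are not audit records."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "ts": int(m.group(2)), "serial": int(m.group(3))}
    for name, value in FIELD_RE.findall(m.group(4)):
        rec[name] = value.strip('"')
    return rec


def custom_properties(rec):
    """Assumed stand-ins for the extension's custom event properties."""
    auid = int(rec.get("auid", UNSET_AUID))
    user = rec.get("AUID") or (None if auid == UNSET_AUID else str(auid))
    return {
        "auditd_key": rec.get("key"),                      # MITRE-Linux: Auditd Key
        "uid": user,                                        # MITRE-Linux: UID
        "command": rec.get("exe", "").rsplit("/", 1)[-1],   # MITRE-Linux: Command
    }


def key_rule(rec, keys, legit_users, excluded_commands=()):
    """'Auditd Key is any of <keys> AND NOT UID in <legit_users> [AND Command is not any of ...]'."""
    props = custom_properties(rec)
    if props["auditd_key"] not in keys:
        return False
    # Reference set "MITRE: Linux Users - AlphaNumeric (Ignore Case)": case-insensitive membership.
    if props["uid"] is not None and props["uid"].lower() in {u.lower() for u in legit_users}:
        return False
    return props["command"] not in excluded_commands


class ThresholdRule:
    """'when <base rule> matches at least <threshold> times with the same Auditd Key in <window> seconds'."""

    def __init__(self, base_rule, threshold=10, window=60):
        self.base_rule, self.threshold, self.window = base_rule, threshold, window
        self.hits = defaultdict(deque)  # auditd key -> timestamps of recent base-rule matches

    def feed(self, rec):
        if not self.base_rule(rec):
            return False
        q = self.hits[custom_properties(rec)["auditd_key"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()                            # fire once per burst, then count again
            return True
        return False


_SERIAL = itertools.count(1000)


def syscall_line(ts, auid, name, exe="/usr/bin/rm", key="siem-file-delete"):
    """Constructed ENRICHED SYSCALL record for unlink (syscall 87 on x86_64) hitting the siem-file-delete key."""
    return (f"type=SYSCALL msg=audit({ts}.000:{next(_SERIAL)}): arch=c000003e syscall=87 success=yes exit=0 "
            f"a0=7ffd a1=0 a2=0 a3=0 items=2 ppid=800 pid=801 auid={auid} uid={auid} gid={auid} euid={auid} "
            f'tty=pts0 ses=3 comm="rm" exe="{exe}" key="{key}" ARCH=x86_64 SYSCALL=unlink AUID="{name}" UID="{name}"')


def sample_log(start=1700000000):
    """Constructed log: a listed legitimate user, a fast unknown user and a slow unknown user."""
    lines = [syscall_line(start + i, 1000, "alice") for i in range(12)]              # excluded by reference set
    lines += [syscall_line(start + 100 + 2 * i, 1005, "mallory") for i in range(12)]  # 12 deletes in 22 s
    lines += [syscall_line(start + 300 + 15 * i, 1006, "carol") for i in range(12)]   # 12 deletes in 165 s
    return lines


def run(lines, legit_users=("alice",), threshold=10, window=60):
    """Return the File Deletion match count and the Disk Content Wipe alerts for a list of records."""
    t1107 = lambda rec: key_rule(rec, {"siem-file-delete"}, legit_users)
    t1488 = ThresholdRule(t1107, threshold, window)
    matches, alerts = 0, []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] != "SYSCALL":
            continue
        matches += t1107(rec)
        if t1488.feed(rec):
            alerts.append(("MITRE.LIN.T1488.RULE", rec["ts"], custom_properties(rec)["uid"]))
    return {"t1107_matches": matches, "t1488_alerts": alerts}


if __name__ == "__main__":
    print(run(sample_log()))
```

Only the fast deleter produces a Disk Content Wipe alert: the legitimate user is removed by the reference-set test before counting starts, and the slow deleter never has ten matches inside any sixty-second window, which is the behaviour to expect from the QRadar rule after the legitimate Linux users have been added as described in the Usage section.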

MITRE.LIN.T1491.RULE (Defacement)

Rule logic:
    when the event(s) were detected by one or more of Linux OS
    AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-defacement
    AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)

The following auditd rule should be enabled:
    -a always,exit -F dir=/var/www -F perm=w -F uid!=0 -k siem-defacement

Note: the -w watch syntax accepts only -p and -k, so a rule that also filters on uid has to be written in the syscall-rule form above; -F dir= places a recursive watch on the directory and -F perm=w selects write access, which is what -w /var/www -p w would record.

MITRE.LIN.T1529.RULE (System Shutdown/Reboot)

Rule logic:
    when the event(s) were detected by one or more of Linux OS
    AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-reboot
    AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)

The following auditd rules should be enabled:
    #REDHAT/CENTOS
    -a always,exit -F arch=b64 -S execve -F path=/sbin/reboot -k siem-reboot
    -a always,exit -F arch=b64 -S execve -F path=/sbin/init -k siem-reboot
    -a always,exit -F arch=b64 -S execve -F path=/sbin/poweroff -k siem-reboot
    -a always,exit -F arch=b64 -S execve -F path=/sbin/shutdown -k siem-reboot

    #DEBIAN/UBUNTU
    -a always,exit -F arch=b64 -S execve -F path=/usr/sbin/reboot -k siem-reboot
    -a always,exit -F arch=b64 -S execve -F path=/usr/sbin/init -k siem-reboot
    -a always,exit -F arch=b64 -S execve -F path=/usr/sbin/poweroff -k siem-reboot
    -a always,exit -F arch=b64 -S execve -F path=/usr/sbin/shutdown -k siem-reboot


MITRE.LIN.T1531.RULE (Account Access Removal)

Rule logic:
    when the event(s) were detected by one or more of Linux OS
    AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-usr-access-rem
    AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)

The following auditd rules should be enabled:
    -a always,exit -S all -F path=/etc/passwd -F perm=w -F uid!=0 -k siem-usr-access-rem
    -a always,exit -S all -F path=/etc/shadow -F perm=w -F uid!=0 -k siem-usr-access-rem