Linux MITRE ATT&CK Rules

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The MITRE ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

ScienceSoft is proud to present its vision of the MITRE ATT&CK tactics, designed specifically for IBM QRadar SIEM as a set of correlation rules ready to be integrated with IBM QRadar in just one click.

ScienceSoft MITRE ATT&CK rules are compliant with MITRE Corporation Terms of Use: https://attack.mitre.org/resources/terms-of-use/

MITRE ATT&CK for Linux Platforms by ScienceSoft

Linux MITRE ATT&CK tactics by ScienceSoft are based on the auditd logs provided by a properly configured auditing component.

Auditd (the Audit Daemon) is a user-space component of the UNIX Auditing System that provides security auditing in various Linux distributions. The rule set developed by ScienceSoft includes auditd configuration instructions that must be applied for the rules to work. The rule logic is simple and straightforward, and in most cases it relies on the auditd configuration rather than on the IBM QRadar correlation capabilities. This logic can be easily migrated to any SIEM solution of your choice.

Linux MITRE ATT&CK rules are thoroughly tested and tuned; however, they are disabled by default in order to prevent potential false positives in the production SIEM environment. We recommend enabling them right after the auditd configuration is in place.

There are two packages of Linux MITRE ATT&CK rules provided by ScienceSoft.

The following rules are available for free and can be downloaded from IBM App Exchange: https://exchange.xforce.ibmcloud.com/hub/

| Tactic | ID | MITRE Description |
|---|---|---|
| Exfiltration | T1002 | Data Compressed |
| Collection | T1005 | Data from Local System |
| Exfiltration | T1011 | Exfiltration Over Other Network Medium |
| Discovery | T1016 | System Network Configuration Discovery |
| Lateral Movement | T1021 | Remote Services |
| Collection | T1039 | Data from Network Shared Drive |
| Credential Access, Discovery | T1040 | Network Sniffing |
| Discovery | T1049 | System Network Connections Discovery |
| Exfiltration | T1052 | Exfiltration Over Physical Medium |
| Defense Evasion, Privilege Escalation | T1055 | Process Injection |
| Discovery | T1057 | Process Discovery |
| Execution | T1059 | Command-Line Interface |
| Defense Evasion | T1070 | Indicator Removal on Host |
| Execution, Lateral Movement | T1072 | Third-party Software |
| Defense Evasion, Persistence, Privilege Escalation, Initial Access | T1078 | Valid Accounts |
| Discovery | T1087 | Account Discovery |
| Command And Control | T1092 | Communication Through Removable Media |
| Defense Evasion | T1107 | File Deletion |
| Defense Evasion | T1130 | Install Root Certificate |
| Persistence | T1136 | Create Account |
| Credential Access | T1145 | Private Keys |
| Defense Evasion | T1146 | Clear Command History |
| Persistence | T1156 | .bash_profile and .bashrc |
| Persistence, Execution | T1168 | Local Job Scheduling |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1203 | Exploitation for Client Execution |
| Lateral Movement | T1210 | Exploitation of Remote Services |
| Defense Evasion | T1211 | Exploitation for Defense Evasion |
| Credential Access | T1212 | Exploitation for Credential Access |
| Persistence | T1215 | Kernel Modules and Extensions |
| Defense Evasion | T1222 | File and Directory Permissions Modification |
| Command And Control | T1483 | Domain Generation Algorithms |
| Impact | T1485 | Data Destruction |
| Impact | T1488 | Disk Content Wipe |
| Impact | T1529 | System Shutdown/Reboot |
| Impact | T1531 | Account Access Removal |
| Integrity | T1491 | Defacement |


The rules below are licensed as a commercial product and can be purchased from ScienceSoft. To learn more, please contact us at qlean@scnsoft.com or send your request via the contact form.

| Tactic | ID | MITRE Description |
|---|---|---|
| Credential Access | T1003 | Credential Dumping |
| Discovery | T1018 | Remote System Discovery |
| Collection | T1025 | Data from Removable Media |
| Discovery | T1033 | System Owner/User Discovery |
| Defense Evasion | T1036 | Masquerading |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Discovery | T1069 | Permission Groups Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Defense Evasion | T1089 | Disabling Security Tools |
| Defense Evasion | T1099 | Timestomp |
| Persistence, Privilege Escalation | T1100 | Web Shell |
| Credential Access | T1139 | Bash History |
| Privilege Escalation, Persistence | T1166 | Setuid and Setgid |
| Privilege Escalation | T1169 | Sudo |
| Initial Access | T1199 | Trusted Relationship |
| Initial Access | T1200 | Hardware Additions |
| Discovery | T1201 | Password Policy Discovery |
| Defense Evasion, Persistence, Command And Control | T1205 | Port Knocking |
| Privilege Escalation | T1206 | Sudo Caching |
| Command And Control | T1219 | Remote Access Tools |
| Impact | T1487 | Disk Structure Wipe |
| Impact | T1490 | Inhibit System Recovery |
| Impact | T1492 | Stored Data Manipulation |
| Impact | T1494 | Runtime Data Manipulation |
| Defense Evasion | T1500 | Compile After Delivery |
| Persistence | T1501 | Systemd Service |
| Discovery | T1518 | Software Discovery |
| Impact | T1486 | Data Encrypted for Impact |
| Lateral Movement | T1184 | SSH Hijacking |