Scribd
Upload
44 views

ScienceSoftLinuxMITREFreePack UserGuide

This document provides instructions for installing and configuring the MITRE ATT&CK for Linux Platforms extension for QRadar. It includes overview of the rules, supported versions, installation steps, prerequisites for configuring auditd and rsyslog, usage instructions, and troubleshooting information.

Uploaded by

adigozalmurad
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
44 views

ScienceSoftLinuxMITREFreePack UserGuide

This document provides instructions for installing and configuring the MITRE ATT&CK for Linux Platforms extension for QRadar. It includes overview of the rules, supported versions, installation steps, prerequisites for configuring auditd and rsyslog, usage instructions, and troubleshooting information.

Uploaded by

adigozalmurad
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 31

QLean for IBM Security

www.scnsoft.com
QRadar SIEM: Admin Guide

MITRE ATT&CK for Linux Platforms

ADMIN GUIDE

© 2020 ScienceSoft| Page 1 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Table of Contents
Overview.....................................................................................................................................3
Supported Versions ...................................................................................................................4
Extension Installation ................................................................................................................5
Downloading Extension ............................................................................................................... 5
Installing Extension ..................................................................................................................... 5
Overview.....................................................................................................................................6
Rules overview........................................................................................................................... 6
Rules structure ........................................................................................................................... 7
Prerequisites ..............................................................................................................................9
Configuring rsyslog ................................................................................................................... 10
Configuring auditd..................................................................................................................... 11
Usage........................................................................................................................................12
Enable rules ............................................................................................................................. 12
Add legitimate Linux users ......................................................................................................... 12
Troubleshooting .......................................................................................................................14
Appendix A: Release notes......................................................................................................15
1.0.0 ................................................................................................................................... 15
Appendix B: Custom Properties ..............................................................................................16
Appendix C: Custom Rules......................................................................................................17

© 2020 ScienceSoft | Page 2 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Overview
Linux MITRE ATT&CK tactics f rom ScienceSoft are based on auditd logs provided by properly configured
auditing component.
Auditd is a userspace component to the UNIX Auditing System (Audit Daemon) that provides a user with a
security auditing aspect in various Linux distributives. The set of the rules developed by ScienceSoft includes
auditd configuration steps that are to be performed in order f or those rules to work. The rules logic is simple
and straight forward, and relies mostly on the auditd configuration.
While massively tested and tuned, Linux MITRE ATT&CK rules are disabled by default in order to prevent
potential f alse-positives on production SIEM environment, so make sure to enable them af ter the auditd
conf iguration is done.
IMPORTANT: This complimentary content pack is a part of thea f ull set of Linux MITRE rules developed by
ScienceSoft. You can request the full set of the rules as a commercial product including professional services
support for auditd configuration and troubleshooting at [email protected].

© 2020 ScienceSoft | Page 3 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Supported Versions
Supported QRadar versions are:
• 7.3.0 GA and higher

NOTE: this content pack is developed by ScienceSoft Inc. and is not supported by IBM. You can request your
own QRadar content pack to be developed via the following email address: [email protected].

© 2020 ScienceSoft | Page 4 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Extension Installation
This rules content pack is distributed as a QRadar extension. In order to install this extension please follow
the steps below.

Downloading Extension
• Go to https://exchange.xforce.ibmcloud.com/hub
• Login using your IBMid
• Filter by Type: Custom Rule
• Select MITRE ATT&CK for Linux Platforms extension
• Click Download button at the top right corner
• Save the extension zip file

Installing Extension
• Login to QRadar UI
• Go to Admin tab
• Open Extensions Management
• Click Add button
• Select Install immediately checkbox, click Browse button, locate the extension file downloaded
f rom IBM App Exchange and click Add button
• Conf irm all the steps and wait for installation to finish. This may take a while.
• Close Extensions Management window, press Ctrl+F5 to fully reload QRadar UI.
• Deploy changes if asked by QRadar

© 2020 ScienceSoft | Page 5 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Overview
Rules overview
To get the list of MITRE rules please follow the steps below.
• Go to Offense tab
• Click Rules link

• Click Group drop-down and select MITRE group.

By default all rules are disabled.

© 2020 ScienceSoft | Page 6 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Rules structure
Click any MITRE group rule for more details.

IMPORTANT: In order to make MITRE rules to trigger you must configure auditd for every rule you are
interested in. The Notes section of every rule contains a detailed auditd configuration to be performed.
IMPORTANT: please scroll down the Notes section to review the whole configuration guide for the rule.

Press Next (3) button to check Rule Response part.

© 2020 ScienceSoft | Page 7 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

This wizard page shows you the CRE event that will be generated when the rule triggers. Event Name field
contains the unique id and the name of MITRE tactic. Event Description field contains a short description
and a link to this particular tactic at mitre.org

© 2020 ScienceSoft | Page 8 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Prerequisites
Following software versions are required for proper configuration of audit settings and forwarding to QRadar:
• audit-1.8.x or higher
• rsyslog5-5.8.x or higher

Execute following commands to verify versions:


For Redhat based distros:
# rpm -qa | grep audit
# rpm -qa | grep rsyslog

Debian based distros:


# dpkg -l auditd
# dpkg -l rsyslog

If rsyslog is not installed on your system, perform following steps:


1. Execute commands:

a) For Redhat/Centos 5.x, 6.x and 7.x


# yum install rsyslog
# chkconfig syslog off
# chkconfig rsyslog on
# service syslog stop
# chmod 600 /etc/audisp/plugins.d/syslog.conf

b) For Redhat/Centos/Oracle Linux 8.x


##rsyslog should be already installed,

##if not – type command: ‘yum install rsyslog’

# yum install audispd-plugins

c) For Debian/Ubuntu:
# apt install rsyslog
# apt install audispd-plugins

2. Disable compatibility mode by editing configuration file:


a) For Redhat based distros:
# vi /etc/sysconfig/rsyslog

b) For Debian based distros:


# vi /etc/default/rsyslog

3. Insert the f ollowing line to the top of the configuration:


SYSLOGD_OPTIONS="-c5"

4. Restart rsyslog daemon


# service rsyslog restart

© 2020 ScienceSoft | Page 9 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Configuring rsyslog
Linux Audit Framework (LAF) produces a massive amount of audit events and might greatly affect QRadar
EPS license. Advanced LAF audit events f iltering allows you to skip the messages that are not involved in
QRadar correlation rules.
For Redhat/Debian based distros:
Add the following lines to /etc/rsyslog.d/audit.conf
################### BEGIN ##################
# Advanced Rsyslog audit template for SIEM #
############################################
# This template is used for filtering LAF messages to SIEM solution
$EscapeControlCharactersOnReceive off

# Logging template: LAF (make sure is a single line!)


$template t_os,"<%pri%>%timegenerated% os-%hostname% msg=%msg:::drop-last-lf%\n"

# Filtered LAF audit messages


# ATTENTION: Filtering requires 'auditd' configuration and
# '/etc/audit/audit.rules' configuration baseline
# with specific key - 'siem'
# See more details in the documentation provided
:msg,contains,"key=\"siem-" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=EXECVE" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=DAEMON_" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=USER_" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=ADD_" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=DEL_" @@<QRADAR_IP>;t_os
& ~

############################ END ##########################

where <QRADAR_IP> is the IP address of QRadar Event Collector/Processor.


Save and restart rsyslog using the following command:
service rsyslog restart

© 2020 ScienceSoft | Page 10 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Configuring auditd
Most of the rules provided with this content pack require auditd daemon configuration.

For Redhat/Debian based distros:


In /etc/audit/auditd.conf change log_format to ENRICHED:
• log_format = ENRICHED

This will provide more details for various audit log fields including usernames, groups and syscalls.

Please f ollow the instructions in Notes section for every particular rule.

Audit rules can be configured via command line with the auditctl utility or written in the audit.rules file.
Note that rules defined with the help of auditctl command are not persistent across reboots.

To def ine Audit rules that are persistent across reboots, you must include them in the following file:
/etc/audit/rules.d/audit.rules

Paste f ollowing lines to audit.rules file:


## clean-up
-D
# put here auditd rules lines from Notes, for example:
-w /proc/version -p r -k siem-sys-discovery

Then re-load audit configuration with following command:


service auditd force-reload

© 2020 ScienceSoft | Page 11 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Usage
Enable rules
Once you are done with auditd configuration for your Linux system, enable the related rule(s) in order to
make it work.

Go to Offense->Rules, select a particular rule(s) and click Actions –> Enable.

Add legitimate Linux users


Most of the rules do have the following test defined in rule logic:
and NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE:
Linux Users - AlphaNumeric (Ignore Case)

Add legitimate user names to the MITRE: Linux Users reference set in order to avoid false-positive offenses.
NOTE: Please refer to Appendix C f or complete list of rules available in this package.

Map rules to MITRE Techniques via Use Case Manager (Optional)


Linux MITRE rules can me mapped to MITRE Techniques with Use Case Manager (UCM) application, which
you can get from IBM App Exchange.
In order to map techniques, open UCM application, click ATT&CK™ Action button on main page and select
Import.

© 2020 ScienceSoft | Page 12 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Click on upload icon and select map file with json extension, then click Import.

You can download a mapping json file from following link https://qlean.io/files/linux_mapping.json
or request it via email [email protected].

© 2020 ScienceSoft | Page 13 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Troubleshooting
This content package is provided “as-is”. You can provide any suggestions how to make it better and request
prof essional services support for auditd configuration and troubleshooting at [email protected].

© 2020 ScienceSoft | Page 14 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Appendix A: Release notes


1.0.0
Initial version

© 2020 ScienceSoft | Page 15 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Appendix B: Custom Properties


Several custom properties are provided in order to enchance auditd events normalization. The custom
properties listed below will be installed automatically along with content pack.
Name Description Regex
MITRE-Linux: UID User who started the analyzed process. \s+UID="(.+?)"\s+
MITRE-Linux: Auditd Key Auditd Key key="(.+?)"
MITRE-Linux: Command command \s+comm="(.+?)"\s+

© 2020 ScienceSoft | Page 16 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Appendix C: Custom Rules


Complete list of rules provided with content package:
Rule Name Logic Notes
BB:MITRE.LIN.T1190: when the event(s) were detected by No action required
Public-Facing one or more of Apache HTTP
Application Server, NGINX HTTP Server, Squid
Web Proxy, Microsoft SQL Server,
Oracle Database Listener, Linux OS
BB:MITRE.LIN.T1210: when the event(s) were detected by No action required
Exploitation of Remote one or more of Linux OS
Services AND when the event QID is one of
the f ollowing (4750045) smbd
Message
BB:MITRE.LIN.T1212: when the event(s) were detected by No action required
Exploitation for one or more of Novell eDirectory,
Credential Access Linux OS, Open LDAP Sof tware,
Sun ONE LDAP
BB:MITRE.LINUX.T1211: when the event(s) were detected by No action required
Exploitation for Defense one or more of Cisco Firewall
Evasion Services Module (FWSM), Cisco
Firepower Management Center,
HBGary Active Def ense, Microsoft
Windows Def ender ATP, Radware
Def ensePro, VMWare AppDefense,
Snort Open Source IDS, Juniper
vGW, Samhain HIDS, Barracuda
Spam &amp; Virus Firewall,
Barracuda Web Application Firewall,
Cisco ACE Firewall, Cisco PIX
Firewall, Conf igurable Firewall
Filter, CyberGuard TSP
Firewall/VPN, Juniper Networks
Firewall and VPN, Linux iptables
Firewall, Nortel Switched Firewall
5100, Nortel Switched Firewall
6000, Radware AppWall,
SonicWALL SonicOS, Trend
InterScan VirusWall, Venustech
Venusense Firewall, Microsoft
Endpoint Protection, Palo Alto
Endpoint Security Manager,
Symantec Endpoint Protection,
Trend Micro Deep Discovery
Analyzer, Trend Micro Deep
Discovery Director, Trend Micro
Control Manager, Trend Micro Deep
Discovery Email Inspector, Trend
Micro Deep Discovery Inspector,

© 2020 ScienceSoft | Page 17 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Trend Micro Deep Security, Trend


Micro Of f ice Scan, Resolution1
CyberSecurity, Enterprise-IT-
Security.com SF-Sherlock, Amazon
AWS Security Hub, Application
Security DbProtect, Blue Coat Web
Security Service, Blue Coat SG
Appliance, Carbon Black, Carbon
Black Protection, Cisco AMP, Cisco
Cloud Web Security, CyberArk
Privileged Threat Analytics, Cyber-
Ark Vault, Kaspersky CyberTrace,
Extreme NetsightASM, Extreme
XSR Security Routers, F5 Networks
BIG-IP AFM, F5 Networks BIG-IP
APM, F5 Networks BIG-IP ASM, F5
Networks BIG-IP LTM, F5 Networks
FirePass, Fidelis XPS, Forcepoint V
Series, Forcepoint Sidewinder,
Fortinet FortiGate Security
Gateway, H3C IP Security Devices,
IBM Inf ormix Audit, IBM i, IBM
Security Access Manager for
Enterprise Single Sign-On, IBM
Security Access Manager for
Mobile, IBM Security Directory
Server, IBM Security Identity
Governance, IBM Security Identity
Manager, IBM Security Network IPS
(GX), IBM Security Privileged
Identity Manager, IBM Security
Trusteer Apex Advanced Malware
Protection, IBM Tivoli Access
Manager f or e-business, Illumio
Adaptive Security Platform, Juniper
Networks Intrusion Detection and
Prevention (IDP), Juniper Networks
Network and Security Manager,
Kaspersky Security Center, Onapsis
Inc Onapsis Security Platform, Palo
Alto PA Series, Proofpoint
Enterprise Protection/Enterprise
Privacy, Salesf orce Security,
Salesf orce Security Auditing,
Skyhigh Networks Cloud Security
Platf orm, Sophos Web Security
Appliance, Solaris BSM, Symantec
ATP, Symantec Critical System
Protection, Symantec DLP,
Symantec Encryption Management
Server, Symantec Gateway Security
(SGS) Appliance, Symantec System

© 2020 ScienceSoft | Page 18 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Center, Vormetric Data Security,


WatchGuard Fireware OS
MITRE.LIN.T1002.RULE when the event(s) were detected by Following auditd rules should be
Data Compressed one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -a exit,always -F arch=b64 -S execve -
is any of siem-data-compressed F path=/usr/bin/tar-k siem-data-
AND NOT when any of MITRE- compressed
Linux: UID (custom) are contained in -a exit,always -F arch=b64 -S execve -
any of MITRE: Linux Users - F path=/usr/bin/gzip -k siem-data-
AlphaNumeric (Ignore Case) compressed
-a exit,always -F arch=b64 -S execve -
F path=/usr/bin/zip -k siem-data-
compressed

Set correct path for your linux distro


(check 'whereis' command)

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1005.RULE when the event(s) were detected by Following auditd rules should be
Data from Local System one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -w /usr/bin/cp -p x -k siem-data-from-
is any of siem-data-from-local local
AND NOT when any of MITRE- -w /usr/bin/dd -p x -k siem-data-from-
Linux: UID (custom) are contained in local
any of MITRE: Linux Users -
AlphaNumeric (Ignore Case) Get more Linux MITRE rules:
https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1011.RULE when the event(s) were detected by Following auditd rules should be
Exfiltration Over Other one or more of Linux OS enabled:
Network Medium AND when the event matches
MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S
is any of siem-network-modifications sethostname -S setdomainname -F
AND NOT when any of MITRE- auid!=0 -k siem-network-modifications
Linux: UID (custom) are contained in -w /etc/hosts -p wa -k siem-network-
any of MITRE: Linux Users - modifications
AlphaNumeric (Ignore Case) -w /etc/sysconfig/network -p wa -k
siem-network-modifications
-w /etc/network/ -p wa -k siem-
network-modifications
-a always,exit -F
dir=/etc/NetworkManager/ -F perm=wa
-k siem-network-modifications
-w /etc/sysconfig/network -p wa -k
siem-network-modifications

Get more Linux MITRE rules:

© 2020 ScienceSoft | Page 19 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1016.RULE when the event(s) were detected by Following auditd rules should be
System Network one or more of Linux OS enabled:
Configuration Discovery AND when the event matches
MITRE-Linux: Auditd Key (custom) -w /etc/hosts -p r -k siem-network-
is any of siem-network-discovery discovery
AND NOT when any of MITRE- -w /etc/sysconfig/network -p r -k siem-
Linux: UID (custom) are contained in network-discovery
any of MITRE: Linux Users - -w /etc/network/ -p r -k siem-network-
AlphaNumeric (Ignore Case) discovery
-a always,exit -F
dir=/etc/NetworkManager/ -F perm=r -k
siem-network-discovery
-w /etc/sysconfig/network -p r -k siem-
network-discovery
-w /etc/netplan/ -p r -k siem-network-
discovery

-w /usr/bin/ip -p x -k siem-network-
discovery
-w /usr/sbin/ifconfig -p x -k siem-
network-discovery
-w /usr/bin/nmcli -p x -k siem-network-
discovery
-w /usr/sbin/route -p x -k siem-network-
discovery
-w /usr/sbin/arp -p x -k siem-network-
discovery

Set correct path for your linux distro


(check 'whereis' command)

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1021.RULE when the event(s) were detected by SSH Loggin is enabled in auditd by
Remote Services one or more of Linux OS def ault.
AND when the event matches
MITRE-Linux: Auditd Key (custom) Add in rsyslog.conf next line:
is any of siem-remote-discovery :msg,contains,"type=USER_"
AND NOT when the source IP is a @@<qradar_ip>;t_os
part of any of the f ollowing &~
AND NOT when any of MITRE-
Linux: UID (custom) are contained in Get more Linux MITRE rules:
any of MITRE: Linux Users - https://www.scnsoft.com/services/secu
AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1039.RULE when the event(s) were detected by Following auditd rules should be
Data from Network one or more of Linux OS enabled:
Shared Drive AND when the event matches
MITRE-Linux: Auditd Key (custom) -w /<path>/ -p r -k siem-data-from-

© 2020 ScienceSoft | Page 20 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

is any of siem-data-from-share share


AND NOT when any of MITRE-
Linux: UID (custom) are contained in Where '/path/' is you path to mounted
any of MITRE: Linux Users - share (NFS, SMB, etc)
AlphaNumeric (Ignore Case)
Get more Linux MITRE rules:
https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1040.RULE when the event(s) were detected by Following auditd rules should be
Network Sniffing one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -a exit,always -F arch=b64 -S execve -
is any of siem-network-sniffing F path=/usr/sbin/tcpdump -k siem-
AND NOT when any of MITRE- network-sniffing
Linux: UID (custom) are contained in -a exit,always -F arch=b64 -S execve -
any of MITRE: Linux Users - F path=/usr/sbin/tshark -k siem-
AlphaNumeric (Ignore Case) network-sniffing
-a exit,always -F arch=b64 -S execve -
F path=/usr/sbin/rawshark -k siem-
network-sniffing
-a exit,always -F arch=b64 -S execve -
F path=/usr/sbin/wireshark -k siem-
network-sniffing

Set correct path for your linux distro


(check 'whereis' command)

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1049.RULE when the event(s) were detected by Following auditd rules should be
System Network one or more of Linux OS enabled:
Connections Discovery AND when the event matches
MITRE-Linux: Auditd Key (custom) -a exit,always -F arch=b64 -S execve -
is any of siem-connections- F path=/usr/sbin/lsof -k siem-
discovery connections-discovery
AND NOT when any of MITRE- -a exit,always -F arch=b64 -S execve -
Linux: UID (custom) are contained in F path=/usr/bin/netstat -k siem-
any of MITRE: Linux Users - connections-discovery
AlphaNumeric (Ignore Case) -a exit,always -F arch=b64 -S execve -
F path=/usr/sbin/ss -k siem-
connections-discovery

Set correct path for your linux distro


(check 'whereis' command)

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules

© 2020 ScienceSoft | Page 21 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

MITRE.LIN.T1052.RULE when the event(s) were detected by Following auditd rules should be
Exfiltration Over one or more of Linux OS enabled:
Physical Medium AND when the event matches
MITRE-Linux: Auditd Key (custom) auditctl -a exit,always -F arch=b64 -S
is any of siem-mount mount -S umount2 -k siem-mount
AND NOT when any of MITRE-
Linux: UID (custom) are contained in Get more Linux MITRE rules:
any of MITRE: Linux Users - https://www.scnsoft.com/services/secu
AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1055.RULE when the event(s) were detected by Following auditd rules should be
Process Injection one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S ptrace -k
is any of siem-process-injection siem-process-injection
AND NOT when any of MITRE- -a always,exit -F arch=b64 -S ptrace -
Linux: UID (custom) are contained in F a0=0x4 -k siem-process-injection
any of MITRE: Linux Users - -a always,exit -F arch=b64 -S ptrace -
AlphaNumeric (Ignore Case) F a0=0x5 -k siem-process-injection
-a always,exit -F arch=b64 -S ptrace -
F a0=0x6 -k siem-process-injection

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1057.RULE when the event(s) were detected by Following auditd rules should be
Process Discovery one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -a exit,always -F arch=b64 -S execve -
is any of siem-process-discovery F path=/bin/ps -k siem-process-
AND NOT when any of MITRE- discovery
Linux: UID (custom) are contained in -a exit,always -F arch=b64 -S execve -
any of MITRE: Linux Users - F path=/usr/bin/top -k siem-process-
AlphaNumeric (Ignore Case) discovery
-a exit,always -F arch=b64 -S execve -
F path=/usr/bin/htop -k siem-process-
discovery
-a exit,always -F arch=b64 -S execve -
F path=/usr/bin/atop -k siem-process-
discovery
-a exit,always -F arch=b64 -S execve -
F path=/usr/sbin/iotop -k siem-
process-discovery

Set correct path for your linux distro


(check 'whereis' command)

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules

© 2020 ScienceSoft | Page 22 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

MITRE.LIN.T1059.RULE when the event(s) were detected by #WARNING - Can be noisy!


Command-Line Interface one or more of Linux OS
AND when the event matches Following auditd rules should be
MITRE-Linux: Auditd Key (custom) enabled:
is any of siem-cmd-interface
AND NOT when any of MITRE- -a exit,always -F arch=b64 -S execve -
Linux: UID (custom) are contained in k siem-cmd-interface
any of MITRE: Linux Users -
AlphaNumeric (Ignore Case) Get more Linux MITRE rules:
https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1070.RULE when the event(s) were detected by Following auditd rules should be
Indicator Removal on one or more of Linux OS enabled:
Host AND when the event matches
MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S
is any of siem-removal-logs rename,rmdir,unlink,unlinkat,renameat
AND NOT when any of MITRE- -F uid!=0 -F auid!=-1 -F path=/var/log -
Linux: UID (custom) are contained in k siem-removal-logs
any of MITRE: Linux Users - -a always,exit -F arch=b64 -S
AlphaNumeric (Ignore Case) rename,rmdir,unlink,unlinkat,renameat
-F uid!=0 -F auid!=-1 -F
path=/var/log/<folder> -k siem-
removal-logs

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1072.RULE when the event(s) were detected by Following auditd rules should be
Third-party Software one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) # RPM (Redhat/CentOS)
is any of siem-package-manager -w /usr/bin/rpm -p x -k siem-package-
AND NOT when any of MITRE- manager
Linux: UID (custom) are contained in -w /usr/bin/yum -p x -k siem-package-
any of MITRE: Linux Users - manager
AlphaNumeric (Ignore Case)
# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k siem-package-
manager
-w /sbin/yast2 -p x -k siem-package-
manager
-w /bin/rpm -p x -k siem-package-
manager
-w /usr/bin/zypper -k siem-package-
manager

# DPKG / APT-GET (Debian/Ubuntu)


-w /usr/bin/dpkg -p x -k siem-package-
manager
-w /usr/bin/apt-add-repository -p x -k
siem-package-manager

© 2020 ScienceSoft | Page 23 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

-w /usr/bin/apt-get -p x -k siem-
package-manager
-w /usr/bin/aptitude -p x -k siem-
package-manager

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1078.RULE when the event(s) were detected by #WARNING - Can be noisy!
Valid Accounts one or more of Linux OS
AND when the event matches Following auditd rules should be
MITRE-Linux: Auditd Key (custom) enabled:
is any of siem-valid-accounts
AND when the source IP is a part of -a always,exit -F arch=b64 -S execve -
any of the f ollowing F auid!=0 -F key=siem-valid-accounts
TrustedNetworks
Get more Linux MITRE rules:
https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1087.RULE when the event(s) were detected by Following auditd rules should be
Account Discovery one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -a exit,always -F path=/etc/passwd -k
is any of siem-account-discovery siem-account-discovery
AND NOT when any of MITRE- -a exit,always -F
Linux: UID (custom) are contained in path=/etc/master.passwd -k siem-
any of MITRE: Linux Users - account-discovery
AlphaNumeric (Ignore Case) -a exit,always -F path=/etc/shadow -k
siem-account-discovery
-a exit,always -F path=/etc/group -k
siem-account-discovery
-a exit,always -F path=/etc/gshadow -k
siem-account-discovery
-a exit,always -F
path=/etc/security/opasswd -k siem-
account-discovery

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1092.RULE when the event(s) were detected by Following auditd rules should be
Communication one or more of Linux OS enabled:
Through Removable AND when the event matches
Media MITRE-Linux: Auditd Key (custom) auditctl -a exit,always -F arch=b64 -S
is any of siem-mount mount -S umount2 -k siem-mount
AND NOT when any of MITRE-
Linux: UID (custom) are contained in Get more Linux MITRE rules:
any of MITRE: Linux Users - https://www.scnsoft.com/services/secu
AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules

© 2020 ScienceSoft | Page 24 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

MITRE.LIN.T1107.RULE when the event(s) were detected by #WARNING - Can be noisy!


File Deletion one or more of Linux OS
AND when the event matches Following auditd rules should be
MITRE-Linux: Auditd Key (custom) enabled:
is any of siem-f ile-delete
AND NOT when any of MITRE- -a always,exit -F arch=b64 -S rmdir -S
Linux: UID (custom) are contained in unlink -S unlinkat -S rename -S
any of MITRE: Linux Users - renameat -F auid!=4294967295 -F
AlphaNumeric (Ignore Case) auid!=0 -k siem-file-delete

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1130.RULE when the event(s) were detected by Following auditd rules should be
Install Root Certificate one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -w /etc/pki/ca-trust/ -p w -F uid!=0 -k
is any of siem-root-cert siem-root-cert
AND NOT when any of MITRE-
Linux: UID (custom) are contained in Get more Linux MITRE rules:
any of MITRE: Linux Users - https://www.scnsoft.com/services/secu
AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1136.RULE when the event(s) were detected by Following auditd rules should be
Create Account one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -w /etc/passwd -p w -k siem-create-
is any of siem-create-account account
AND NOT when any of MITRE-
Linux: UID (custom) are contained in Get more Linux MITRE rules:
any of MITRE: Linux Users - https://www.scnsoft.com/services/secu
AlphaNumeric (Ignore Case) rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1145.RULE when the event(s) were detected by Following auditd rules should be
Private Keys one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) /home/<user>/.ssh/ -p r -k siem-
is any of siem-private-keys private-keys
AND NOT when any of MITRE- /etc/ssl/certs/ -p r -k siem-private-keys
Linux: UID (custom) are contained in /etc/pki/ca-trust/extracted/pem/ -p r -k
any of MITRE: Linux Users - siem-private-keys
AlphaNumeric (Ignore Case) /etc/pki/tls/ -p -r -k siem-private-keys

Add your folder and files of certification


and keys.

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1146.RULE when the event(s) were detected by Following auditd rules should be
Clear Command History one or more of Linux OS enabled:
AND when the event matches

© 2020 ScienceSoft | Page 25 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S rmdir -S


is any of siem-clear-bash unlink -S unlinkat -S rename -S
AND when the event matches renameat -F auid=0 -F
MITRE-Linux: Command (custom) path=/root/.bash_history -k siem-clear-
is not any of bash bash
AND NOT when any of MITRE- -w /root/.bash_history -p w -k siem-
Linux: UID (custom) are contained in clear-bash
any of MITRE: Linux Users -
AlphaNumeric (Ignore Case) Get more Linux MITRE rules:
https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1156.RULE when the event(s) were detected by Following auditd rules should be
.bash_profile and one or more of Linux OS enabled:
.bashrc AND when the event matches
MITRE-Linux: Auditd Key (custom) -w /etc/profile.d/ -p w -k siem-bashrc
is any of siem-bashrc -w /etc/profile -p w -k siem-bashrc
AND NOT when any of MITRE- -w /etc/shells -p w -k siem-bashrc
Linux: UID (custom) are contained in -w /etc/bashrc -p w -k siem-bashrc
any of MITRE: Linux Users - -w /etc/csh.cshrc -p w -k siem-bashrc
AlphaNumeric (Ignore Case) -w /etc/csh.login -p w -k siem-bashrc
-w /root/.bashrc -p w -k siem-bashrc
-w /root/.bash_profile -p w -k siem-
bashrc
-w /home/<user>/.bashrc -p w -k siem-
bashrc
-w /home/<user>/.bash_profile -p w -k
siem-bashrc

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1168.RULE when the event(s) were detected by Following auditd rules should be
Local Job Scheduling one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -w /etc/crontab -k siem-scheduling
is any of siem-scheduling -w /etc/cron.d/ -k siem-scheduling
AND NOT when any of MITRE- -w /var/spool/cron/ -k siem-scheduling
Linux: UID (custom) are contained in -w /etc/cron.allow -p wa -k siem-
any of MITRE: Linux Users - scheduling
AlphaNumeric (Ignore Case) -w /etc/cron.deny -p wa -k siem-
scheduling
-w /etc/cron.d/ -p wa -k siem-
scheduling
-w /etc/cron.daily/ -p wa -k siem-
scheduling
-w /etc/cron.hourly/ -p wa -k siem-
scheduling
-w /etc/cron.monthly/ -p wa -k siem-
scheduling
-w /etc/cron.weekly/ -p wa -k siem-
scheduling

© 2020 ScienceSoft | Page 26 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

-w /etc/crontab -p wa -k siem-
scheduling
-w /var/spool/cron/crontabs/ -k siem-
scheduling
-w /etc/inittab -p wa -k siem-scheduling
-w /etc/init.d/ -p wa -k siem-scheduling
-w /etc/init/ -p wa -k siem-scheduling
-w /etc/anacrontab -p wa -k siem-
scheduling

-w /etc/at.allow -p wa -k siem-
scheduling
-w /etc/at.deny/ -p wa -k siem-
scheduling
-w /var/spool/at/ -p wa -k siem-
scheduling

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1190.RULE when an event matches any of the No action required
Exploit Public-Facing f ollowing BB:MITRE.LIN.T1190: Get more Linux MITRE rules:
Application Public-Facing Application https://www.scnsoft.com/services/secu
AND when the source is vulnerable rity/siem/linux-mitre-attack-rules
to any exploit on any port
MITRE.LIN.T1203.RULE when the event(s) were detected by No action required
Exploitation for Client one or more of Linux OS Get more Linux MITRE rules:
Execution AND when the source is vulnerable https://www.scnsoft.com/services/secu
to any exploit on any port rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1210.RULE when an event matches any of the No action required
Exploitation of Remote f ollowing BB:MITRE.LIN.T1210: Get more Linux MITRE rules:
Services Exploitation of Remote Services https://www.scnsoft.com/services/secu
AND when the source is vulnerable rity/siem/linux-mitre-attack-rules
to any exploit on any port
MITRE.LIN.T1211.RULE when an event matches any of the No action required
Exploitation for Defense f ollowing BB:MITRE.LIN.T1211: Get more Linux MITRE rules:
Evasion Exploitation f or Def ense Evasion https://www.scnsoft.com/services/secu
AND when the source is vulnerable rity/siem/linux-mitre-attack-rules
to any exploit on any port
MITRE.LIN.T1212.RULE when an event matches any of the No action required
Exploitation for f ollowing BB:MITRE.LIN.T1212: Get more Linux MITRE rules:
Credential Access Exploitation f or Credential Access https://www.scnsoft.com/services/secu
AND when the source is vulnerable rity/siem/linux-mitre-attack-rules
to any exploit on any port
MITRE.LIN.T1215.RULE when the event(s) were detected by Following auditd rules should be
Kernel Modules and one or more of Linux OS enabled:
Extensions AND when the event matches
MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S
is any of siem-kernel create_module,init_module,delete_mo

© 2020 ScienceSoft | Page 27 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

AND NOT when any of MITRE- dule,get_kernel_syms,query_module,fi


Linux: UID (custom) are contained in nit_module -F key=siem-kernel
any of MITRE: Linux Users -
AlphaNumeric (Ignore Case) Get more Linux MITRE rules:
https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1222.RULE when the event(s) were detected by Following auditd rules should be
File and Directory one or more of Linux OS enabled:
Permissions AND when the event matches
Modification MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S chmod -
is any of siem-perm-mod F auid!=4294967295 -k siem-perm-
AND NOT when any of MITRE- mod
Linux: UID (custom) are contained in -a always,exit -F arch=b64 -S chown -
any of MITRE: Linux Users - F auid!=4294967295 -k siem-perm-
AlphaNumeric (Ignore Case) mod
-a always,exit -F arch=b64 -S fchmod -
F auid!=4294967295 -k siem-perm-
mod
-a always,exit -F arch=b64 -S
f chmodat -F auid!=4294967295 -k
siem-perm-mod
-a always,exit -F arch=b64 -S fchown -
F auid!=4294967295 -k siem-perm-
mod
-a always,exit -F arch=b64 -S
f chownat -F auid!=4294967295 -k
siem-perm-mod
-a always,exit -F arch=b64 -S
f removexattr -F auid!=4294967295 -k
siem-perm-mod
-a always,exit -F arch=b64 -S fsetxattr
-F auid!=4294967295 -k siem-perm-
mod
-a always,exit -F arch=b64 -S lchown -
F auid!=4294967295 -k siem-perm-
mod
-a always,exit -F arch=b64 -S
lremovexattr -F auid!=4294967295 -k
siem-perm-mod
-a always,exit -F arch=b64 -S lsetxattr
-F auid!=4294967295 -k siem-perm-
mod
-a always,exit -F arch=b64 -S
removexattr -F auid!=4294967295 -k
siem-perm-mod
-a always,exit -F arch=b64 -S setxattr -
F auid!=4294967295 -k siem-perm-
mod

Get more Linux MITRE rules:

© 2020 ScienceSoft | Page 28 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1483.DUMM when the event(s) were detected by Domain Generation Algorithms
Y Domain Generation one or more log source types covered by default IBM applications.
Algorithms Or you can use our free lightweight
application to detect DGA domains.
See more on
https://www.scnsoft.com/services/secu
rity/siem
MITRE.LIN.T1485.RULE when the event(s) were detected by Following auditd rules should be
Data Destruction one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -a always,exit -F arch=b64 -S
is any of siem-destruction rename,rmdir,unlink,unlinkat,renameat
AND NOT when any of MITRE- -F auid!=-1 -F dir=/etc -k siem-
Linux: UID (custom) are contained in destruction
any of MITRE: Linux Users - -a always,exit -F arch=b64 -S
AlphaNumeric (Ignore Case) rename,rmdir,unlink,unlinkat,renameat
-F auid!=-1 -F dir=/bin -k siem-
destruction
-a always,exit -F arch=b64 -S
rename,rmdir,unlink,unlinkat,renameat
-F auid!=-1 -F dir=/sbin -k siem-
destruction
-a always,exit -F arch=b64 -S
rename,rmdir,unlink,unlinkat,renameat
-F auid!=-1 -F dir=/usr/bin -k siem-
destruction
-a always,exit -F arch=b64 -S
rename,rmdir,unlink,unlinkat,renameat
-F auid!=-1 -F dir=/usr/sbin -k siem-
destruction
-a always,exit -F arch=b64 -S
rename,rmdir,unlink,unlinkat,renameat
-F auid!=-1 -F dir=/var -k siem-
destruction
-a always,exit -F arch=b64 -S
rename,rmdir,unlink,unlinkat,renameat
-F auid!=-1 -F dir=/home -k siem-
destruction
-a always,exit -F arch=b64 -S
rename,rmdir,unlink,unlinkat,renameat
-F auid!=-1 -F dir=/srv -k siem-
destruction

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1488.RULE when the event(s) were detected by #WARNING - Can be noisy!
Disk Content Wipe one or more of Linux OS
AND when MITRE.LIN.T1107.RULE Following auditd rules should be

© 2020 ScienceSoft | Page 29 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

File Deletion match at least 10 times enabled:


with the same MITRE-Linux: Auditd
Key (custom) in 1 minutes -a always,exit -F arch=b64 -S rmdir -S
unlink -S unlinkat -S rename -S
renameat -F auid!=4294967295 -k
siem-f ile-delete

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1491.RULE when the event(s) were detected by Following auditd rules should be
Defacement one or more of Linux OS enabled:
AND when the event matches
MITRE-Linux: Auditd Key (custom) -w /var/www -p w -F uid!=0 -k siem-
is any of siem-defacement def acement
AND NOT when any of MITRE- -w /var/www/<your-path> -p w -F
Linux: UID (custom) are contained in uid!=0 -k siem-defacement
any of MITRE: Linux Users -
AlphaNumeric (Ignore Case) Get more Linux MITRE rules:
https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules
MITRE.LIN.T1529.RULE when the event(s) were detected by Following auditd rules should be
System one or more of Linux OS enabled:
Shutdown/Reboot AND when the event matches
MITRE-Linux: Auditd Key (custom) #REDHAT/CENTOS
is any of siem-reboot -a exit,always -F arch=b64 -S execve -
AND NOT when any of MITRE- F path=/sbin/reboot -k siem-reboot
Linux: UID (custom) are contained in -a exit,always -F arch=b64 -S execve -
any of MITRE: Linux Users - F path=/sbin/init -k siem-reboot
AlphaNumeric (Ignore Case) -a exit,always -F arch=b64 -S execve -
F path=/sbin/poweroff -k siem-reboot
-a exit,always -F arch=b64 -S execve -
F path=/sbin/shutdow -k siem-reboot

#DEBIAN/UBUNTU
-a exit,always -F arch=b64 -S execve -
F path=/usr/sbin/reboot -k siem-reboot
-a exit,always -F arch=b64 -S execve -
F path=/usr/sbin/init -k siem-reboot
-a exit,always -F arch=b64 -S execve -
F path=/usr/sbin/poweroff -k siem-
reboot
-a exit,always -F arch=b64 -S execve -
F path=/usr/sbin/shutdow -k siem-
reboot

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules

© 2020 ScienceSoft | Page 30 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

MITRE.LIN.T1531.RULE when the event(s) were detected by Following auditd rules should be
Account Access one or more of Linux OS enabled:
Removal AND when the event matches
MITRE-Linux: Auditd Key (custom) -a always,exit -S all -F
is any of siem-usr-access-rem path=/etc/passwd -F perm=w -F uid!=0
AND NOT when any of MITRE- -k siem-usr-access-rem
Linux: UID (custom) are contained in -a always,exit -S all -F
any of MITRE: Linux Users - path=/etc/shadow -F perm=w -F uid!=0
AlphaNumeric (Ignore Case) -k siem-usr-access-rem

Get more Linux MITRE rules:


https://www.scnsoft.com/services/secu
rity/siem/linux-mitre-attack-rules

© 2020 ScienceSoft | Page 31 from 31

You might also like