
QLean for IBM Security

www.scnsoft.com
QRadar SIEM: Admin Guide

MITRE ATT&CK for Linux Platforms

ADMIN GUIDE

© 2020 ScienceSoft| Page 1 from 31


MITRE ATT&CK for Linux Platforms
for IBM Security
QRadar SIEM: Admin Guide

Table of Contents
Overview ........ 3
Supported Versions ........ 4
Extension Installation ........ 5
  Downloading Extension ........ 5
  Installing Extension ........ 5
Overview ........ 6
  Rules overview ........ 6
  Rules structure ........ 7
Prerequisites ........ 9
  Configuring rsyslog ........ 10
  Configuring auditd ........ 11
Usage ........ 12
  Enable rules ........ 12
  Add legitimate Linux users ........ 12
Troubleshooting ........ 14
Appendix A: Release notes ........ 15
  1.0.0 ........ 15
Appendix B: Custom Properties ........ 16
Appendix C: Custom Rules ........ 17


Overview
The Linux MITRE ATT&CK tactics from ScienceSoft are based on auditd logs provided by a properly configured auditing component.
Auditd (the audit daemon) is the userspace component of the Linux Audit framework that provides security auditing in various Linux distributions. The set of rules developed by ScienceSoft includes the auditd configuration steps that have to be performed in order for those rules to work. The rule logic is simple and straightforward, and relies mostly on the auditd configuration.
While extensively tested and tuned, the Linux MITRE ATT&CK rules are disabled by default in order to prevent potential false positives in a production SIEM environment, so make sure to enable them after the auditd configuration is done.
IMPORTANT: This complimentary content pack is a part of the full set of Linux MITRE rules developed by ScienceSoft. You can request the full set of rules as a commercial product, including professional services support for auditd configuration and troubleshooting, at qlean@scnsoft.com.


Supported Versions
Supported QRadar versions are:
• 7.3.0 GA and higher

NOTE: this content pack is developed by ScienceSoft Inc. and is not supported by IBM. You can request your
own QRadar content pack to be developed via the following email address: qlean@scnsoft.com.


Extension Installation
This rules content pack is distributed as a QRadar extension. To install the extension, follow the steps below.

Downloading Extension
• Go to https://exchange.xforce.ibmcloud.com/hub
• Login using your IBMid
• Filter by Type: Custom Rule
• Select MITRE ATT&CK for Linux Platforms extension
• Click Download button at the top right corner
• Save the extension zip file

Installing Extension
• Login to QRadar UI
• Go to Admin tab
• Open Extensions Management
• Click Add button
• Select the Install immediately checkbox, click the Browse button, locate the extension file downloaded from IBM App Exchange and click the Add button
• Confirm all the steps and wait for the installation to finish. This may take a while.
• Close the Extensions Management window and press Ctrl+F5 to fully reload the QRadar UI.
• Deploy changes if asked by QRadar


Overview
Rules overview
To get the list of MITRE rules, follow the steps below.
• Go to the Offense tab
• Click the Rules link
• Click the Group drop-down and select the MITRE group.

By default all rules are disabled.


Rules structure
Click any MITRE group rule for more details.

IMPORTANT: In order for the MITRE rules to trigger, you must configure auditd for every rule you are interested in. The Notes section of every rule contains the detailed auditd configuration to be performed.
IMPORTANT: please scroll down the Notes section to review the whole configuration guide for the rule.

Press the Next (3) button to check the Rule Response part.


This wizard page shows the CRE event that will be generated when the rule triggers. The Event Name field contains the unique ID and the name of the MITRE tactic. The Event Description field contains a short description and a link to this particular tactic at mitre.org.


Prerequisites
The following software versions are required for proper configuration of the audit settings and forwarding to QRadar:
• audit-1.8.x or higher
• rsyslog5-5.8.x or higher

Execute the following commands to verify the installed versions:

For Red Hat based distros:
# rpm -qa | grep audit
# rpm -qa | grep rsyslog

For Debian based distros:
# dpkg -l auditd
# dpkg -l rsyslog

If rsyslog is not installed on your system, perform the following steps:

1. Execute the commands for your distribution:

a) For Red Hat/CentOS 5.x, 6.x and 7.x:
# yum install rsyslog
# chkconfig syslog off
# chkconfig rsyslog on
# service syslog stop
# chmod 600 /etc/audisp/plugins.d/syslog.conf

b) For Red Hat/CentOS/Oracle Linux 8.x:
## rsyslog should already be installed;
## if not, run: yum install rsyslog
# yum install audispd-plugins

c) For Debian/Ubuntu:
# apt install rsyslog
# apt install audispd-plugins

2. Disable compatibility mode by editing the configuration file:

a) For Red Hat based distros:
# vi /etc/sysconfig/rsyslog

b) For Debian based distros:
# vi /etc/default/rsyslog

3. Insert the following line at the top of the configuration:
SYSLOGD_OPTIONS="-c5"

4. Restart the rsyslog daemon:
# service rsyslog restart


Configuring rsyslog
The Linux Audit Framework (LAF) produces a massive amount of audit events and can greatly affect your QRadar EPS licence. Advanced filtering of LAF audit events lets you skip the messages that are not used by the QRadar correlation rules.
For Red Hat/Debian based distros:
Add the following lines to /etc/rsyslog.d/audit.conf

################### BEGIN ##################
# Advanced Rsyslog audit template for SIEM #
############################################
# This template is used for filtering LAF messages to the SIEM solution
$EscapeControlCharactersOnReceive off

# Logging template: LAF (make sure it is a single line!)
$template t_os,"<%pri%>%timegenerated% os-%hostname% msg=%msg:::drop-last-lf%\n"

# Filtered LAF audit messages
# ATTENTION: Filtering requires 'auditd' configuration and an
# '/etc/audit/audit.rules' configuration baseline with the
# specific key prefix 'siem'
# See more details in the documentation provided
:msg,contains,"key=\"siem-" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=EXECVE" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=DAEMON_" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=USER_" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=ADD_" @@<QRADAR_IP>;t_os
& ~
:msg,contains,"type=DEL_" @@<QRADAR_IP>;t_os
& ~
############################ END ##########################

where <QRADAR_IP> is the IP address of the QRadar Event Collector/Processor. Each filter line forwards the matching message to QRadar over TCP (the @@ prefix), and the "& ~" line that follows it discards the message, so a matching record is sent once and does not fall through to the later filters or to the local log files; records that match no filter stay on the host.

Save and restart rsyslog using the following command:
# service rsyslog restart
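To see what this filter chain actually lets through, here is an added Python example (not code from the ScienceSoft content pack) that emulates the contains-then-discard logic and the t_os template over a handful of constructed audit records. The hostname, syslog priority and timestamp are assumed values, and the sample records are made up for the example, not real captures.

```python
# Constructed sample audit records as the audisp syslog plugin hands them to rsyslog (ENRICHED
# format, trimmed to the fields that matter here). These are made-up lines, not real captures.
# Records 1-4 belong to one 'ps aux' execution caught by a rule keyed siem-process-discovery,
# record 5 is an unrelated file open with no key, record 6 is an SSH login reported through PAM.
SAMPLE = [
    'type=SYSCALL msg=audit(1600000000.100:101): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2001 pid=2002 auid=1000 uid=1000 comm="ps" exe="/usr/bin/ps" key="siem-process-discovery" '
    'ARCH=x86_64 SYSCALL=execve AUID="alice" UID="alice" GID="alice"\n',
    'type=EXECVE msg=audit(1600000000.100:101): argc=2 a0="ps" a1="aux"\n',
    'type=CWD msg=audit(1600000000.100:101): cwd="/home/alice"\n',
    'type=PROCTITLE msg=audit(1600000000.100:101): proctitle=7073006175780A\n',
    'type=SYSCALL msg=audit(1600000000.200:102): arch=c000003e syscall=257 success=yes exit=3 '
    'auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key=(null) '
    'ARCH=x86_64 SYSCALL=openat AUID="alice" UID="alice" GID="alice"\n',
    "type=USER_LOGIN msg=audit(1600000000.300:103): pid=2100 uid=0 auid=1000 ses=7 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 "
    "terminal=/dev/pts/1 res=success' UID=\"root\" AUID=\"alice\" ID=\"alice\"\n",
]

# Filter substrings from the audit.conf fragment above, in the order rsyslog evaluates them.
# Every ':msg,contains,"..." @@<QRADAR_IP>;t_os' line is followed by '& ~', so a record that
# matches is forwarded once and then discarded; it never reaches later filters or local logs.
FORWARD_IF_CONTAINS = [
    'key="siem-',    # SYSCALL records produced by audit rules carrying a -k siem-... key
    "type=EXECVE",   # argv of every execve, whatever the key
    "type=DAEMON_",  # auditd start/stop/abort
    "type=USER_",    # PAM and login events (USER_LOGIN, USER_AUTH, USER_START, ...)
    "type=ADD_",     # ADD_USER / ADD_GROUP
    "type=DEL_",     # DEL_USER / DEL_GROUP
]


def filter_hit(msg):
    """Return the first filter substring found in msg, or None if rsyslog would discard it."""
    for needle in FORWARD_IF_CONTAINS:
        if needle in msg:
            return needle
    return None


def render_t_os(pri, timegenerated, hostname, msg):
    """Render the t_os template: <%pri%>%timegenerated% os-%hostname% msg=%msg:::drop-last-lf%\\n"""
    body = msg[:-1] if msg.endswith("\n") else msg  # drop-last-lf removes one trailing newline
    return f"<{pri}>{timegenerated} os-{hostname} msg={body}\n"


def forward(messages, hostname="web01", pri=13, timegenerated="Sep 13 12:26:40"):
    """Split records into the wire lines QRadar receives and the records that stay on the host.
    hostname, pri and timegenerated are assumed values standing in for what rsyslog fills in."""
    wire, dropped = [], []
    for msg in messages:
        if filter_hit(msg):
            wire.append(render_t_os(pri, timegenerated, hostname, msg))
        else:
            dropped.append(msg)
    return wire, dropped


if __name__ == "__main__":
    wire, dropped = forward(SAMPLE)
    print(f"{len(wire)} of {len(SAMPLE)} records forwarded, {len(dropped)} dropped on the host")
    for line in wire:
        print(line, end="")
```

Two things worth noticing in the output: the CWD and PROCTITLE records of the keyed execve are dropped, so the QRadar custom properties can only rely on the SYSCALL and EXECVE records; and every EXECVE record is forwarded regardless of key, which is where most of the remaining volume comes from on a busy host.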


Configuring auditd
Most of the rules provided with this content pack require auditd daemon configuration.

For Red Hat/Debian based distros:

In /etc/audit/auditd.conf change log_format to ENRICHED:
• log_format = ENRICHED

This provides more details for various audit log fields, including usernames, groups and syscalls: the resolved UID="...", GID="..." and SYSCALL=... fields that the custom properties in Appendix B rely on.

Please follow the instructions in the Notes section for every particular rule.

Audit rules can be configured via the command line with the auditctl utility or written in the audit.rules file. Note that rules defined with the auditctl command are not persistent across reboots.

To define audit rules that are persistent across reboots, you must include them in the following file:
/etc/audit/rules.d/audit.rules

Paste the following lines into the audit.rules file:

## clean-up
-D
# put here the auditd rule lines from the Notes, for example:
-w /proc/version -p r -k siem-sys-discovery

Then reload the audit configuration with the following command:
# service auditd force-reload
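The lines pasted into audit.rules have to carry a key that the rsyslog filter in the previous section recognises, otherwise the SYSCALL records never leave the host. The following added Python example (not code from the content pack) is a small linter for the rule spellings used in the Notes of Appendix C: watches (-w PATH -p PERMS -k KEY) and syscall rules (-a ACTION,LIST -F ... -S ... -k KEY, or the -F key= spelling). The audit.rules sample it checks is constructed for the example, and the set of options it understands is deliberately limited to the ones the Notes use.

```python
import shlex

ALLOWED_PERMS = set("rwxa")
KEY_PREFIX = "siem-"   # the rsyslog filter ':msg,contains,"key=\"siem-"' forwards only these keys
ACTIONS = {"always", "never"}
LISTS = {"task", "exit", "user", "exclude", "filesystem"}


def parse_rule(line):
    """Parse one audit.rules line into a dict; None for blank, comment and control (-D/-b/-f/-e) lines."""
    line = line.strip()
    if not line or line.startswith("#") or line == "-D" or line.startswith(("-b ", "-f ", "-e ")):
        return None
    tokens = shlex.split(line)
    if tokens and tokens[0] == "auditctl":  # some Notes quote the full command form
        tokens = tokens[1:]
    rule = {"type": None, "action": None, "path": None, "perms": None, "key": None,
            "fields": [], "syscalls": [], "unknown": []}
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if opt == "-w":
            rule["type"], rule["path"] = "watch", arg
        elif opt == "-a":
            rule["type"], rule["action"] = "syscall", arg
        elif opt == "-p":
            rule["perms"] = arg
        elif opt == "-k":
            rule["key"] = arg
        elif opt == "-S":
            rule["syscalls"].extend((arg or "").split(","))
        elif opt == "-F":
            rule["fields"].append(arg)
            if arg and arg.startswith("key="):   # '-F key=...' is the long spelling of -k
                rule["key"] = arg[len("key="):]
        else:
            rule["unknown"].append(opt)        # not an option we know: skip a single token
            i += 1
            continue
        i += 2
    return rule


def lint_rule(line):
    """Return the problems that would keep this rule from feeding the content pack (empty = fine)."""
    rule = parse_rule(line)
    if rule is None:
        return []
    problems = []
    if rule["type"] is None:
        problems.append("neither -w nor -a: not a watch or syscall rule")
    if rule["unknown"]:
        problems.append("unrecognised token(s): " + ", ".join(rule["unknown"]))
    if rule["type"] == "watch" and not (rule["path"] or "").startswith("/"):
        problems.append("-w needs an absolute path")
    if rule["perms"] is not None and (not rule["perms"] or set(rule["perms"]) - ALLOWED_PERMS):
        problems.append(f"-p {rule['perms']!r} is not a combination of r, w, x, a")
    if rule["type"] == "syscall":
        parts = set((rule["action"] or "").split(","))
        if len(parts & ACTIONS) != 1 or len(parts & LISTS) != 1:
            problems.append(f"-a {rule['action']!r} must name one action and one list, e.g. always,exit")
    if rule["key"] is None:
        problems.append('no -k key: SYSCALL records without key="siem-..." are dropped by the rsyslog filter')
    elif not rule["key"].startswith(KEY_PREFIX):
        problems.append(f"key {rule['key']!r} does not start with {KEY_PREFIX!r}: rsyslog will not forward it")
    return problems


def lint_rules(text):
    """Lint a whole audit.rules file; returns [(line, problems), ...] for offending lines only."""
    report = []
    for line in text.splitlines():
        problems = lint_rule(line)
        if problems:
            report.append((line.strip(), problems))
    return report


# Constructed audit.rules content: the baseline from this section, two rules in the Appendix C
# spellings (-k and -F key=), then four deliberately broken lines.
SAMPLE_RULES = """\
## clean-up
-D
-w /proc/version -p r -k siem-sys-discovery
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/tar -k siem-data-compressed
-a always,exit -F arch=b64 -S execve -F auid!=0 -F key=siem-valid-accounts
-w /etc/pki/tls/ -p -r -k siem-private-keys
-w /usr/bin/dd -p x -k data-from-local
/home/backup/.ssh/ -p r -k siem-private-keys
-w /etc/passwd -p w
"""

if __name__ == "__main__":
    for line, problems in lint_rules(SAMPLE_RULES):
        print(line)
        for p in problems:
            print("   ", p)
```

Run it against your own /etc/audit/rules.d/audit.rules before the force-reload; a rule that auditctl accepts but that lacks the siem- key will load fine and still produce nothing in QRadar, which is the failure mode that is hardest to notice afterwards.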


Usage
Enable rules
Once you are done with the auditd configuration for your Linux system, enable the related rule(s) in order to make them work.

Go to Offense -> Rules, select the rule(s) and click Actions -> Enable.

Add legitimate Linux users

Most of the rules have the following test defined in the rule logic:
and NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)

Add legitimate user names to the MITRE: Linux Users reference set in order to avoid false-positive offenses.
NOTE: Please refer to Appendix C for the complete list of rules available in this package.

Map rules to MITRE Techniques via Use Case Manager (Optional)

Linux MITRE rules can be mapped to MITRE Techniques with the Use Case Manager (UCM) application, which you can get from IBM App Exchange.
In order to map techniques, open the UCM application, click the ATT&CK™ Action button on the main page and select Import.


Click the upload icon, select the mapping file with the .json extension, then click Import.

You can download the mapping JSON file from https://qlean.io/files/linux_mapping.json or request it via email at qlean@scnsoft.com.


Troubleshooting
This content package is provided "as-is". You can send suggestions on how to make it better and request professional services support for auditd configuration and troubleshooting at qlean@scnsoft.com.


Appendix A: Release notes


1.0.0
Initial version


Appendix B: Custom Properties


Several custom properties are provided in order to enhance the normalization of auditd events. The custom properties listed below are installed automatically along with the content pack.

Name: MITRE-Linux: UID
Description: User who started the analyzed process.
Regex: \s+UID="(.+?)"\s+

Name: MITRE-Linux: Auditd Key
Description: Auditd key
Regex: key="(.+?)"

Name: MITRE-Linux: Command
Description: Command
Regex: \s+comm="(.+?)"\s+
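The three regexes above, together with the reference-set test described under "Add legitimate Linux users", are what decides whether an event keyed by auditd becomes an offense. The following is an added Python example (not code from the content pack) that applies the custom property regexes to constructed payloads and emulates the rule test shared by most rules in Appendix C. The contents of the reference set and the sample payloads are constructed for the example; the rule key names are the ones used in Appendix C.

```python
import re

# The three custom property regexes from Appendix B, applied the way QRadar applies them to the
# event payload: first match wins and capture group 1 becomes the property value.
CUSTOM_PROPERTIES = {
    "MITRE-Linux: UID": re.compile(r'\s+UID="(.+?)"\s+'),
    "MITRE-Linux: Auditd Key": re.compile(r'key="(.+?)"'),
    "MITRE-Linux: Command": re.compile(r'\s+comm="(.+?)"\s+'),
}

# Constructed stand-in for the 'MITRE: Linux Users - AlphaNumeric (Ignore Case)' reference set.
LINUX_USERS = {"svc-backup", "Ansible"}


def extract_properties(payload):
    """Run every custom property regex over the payload; a property that does not match is None."""
    values = {}
    for name, pattern in CUSTOM_PROPERTIES.items():
        match = pattern.search(payload)
        values[name] = match.group(1) if match else None
    return values


def rule_fires(payload, rule_key, linux_users=LINUX_USERS):
    """Emulate the test shared by most rules in Appendix C:
    'MITRE-Linux: Auditd Key (custom) is any of <rule_key>'
    AND NOT 'MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users' (ignore case).
    """
    props = extract_properties(payload)
    if props["MITRE-Linux: Auditd Key"] != rule_key:
        return False
    uid = props["MITRE-Linux: UID"]
    if uid is not None and uid.lower() in {u.lower() for u in linux_users}:
        return False  # a legitimate, whitelisted account: no offense
    return True


# Constructed payloads as QRadar sees them after the 'msg=' prefix of the t_os template
# (ENRICHED records append resolved AUID="..." UID="..." GID="..." fields after the key).
PS_BY_ALICE = (
    'type=SYSCALL msg=audit(1600000000.100:101): arch=c000003e syscall=59 success=yes exit=0 '
    'auid=1000 uid=1000 comm="ps" exe="/usr/bin/ps" key="siem-process-discovery" '
    'ARCH=x86_64 SYSCALL=execve AUID="alice" UID="alice" GID="alice"'
)
PS_BY_BACKUP = PS_BY_ALICE.replace(' UID="alice"', ' UID="svc-backup"')
# Edge case: the UID regex needs whitespace on both sides, so a record that ends with the UID
# field yields no UID value and the whitelist test cannot exclude the user.
TAR_UID_LAST = (
    'type=SYSCALL msg=audit(1600000000.200:102): arch=c000003e syscall=59 success=yes exit=0 '
    'auid=1001 uid=1001 comm="tar" exe="/usr/bin/tar" key="siem-data-compressed" '
    'ARCH=x86_64 SYSCALL=execve AUID="ansible" UID="ansible"'
)

if __name__ == "__main__":
    for name, payload in [("ps by alice", PS_BY_ALICE), ("ps by svc-backup", PS_BY_BACKUP),
                          ("tar, UID last", TAR_UID_LAST)]:
        print(name, extract_properties(payload),
              "T1057 fires:", rule_fires(payload, "siem-process-discovery"),
              "T1002 fires:", rule_fires(payload, "siem-data-compressed"))
```

The third payload is the case to keep in mind when tuning: if the UID field is the last thing on the line, the regex returns nothing, the UID property is empty, and the reference-set exclusion silently stops working for that event. Checking the extracted property values on a few live events (Log Activity, then the event details) before enabling a rule avoids that surprise.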


Appendix C: Custom Rules


Complete list of rules provided with the content package. Each rule is listed with its QRadar rule logic and the Notes (the auditd configuration it requires):

Rule: BB:MITRE.LIN.T1190: Public-Facing Application
Logic: when the event(s) were detected by one or more of Apache HTTP Server, NGINX HTTP Server, Squid Web Proxy, Microsoft SQL Server, Oracle Database Listener, Linux OS
Notes: No action required

Rule: BB:MITRE.LIN.T1210: Exploitation of Remote Services
Logic: when the event(s) were detected by one or more of Linux OS AND when the event QID is one of the following (4750045) smbd Message
Notes: No action required

Rule: BB:MITRE.LIN.T1212: Exploitation for Credential Access
Logic: when the event(s) were detected by one or more of Novell eDirectory, Linux OS, Open LDAP Software, Sun ONE LDAP
Notes: No action required

Rule: BB:MITRE.LINUX.T1211: Exploitation for Defense Evasion
Logic: when the event(s) were detected by one or more of Cisco Firewall Services Module (FWSM), Cisco Firepower Management Center, HBGary Active Defense, Microsoft Windows Defender ATP, Radware DefensePro, VMWare AppDefense, Snort Open Source IDS, Juniper vGW, Samhain HIDS, Barracuda Spam & Virus Firewall, Barracuda Web Application Firewall, Cisco ACE Firewall, Cisco PIX Firewall, Configurable Firewall Filter, CyberGuard TSP Firewall/VPN, Juniper Networks Firewall and VPN, Linux iptables Firewall, Nortel Switched Firewall 5100, Nortel Switched Firewall 6000, Radware AppWall, SonicWALL SonicOS, Trend InterScan VirusWall, Venustech Venusense Firewall, Microsoft Endpoint Protection, Palo Alto Endpoint Security Manager, Symantec Endpoint Protection, Trend Micro Deep Discovery Analyzer, Trend Micro Deep Discovery Director, Trend Micro Control Manager, Trend Micro Deep Discovery Email Inspector, Trend Micro Deep Discovery Inspector, Trend Micro Deep Security, Trend Micro Office Scan, Resolution1 CyberSecurity, Enterprise-IT-Security.com SF-Sherlock, Amazon AWS Security Hub, Application Security DbProtect, Blue Coat Web Security Service, Blue Coat SG Appliance, Carbon Black, Carbon Black Protection, Cisco AMP, Cisco Cloud Web Security, CyberArk Privileged Threat Analytics, Cyber-Ark Vault, Kaspersky CyberTrace, Extreme NetsightASM, Extreme XSR Security Routers, F5 Networks BIG-IP AFM, F5 Networks BIG-IP APM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP LTM, F5 Networks FirePass, Fidelis XPS, Forcepoint V Series, Forcepoint Sidewinder, Fortinet FortiGate Security Gateway, H3C IP Security Devices, IBM Informix Audit, IBM i, IBM Security Access Manager for Enterprise Single Sign-On, IBM Security Access Manager for Mobile, IBM Security Directory Server, IBM Security Identity Governance, IBM Security Identity Manager, IBM Security Network IPS (GX), IBM Security Privileged Identity Manager, IBM Security Trusteer Apex Advanced Malware Protection, IBM Tivoli Access Manager for e-business, Illumio Adaptive Security Platform, Juniper Networks Intrusion Detection and Prevention (IDP), Juniper Networks Network and Security Manager, Kaspersky Security Center, Onapsis Inc Onapsis Security Platform, Palo Alto PA Series, Proofpoint Enterprise Protection/Enterprise Privacy, Salesforce Security, Salesforce Security Auditing, Skyhigh Networks Cloud Security Platform, Sophos Web Security Appliance, Solaris BSM, Symantec ATP, Symantec Critical System Protection, Symantec DLP, Symantec Encryption Management Server, Symantec Gateway Security (SGS) Appliance, Symantec System Center, Vormetric Data Security, WatchGuard Fireware OS
Notes: No action required
Rule: MITRE.LIN.T1002.RULE Data Compressed
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-data-compressed AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/tar -k siem-data-compressed
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/gzip -k siem-data-compressed
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/zip -k siem-data-compressed
Set the correct path for your Linux distro (check the 'whereis' command).
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1005.RULE Data from Local System
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-data-from-local AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-w /usr/bin/cp -p x -k siem-data-from-local
-w /usr/bin/dd -p x -k siem-data-from-local
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1011.RULE Exfiltration Over Other Network Medium
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-network-modifications AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -F auid!=0 -k siem-network-modifications
-w /etc/hosts -p wa -k siem-network-modifications
-w /etc/sysconfig/network -p wa -k siem-network-modifications
-w /etc/network/ -p wa -k siem-network-modifications
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k siem-network-modifications
-w /etc/sysconfig/network -p wa -k siem-network-modifications
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1016.RULE System Network Configuration Discovery
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-network-discovery AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-w /etc/hosts -p r -k siem-network-discovery
-w /etc/sysconfig/network -p r -k siem-network-discovery
-w /etc/network/ -p r -k siem-network-discovery
-a always,exit -F dir=/etc/NetworkManager/ -F perm=r -k siem-network-discovery
-w /etc/sysconfig/network -p r -k siem-network-discovery
-w /etc/netplan/ -p r -k siem-network-discovery
-w /usr/bin/ip -p x -k siem-network-discovery
-w /usr/sbin/ifconfig -p x -k siem-network-discovery
-w /usr/bin/nmcli -p x -k siem-network-discovery
-w /usr/sbin/route -p x -k siem-network-discovery
-w /usr/sbin/arp -p x -k siem-network-discovery
Set the correct path for your Linux distro (check the 'whereis' command).
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1021.RULE Remote Services
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-remote-discovery AND NOT when the source IP is a part of any of the following AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: SSH logging is enabled in auditd by default.
Add the following lines to rsyslog.conf:
:msg,contains,"type=USER_" @@<qradar_ip>;t_os
& ~
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1039.RULE Data from Network Shared Drive
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-data-from-share AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rule should be enabled:
-w /<path>/ -p r -k siem-data-from-share
where '/<path>/' is your path to the mounted share (NFS, SMB, etc.).
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1040.RULE Network Sniffing
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-network-sniffing AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-a exit,always -F arch=b64 -S execve -F path=/usr/sbin/tcpdump -k siem-network-sniffing
-a exit,always -F arch=b64 -S execve -F path=/usr/sbin/tshark -k siem-network-sniffing
-a exit,always -F arch=b64 -S execve -F path=/usr/sbin/rawshark -k siem-network-sniffing
-a exit,always -F arch=b64 -S execve -F path=/usr/sbin/wireshark -k siem-network-sniffing
Set the correct path for your Linux distro (check the 'whereis' command).
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1049.RULE System Network Connections Discovery
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-connections-discovery AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-a exit,always -F arch=b64 -S execve -F path=/usr/sbin/lsof -k siem-connections-discovery
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/netstat -k siem-connections-discovery
-a exit,always -F arch=b64 -S execve -F path=/usr/sbin/ss -k siem-connections-discovery
Set the correct path for your Linux distro (check the 'whereis' command).
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules


Rule: MITRE.LIN.T1052.RULE Exfiltration Over Physical Medium
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-mount AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rule should be enabled:
auditctl -a exit,always -F arch=b64 -S mount -S umount2 -k siem-mount
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1055.RULE Process Injection
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-process-injection AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-a always,exit -F arch=b64 -S ptrace -k siem-process-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k siem-process-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k siem-process-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k siem-process-injection
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1057.RULE Process Discovery
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-process-discovery AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-a exit,always -F arch=b64 -S execve -F path=/bin/ps -k siem-process-discovery
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/top -k siem-process-discovery
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/htop -k siem-process-discovery
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/atop -k siem-process-discovery
-a exit,always -F arch=b64 -S execve -F path=/usr/sbin/iotop -k siem-process-discovery
Set the correct path for your Linux distro (check the 'whereis' command).
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules


Rule: MITRE.LIN.T1059.RULE Command-Line Interface
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-cmd-interface AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: WARNING: can be noisy!
The following auditd rule should be enabled:
-a exit,always -F arch=b64 -S execve -k siem-cmd-interface
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1070.RULE Indicator Removal on Host
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-removal-logs AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F uid!=0 -F auid!=-1 -F path=/var/log -k siem-removal-logs
-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F uid!=0 -F auid!=-1 -F path=/var/log/<folder> -k siem-removal-logs
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1072.RULE Third-party Software
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-package-manager AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
# RPM (Redhat/CentOS)
-w /usr/bin/rpm -p x -k siem-package-manager
-w /usr/bin/yum -p x -k siem-package-manager
# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k siem-package-manager
-w /sbin/yast2 -p x -k siem-package-manager
-w /bin/rpm -p x -k siem-package-manager
-w /usr/bin/zypper -k siem-package-manager
# DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k siem-package-manager
-w /usr/bin/apt-add-repository -p x -k siem-package-manager
-w /usr/bin/apt-get -p x -k siem-package-manager
-w /usr/bin/aptitude -p x -k siem-package-manager
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1078.RULE Valid Accounts
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-valid-accounts AND when the source IP is a part of any of the following TrustedNetworks
Notes: WARNING: can be noisy!
The following auditd rule should be enabled:
-a always,exit -F arch=b64 -S execve -F auid!=0 -F key=siem-valid-accounts
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1087.RULE Account Discovery
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-account-discovery AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rules should be enabled:
-a exit,always -F path=/etc/passwd -k siem-account-discovery
-a exit,always -F path=/etc/master.passwd -k siem-account-discovery
-a exit,always -F path=/etc/shadow -k siem-account-discovery
-a exit,always -F path=/etc/group -k siem-account-discovery
-a exit,always -F path=/etc/gshadow -k siem-account-discovery
-a exit,always -F path=/etc/security/opasswd -k siem-account-discovery
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1092.RULE Communication Through Removable Media
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-mount AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rule should be enabled:
auditctl -a exit,always -F arch=b64 -S mount -S umount2 -k siem-mount
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules


Rule: MITRE.LIN.T1107.RULE File Deletion
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-file-delete AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: WARNING: can be noisy!
The following auditd rule should be enabled:
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid!=4294967295 -F auid!=0 -k siem-file-delete
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1130.RULE Install Root Certificate
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-root-cert AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rule should be enabled:
-w /etc/pki/ca-trust/ -p w -F uid!=0 -k siem-root-cert
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
Rule: MITRE.LIN.T1136.RULE Create Account
Logic: when the event(s) were detected by one or more of Linux OS AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-create-account AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Notes: The following auditd rule should be enabled:
-w /etc/passwd -p w -k siem-create-account
Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
MITRE.LIN.T1145.RULE: Private Keys
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-private-keys
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    -w /home/<user>/.ssh/ -p r -k siem-private-keys
    -w /etc/ssl/certs/ -p r -k siem-private-keys
    -w /etc/pki/ca-trust/extracted/pem/ -p r -k siem-private-keys
    -w /etc/pki/tls/ -p r -k siem-private-keys
  Add your own folders and files containing certificates and keys.
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
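Because the watch rules in this guide carry placeholders such as <user> that you fill in by hand, it is worth checking a rules file before loading it. The script below is an added example for this guide (it is not part of the ScienceSoft extension) that tokenizes auditctl rule lines in the -w/-p/-k and -a/-F/-S forms used throughout this table and reports the mistakes that are easy to make when copying them: a bare path without -w, a -p value typed as "-r", a rule with no key (which leaves the QRadar "Auditd Key" property empty, so no rule in this table can match it), an unfilled placeholder, and exact duplicates. The sample rule set is constructed for the demonstration.

```python
"""Sanity-check auditd rule lines before loading them with auditctl/augenrules.
Added example for this guide; it is not part of the ScienceSoft extension."""
import shlex

VALID_PERMS = set("rwxa")                     # the only letters -p accepts
PLACEHOLDERS = ("<user>", "<your-path>")      # tokens the guide expects you to replace


def parse_rule(line):
    """Tokenize one auditctl rule (-w/-p/-k watch form or -a/-F/-S syscall form) into a dict."""
    toks = shlex.split(line.split("#", 1)[0])
    rule = {"kind": None, "action": None, "path": None, "perms": None, "key": None,
            "syscalls": [], "filters": [], "unknown": []}
    i = 0
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt in ("-w", "-a", "-p", "-k", "-S", "-F") and arg is None:
            rule["unknown"].append(opt)       # option with no value
            break
        if opt == "-w":
            rule["kind"], rule["path"] = "watch", arg
        elif opt == "-a":
            rule["kind"], rule["action"] = "syscall", arg
        elif opt == "-p":
            rule["perms"] = arg
        elif opt == "-k":
            rule["key"] = arg
        elif opt == "-S":
            rule["syscalls"].extend(arg.split(","))
        elif opt == "-F":
            if arg.startswith("key="):
                rule["key"] = arg[4:]
            else:
                rule["filters"].append(arg)
        else:
            rule["unknown"].append(opt)       # e.g. a bare path where -w was forgotten
            i += 1
            continue
        i += 2
    return rule


def lint_rule(line):
    """Return a list of 'error:/warning:/info:' messages for one rule line (empty list = clean)."""
    r = parse_rule(line)
    msgs = []
    if r["kind"] is None:
        msgs.append("error: rule must start with -w (watch) or -a (syscall)")
    if r["unknown"]:
        msgs.append(f"error: unexpected tokens {r['unknown']}")
    if r["key"] is None:
        msgs.append("error: no -k/-F key=, so the QRadar 'Auditd Key' property stays empty")
    if r["perms"] is not None and (not r["perms"] or set(r["perms"]) - VALID_PERMS):
        msgs.append(f"error: -p accepts only r, w, x, a; got {r['perms']!r}")
    if r["path"] is not None and not r["path"].startswith("/"):
        msgs.append("error: watch path must be absolute")
    if any(ph in line for ph in PLACEHOLDERS):
        msgs.append("error: placeholder still present; substitute the real path")
    if (r["kind"] == "syscall" and r["syscalls"] and r["syscalls"] != ["all"]
            and not any(f.startswith("arch=") for f in r["filters"])):
        msgs.append("warning: syscall rule without -F arch=; syscall numbers differ per ABI")
    if "arch=b64" in r["filters"]:
        msgs.append("info: arch=b64 only; add the same rule with arch=b32 to cover 32-bit callers")
    return msgs


def lint_rules(lines):
    """Lint a whole rules file; also flags exact duplicates. Returns {line: [messages]} for flagged lines."""
    report, seen = {}, set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        msgs = lint_rule(line)
        if line in seen:
            msgs.append("error: duplicate of an earlier rule (auditctl refuses exact duplicates)")
        seen.add(line)
        if msgs:
            report[line] = msgs
    return report


# Constructed rule set (not captured from a host): clean rules mixed with typical copy-paste mistakes.
SAMPLE_RULES = """
# private keys
-w /etc/ssl/certs/ -p r -k siem-private-keys
/home/<user>/.ssh/ -p r -k siem-private-keys
-w /etc/pki/tls/ -p -r -k siem-private-keys
-w /root/.bash_history -p w
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid!=4294967295 -F auid!=0 -k siem-file-delete
-a always,exit -S all -F path=/etc/passwd -F perm=w -F uid!=0 -k siem-usr-access-rem
-w /etc/ssl/certs/ -p r -k siem-private-keys
""".splitlines()

if __name__ == "__main__":
    for rule, problems in lint_rules(SAMPLE_RULES).items():
        print(rule)
        for p in problems:
            print("   ", p)
```

Run it against the file you intend to place under /etc/audit/rules.d/ before calling augenrules --load; the "info" line about arch=b32 is a reminder rather than a defect, since the rules in this guide deliberately cover the 64-bit ABI only.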
MITRE.LIN.T1146.RULE: Clear Command History
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-clear-bash
  AND when the event matches MITRE-Linux: Command (custom) is not any of bash
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -F path=/root/.bash_history -k siem-clear-bash
    -w /root/.bash_history -p w -k siem-clear-bash
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
MITRE.LIN.T1156.RULE: .bash_profile and .bashrc
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-bashrc
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    -w /etc/profile.d/ -p w -k siem-bashrc
    -w /etc/profile -p w -k siem-bashrc
    -w /etc/shells -p w -k siem-bashrc
    -w /etc/bashrc -p w -k siem-bashrc
    -w /etc/csh.cshrc -p w -k siem-bashrc
    -w /etc/csh.login -p w -k siem-bashrc
    -w /root/.bashrc -p w -k siem-bashrc
    -w /root/.bash_profile -p w -k siem-bashrc
    -w /home/<user>/.bashrc -p w -k siem-bashrc
    -w /home/<user>/.bash_profile -p w -k siem-bashrc
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
MITRE.LIN.T1168.RULE: Local Job Scheduling
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-scheduling
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    -w /etc/crontab -k siem-scheduling
    -w /etc/cron.d/ -k siem-scheduling
    -w /var/spool/cron/ -k siem-scheduling
    -w /etc/cron.allow -p wa -k siem-scheduling
    -w /etc/cron.deny -p wa -k siem-scheduling
    -w /etc/cron.d/ -p wa -k siem-scheduling
    -w /etc/cron.daily/ -p wa -k siem-scheduling
    -w /etc/cron.hourly/ -p wa -k siem-scheduling
    -w /etc/cron.monthly/ -p wa -k siem-scheduling
    -w /etc/cron.weekly/ -p wa -k siem-scheduling
    -w /etc/crontab -p wa -k siem-scheduling
    -w /var/spool/cron/crontabs/ -k siem-scheduling
    -w /etc/inittab -p wa -k siem-scheduling
    -w /etc/init.d/ -p wa -k siem-scheduling
    -w /etc/init/ -p wa -k siem-scheduling
    -w /etc/anacrontab -p wa -k siem-scheduling
    -w /etc/at.allow -p wa -k siem-scheduling
    -w /etc/at.deny -p wa -k siem-scheduling
    -w /var/spool/at/ -p wa -k siem-scheduling
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
MITRE.LIN.T1190.RULE: Exploit Public-Facing Application
Rule logic:
  when an event matches any of the following BB:MITRE.LIN.T1190: Exploit Public-Facing Application
  AND when the source is vulnerable to any exploit on any port
Action required:
  No action required.
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules

MITRE.LIN.T1203.RULE: Exploitation for Client Execution
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the source is vulnerable to any exploit on any port
Action required:
  No action required.
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules

MITRE.LIN.T1210.RULE: Exploitation of Remote Services
Rule logic:
  when an event matches any of the following BB:MITRE.LIN.T1210: Exploitation of Remote Services
  AND when the source is vulnerable to any exploit on any port
Action required:
  No action required.
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules

MITRE.LIN.T1211.RULE: Exploitation for Defense Evasion
Rule logic:
  when an event matches any of the following BB:MITRE.LIN.T1211: Exploitation for Defense Evasion
  AND when the source is vulnerable to any exploit on any port
Action required:
  No action required.
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules

MITRE.LIN.T1212.RULE: Exploitation for Credential Access
Rule logic:
  when an event matches any of the following BB:MITRE.LIN.T1212: Exploitation for Credential Access
  AND when the source is vulnerable to any exploit on any port
Action required:
  No action required.
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
MITRE.LIN.T1215.RULE: Kernel Modules and Extensions
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-kernel
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    -a always,exit -F arch=b64 -S create_module,init_module,delete_module,get_kernel_syms,query_module,finit_module -F key=siem-kernel
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
MITRE.LIN.T1222.RULE: File and Directory Permissions Modification
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-perm-mod
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    -a always,exit -F arch=b64 -S chmod -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S chown -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S fchmod -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S fchmodat -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S fchown -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S fchownat -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S fremovexattr -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S fsetxattr -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S lchown -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S lremovexattr -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S lsetxattr -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S removexattr -F auid!=4294967295 -k siem-perm-mod
    -a always,exit -F arch=b64 -S setxattr -F auid!=4294967295 -k siem-perm-mod
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
MITRE.LIN.T1483.DUMMY: Domain Generation Algorithms
Rule logic:
  when the event(s) were detected by one or more log source types
Action required:
  Domain Generation Algorithms are covered by default IBM applications. Alternatively, you can use our free lightweight application to detect DGA domains.
  See more on https://www.scnsoft.com/services/security/siem
MITRE.LIN.T1485.RULE: Data Destruction
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-destruction
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/etc -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/bin -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/sbin -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/usr/bin -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/usr/sbin -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/var -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/home -k siem-destruction
    -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid!=-1 -F dir=/srv -k siem-destruction
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
MITRE.LIN.T1488.RULE: Disk Content Wipe
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when MITRE.LIN.T1107.RULE File Deletion match at least 10 times with the same MITRE-Linux: Auditd Key (custom) in 1 minute
Action required:
  #WARNING - Can be noisy!
  The following auditd rules should be enabled:
    -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid!=4294967295 -k siem-file-delete
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
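To see how the T1107 rule logic and the T1488 threshold on top of it behave before tuning them in QRadar, it helps to run the same logic over raw auditd records offline. The script below is an added example for this guide, not ScienceSoft's extension code or QRadar's rule engine: it parses auditd SYSCALL records, applies the T1107 condition (Auditd Key is siem-file-delete AND NOT UID in the known-users set) and then counts T1107 matches per auditd key in a sliding 60-second window for T1488. Three things are assumptions: that the "MITRE-Linux: UID (custom)" property extracts the uid= field, that the "MITRE: Linux Users - AlphaNumeric" reference set can be represented by a small set of UIDs, and that QRadar's "at least 10 times in 1 minute" counter can be approximated by a sliding window that resets once it fires. The records are constructed, not captured from a host.

```python
"""Evaluate the T1107 (File Deletion) and T1488 (Disk Content Wipe) rule logic from the
table above against raw auditd SYSCALL records. Added example; not ScienceSoft's extension code."""
import re
from collections import defaultdict, deque

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Stand-in for the "MITRE: Linux Users - AlphaNumeric (Ignore Case)" reference set (assumption:
# it holds the UIDs of known, expected users; here root and one service account).
KNOWN_USER_UIDS = {"0", "1000"}


def parse_record(line):
    """Parse one auditd record into a dict with type, ts (float), serial (int) and its key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    fields.update(type=m.group("type"), ts=float(m.group("ts")), serial=int(m.group("serial")))
    return fields


def matches_t1107(ev, known_uids=KNOWN_USER_UIDS):
    """MITRE.LIN.T1107.RULE: Auditd Key is siem-file-delete AND NOT UID in the known-users set.
    Assumption: the 'MITRE-Linux: UID (custom)' property extracts the uid= field of the SYSCALL record."""
    return (ev is not None and ev.get("type") == "SYSCALL"
            and ev.get("key") == "siem-file-delete"
            and ev.get("uid") not in known_uids)


def evaluate(lines, threshold=10, window_seconds=60.0, known_uids=KNOWN_USER_UIDS):
    """Return (t1107_serials, t1488_serials). T1488 fires when T1107 matched at least `threshold`
    times with the same auditd key inside `window_seconds` (a sliding-window approximation of the
    QRadar counter; the counter is reset after firing so one burst yields one T1488 hit)."""
    t1107, t1488 = [], []
    recent = defaultdict(deque)          # auditd key -> timestamps of T1107 matches still in the window
    for line in lines:
        ev = parse_record(line)
        if not matches_t1107(ev, known_uids):
            continue
        t1107.append(ev["serial"])
        q = recent[ev["key"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            t1488.append(ev["serial"])
            q.clear()
    return t1107, t1488


def make_event(serial, ts, uid, key, exe="/usr/bin/rm"):
    """Build a constructed SYSCALL record in auditd's raw format (sample data, not captured)."""
    return (f"type=SYSCALL msg=audit({ts:.3f}:{serial}): arch=c000003e syscall=87 success=yes exit=0 "
            f'auid={uid} uid={uid} exe="{exe}" key="{key}"')


SAMPLE_LINES = [
    make_event(101, 1580000000.100, uid=0, key="siem-file-delete"),                          # root: in known set
    make_event(102, 1580000001.200, uid=1001, key="siem-perm-mod", exe="/usr/bin/chmod"),     # other key
    make_event(103, 1580000002.300, uid=1001, key="siem-file-delete"),                        # single deletion
    'type=PROCTITLE msg=audit(1580000002.300:103): proctitle="rm /tmp/x"',                    # not a SYSCALL record
] + [make_event(200 + i, 1580000100.0 + 3 * i, uid=1001, key="siem-file-delete") for i in range(12)]  # burst


if __name__ == "__main__":
    hits_1107, hits_1488 = evaluate(SAMPLE_LINES)
    print("T1107 matches:", hits_1107)         # 13 serials: 103 and 200..211
    print("T1488 (>=10 in 60 s):", hits_1488)  # fires on serial 209, the 10th deletion of the burst
```

Feeding a day of /var/log/audit/audit.log through evaluate() with your own known-user set is a quick way to judge how noisy the "Can be noisy!" file-delete rule will be on a given host, and whether the 10-per-minute threshold needs raising before you enable T1488.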
MITRE.LIN.T1491.RULE: Defacement
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-defacement
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    -w /var/www -p w -F uid!=0 -k siem-defacement
    -w /var/www/<your-path> -p w -F uid!=0 -k siem-defacement
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
MITRE.LIN.T1529.RULE: System Shutdown/Reboot
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-reboot
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    #REDHAT/CENTOS
    -a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k siem-reboot
    -a exit,always -F arch=b64 -S execve -F path=/sbin/init -k siem-reboot
    -a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k siem-reboot
    -a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k siem-reboot

    #DEBIAN/UBUNTU
    -a exit,always -F arch=b64 -S execve -F path=/usr/sbin/reboot -k siem-reboot
    -a exit,always -F arch=b64 -S execve -F path=/usr/sbin/init -k siem-reboot
    -a exit,always -F arch=b64 -S execve -F path=/usr/sbin/poweroff -k siem-reboot
    -a exit,always -F arch=b64 -S execve -F path=/usr/sbin/shutdown -k siem-reboot
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules


MITRE.LIN.T1531.RULE: Account Access Removal
Rule logic:
  when the event(s) were detected by one or more of Linux OS
  AND when the event matches MITRE-Linux: Auditd Key (custom) is any of siem-usr-access-rem
  AND NOT when any of MITRE-Linux: UID (custom) are contained in any of MITRE: Linux Users - AlphaNumeric (Ignore Case)
Action required:
  The following auditd rules should be enabled:
    -a always,exit -S all -F path=/etc/passwd -F perm=w -F uid!=0 -k siem-usr-access-rem
    -a always,exit -S all -F path=/etc/shadow -F perm=w -F uid!=0 -k siem-usr-access-rem
  Get more Linux MITRE rules: https://www.scnsoft.com/services/security/siem/linux-mitre-attack-rules
