Linux MITRE ATT&CK Rules
MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The MITRE ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
ScienceSoft is proud to present its vision of the MITRE ATT&CK tactics, designed specifically for IBM QRadar SIEM as a set of correlation rules that can be integrated with IBM QRadar in just one click.
ScienceSoft MITRE ATT&CK rules are compliant with MITRE Corporation Terms of Use: https://attack.mitre.org/resources/legal-and-branding/terms-of-use/
MITRE ATT&CK for Linux Platforms by ScienceSoft
Linux MITRE ATT&CK tactics by ScienceSoft are based on the auditd logs produced by a properly configured auditing component.
Auditd is the user-space component of the Linux Auditing System (the Audit Daemon) that provides security auditing in various Linux distributions. The set of rules developed by ScienceSoft includes an auditd configuration instruction that must be applied for those rules to work. The rules' logic is simple and straightforward, and in most cases it relies on the auditd configuration rather than on the IBM QRadar correlation capabilities, so this logic can be easily migrated to any SIEM solution of your choice.
Linux MITRE ATT&CK rules are thoroughly tested and tuned; however, they are disabled by default to prevent potential false positives in the production SIEM environment. We recommend enabling them right after the auditd configuration is applied.
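The passage above describes the design: auditd rules tag syscall records with an audit key, and the SIEM's correlation logic does little more than map that key to an ATT&CK technique and attribute the event to a user. The following Python script is an added illustration of that pattern and is not ScienceSoft's rule set or its QRadar logic. The audit key names (perm_mod, identity, log_removal) and their mapping to technique IDs from the free package (T1222, T1136, T1070) are assumptions made for this example, and the audit.log lines are constructed sample data. The script groups records by audit serial (a SYSCALL record and its PATH records share one serial), maps the key to a technique, and keeps both auid (the login user) and uid (the effective user), so that an action performed after a privilege change is still attributed to the account that logged in.

```python
import re
from collections import defaultdict

# Constructed sample auditd records in /var/log/audit/audit.log layout (not from
# the original page). The key="..." field is what an auditd rule (-k) assigns.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=90 success=yes exit=0 uid=1000 auid=1000 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=SYSCALL msg=audit(1700000000.102:302): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=PATH msg=audit(1700000000.102:302): item=0 name="/etc/passwd" inode=123 mode=0100644 key="identity"
type=SYSCALL msg=audit(1700000000.103:303): arch=c000003e syscall=87 success=yes exit=0 uid=0 auid=1000 comm="rm" exe="/usr/bin/rm" key="log_removal"
type=SYSCALL msg=audit(1700000000.104:304): arch=c000003e syscall=2 success=yes exit=4 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat"
"""

# Hypothetical audit keys -> ATT&CK technique IDs listed in the free package.
AUDIT_KEY_TO_TECHNIQUE = {
    "perm_mod": "T1222",     # permission changes (chmod family)
    "identity": "T1136",     # writes to account files such as /etc/passwd
    "log_removal": "T1070",  # deletion of files under /var/log
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {name: value.strip('"') for name, value in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["timestamp"] = m.group(1)
        fields["serial"] = int(m.group(2))
    return fields


def correlate(log_text):
    """Group records by serial and map each keyed event to a technique ID."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        serial = rec.get("serial")
        if serial is None:
            continue  # malformed line: no audit(ts:serial) stamp
        ev = events[serial]
        # actor fields come from the SYSCALL record; the key may be on any record
        for f in ("auid", "uid", "comm", "exe", "syscall", "success"):
            if f in rec and f not in ev:
                ev[f] = rec[f]
        if "key" in rec:
            ev["key"] = rec["key"]
        if rec.get("type") == "PATH" and "name" in rec:
            ev.setdefault("paths", []).append(rec["name"])

    hits = []
    for serial in sorted(events):
        ev = events[serial]
        technique = AUDIT_KEY_TO_TECHNIQUE.get(ev.get("key"))
        if technique is None:
            continue  # unkeyed syscall: no rule covers it, treated as noise
        hits.append({
            "serial": serial,
            "technique": technique,
            "auid": ev.get("auid"),
            "uid": ev.get("uid"),
            "comm": ev.get("comm"),
            "paths": ev.get("paths", []),
        })
    return hits


def escalated_hits(hits):
    """Events where the effective uid differs from the login uid (auid)."""
    return [h for h in hits if h["auid"] is not None and h["auid"] != h["uid"]]


if __name__ == "__main__":
    for h in correlate(SAMPLE_AUDIT_LOG):
        print(f'{h["technique"]} serial={h["serial"]} auid={h["auid"]} '
              f'uid={h["uid"]} comm={h["comm"]} paths={h["paths"]}')
```

Because the technique decision is carried entirely by the audit key, porting the logic to another SIEM only requires reproducing the key-to-ID table; the auditd rules themselves stay unchanged. Unkeyed records (the final cat line) are intentionally ignored, which is why the auditd configuration, not the correlation engine, determines coverage and false-positive rate.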
There are two packages of Linux MITRE ATT&CK rules provided by ScienceSoft.
The following rules are available for free and can be downloaded from the IBM App Exchange: https://exchange.xforce.ibmcloud.com/hub/
| Tactic | ID | MITRE DESCRIPTION |
| --- | --- | --- |
| Exfiltration | T1002 | |
| Collection | T1005 | |
| Exfiltration | T1011 | |
| Discovery | T1016 | |
| Lateral Movement | T1021 | |
| Collection | T1039 | |
| Credential Access, Discovery | T1040 | |
| Discovery | T1049 | |
| Exfiltration | T1052 | |
| Defense Evasion, Privilege Escalation | T1055 | |
| Discovery | T1057 | |
| Execution | T1059 | |
| Defense Evasion | T1070 | |
| Execution, Lateral Movement | T1072 | |
| Defense Evasion, Persistence, Privilege Escalation, Initial Access | T1078 | |
| Discovery | T1087 | |
| Command And Control | T1092 | |
| Defense Evasion | T1107 | |
| Defense Evasion | T1130 | |
| Persistence | T1136 | |
| Credential Access | T1145 | |
| Defense Evasion | T1146 | |
| Persistence | T1156 | |
| Persistence, Execution | T1168 | |
| Initial Access | T1190 | |
| Execution | T1203 | |
| Lateral Movement | T1210 | |
| Defense Evasion | T1211 | |
| Credential Access | T1212 | |
| Persistence | T1215 | |
| Defense Evasion | T1222 | |
| Command And Control | T1483 | |
| Impact | T1485 | |
| Impact | T1488 | |
| Impact | T1529 | |
| Impact | T1531 | |
| Integrity | T1491 | |
The rules below are licensed as a commercial product and can be purchased from ScienceSoft. To learn more, please contact us at qlean@scnsoft.com or send your request via the contact form.
| Tactic | ID | MITRE DESCRIPTION |
| --- | --- | --- |
| Credential Access | T1003 | |
| Discovery | T1018 | |
| Collection | T1025 | |
| Discovery | T1033 | |
| Defense Evasion | T1036 | |
| Privilege Escalation | T1068 | |
| Discovery | T1069 | |
| Discovery | T1082 | |
| Discovery | T1083 | |
| Defense Evasion | T1089 | |
| Defense Evasion | T1099 | |
| Persistence, Privilege Escalation | T1100 | |
| Credential Access | T1139 | |
| Privilege Escalation, Persistence | T1166 | |
| Privilege Escalation | T1169 | |
| Initial Access | T1199 | |
| Initial Access | T1200 | |
| Discovery | T1201 | |
| Defense Evasion, Persistence, Command And Control | T1205 | |
| Privilege Escalation | T1206 | |
| Command And Control | T1219 | |
| Impact | T1487 | |
| Impact | T1490 | |
| Impact | T1492 | |
| Impact | T1494 | |
| Defense Evasion | T1500 | |
| Persistence | T1501 | |
| Discovery | T1518 | |
| Impact | T1486 | |
| Lateral Movement | T1184 | |