Linux MITRE ATTACK Rules

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on the real-world observations. The MITRE ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

ScienceSoft is proud to present its vision of the MITRE ATT&CK tactics designed specially for IBM QRadar SIEM as a set of correlation rules ready to be integrated with IBM QRadar just in one click.

ScienceSoft MITRE ATT&CK rules are compliant with MITRE Corporation Terms of Use: https://attack.mitre.org/resources/legal-and-branding/terms-of-use/

MITRE ATT&CK for Linux Platforms by ScienceSoft

Linux MITRE ATT&CK tactics by ScienceSoft are based on the auditd logs provided by a properly configured auditing component.

Auditd is a user space component in the UNIX Auditing System (Audit Daemon) that provides users with a security auditing aspect in various Linux distributives. The set of the rules developed by ScienceSoft includes an auditd configuration instruction that needs to be performed in order to work for those rules. The rules logic is simple and straightforward, and in most cases it relies on the auditd configuration rather than on the IBM QRadar correlation capabilities. This logic can be easily migrated to any SIEM solution of your choice.

Linux MITRE ATT&CK rules are thoroughly tested and tuned, however, they are disabled by default in order to prevent potential false-positives in the production SIEM environment. We recommend enabling them right after the auditd configuration.

There are two packages of Linux MITRE ATT&CK rules provided by ScienceSoft.

The following rules are available for free and can be downloaded from IBM App Exchange: https://exchange.xforce.ibmcloud.com/hub/

Tactic	ID	MITRE DESCRIPTION
Exfiltration	T1002	Data Compressed
Collection	T1005	Data from Local System
Exfiltration	T1011	Exfiltration Over Other Network Medium
Discovery	T1016	System Network Configuration Discovery
Lateral Movement	T1021	Remote Services
Collection	T1039	Data from Network Shared Drive
Credential Access, Discovery	T1040	Network Sniffing
Discovery	T1049	System Network Connections Discovery
Exfiltration	T1052	Exfiltration Over Physical Medium
Defense Evasion, Privilege Escalation	T1055	Process Injection
Discovery	T1057	Process Discovery
Execution	T1059	Command-Line Interface
Defense Evasion	T1070	Indicator Removal on Host
Execution, Lateral Movement	T1072	Third-party Software
Defense Evasion, Persistence, Privilege Escalation, Initial Access	T1078	Valid Accounts
Discovery	T1087	Account Discovery
Command And Control	T1092	Communication Through Removable Media
Defense Evasion	T1107	File Deletion
Defense Evasion	T1130	Install Root Certificate
Persistence	T1136	Create Account
Credential Access	T1145	Private Keys
Defense Evasion	T1146	Clear Command History
Persistence	T1156	.bash_profile and .bashrc
Persistence, Execution	T1168	Local Job Scheduling
Initial Access	T1190	Exploit Public-Facing Application
Execution	T1203	Exploitation for Client Execution
Lateral Movement	T1210	Exploitation of Remote Services
Defense Evasion	T1211	Exploitation for Defense Evasion
Credential Access	T1212	Exploitation for Credential Access
Persistence	T1215	Kernel Modules and Extensions
Defense Evasion	T1222	File and Directory Permissions Modification
Command And Control	T1483	Domain Generation Algorithms
Impact	T1485	Data Destruction
Impact	T1488	Disk Content Wipe
Impact	T1529	System Shutdown/Reboot
Impact	T1531	Account Access Removal
Integrity	T1491	Defacement

The rules below are licensed as a commercial product and can be purchased from ScienceSoft. To learn more, please contact us at qlean@scnsoft.com or send your request via contact form.

Tactic	ID	MITRE DESCRIPTION
Credential Access	T1003	Credential Dumping
Discovery	T1018	Remote System Discovery
Collection	T1025	Data from Removable Media
Discovery	T1033	System Owner/User Discovery
Defense Evasion	T1036	Masquerading
Privilege Escalation	T1068	Exploitation for Privilege Escalation
Discovery	T1069	Permission Groups Discovery
Discovery	T1082	System Information Discovery
Discovery	T1083	File and Directory Discovery
Defense Evasion	T1089	Disabling Security Tools
Defense Evasion	T1099	Timestomp
Persistence, Privilege Escalation	T1100	Web Shell
Credential Access	T1139	Bash History
Privilege Escalation, Persistence	T1166	Setuid and Setgid
Privilege Escalation	T1169	Sudo
Initial Access	T1199	Trusted Relationship
Initial Access	T1200	Hardware Additions
Discovery	T1201	Password Policy Discovery
Defense Evasion, Persistence, Command And Control	T1205	Port Knocking
Privilege Escalation	T1206	Sudo Caching
Command And Control	T1219	Remote Access Tools
Impact	T1487	Disk Structure Wipe
Impact	T1490	Inhibit System Recovery
Impact	T1492	Stored Data Manipulation
Impact	T1494	Runtime Data Manipulation
Defense Evasion	T1500	Compile After Delivery
Persistence	T1501	Systemd Service
Discovery	T1518	Software Discovery
Impact	T1486	Data Encrypted for Impact
Lateral Movement	T1184	SSH Hijacking