Analytics Story: Linux Persistence Techniques
Description
Monitor for activities and techniques associated with maintaining persistence on a Linux system--a sign that an adversary may have compromised your environment.
Why it matters
Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.
Correlation Search
1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Linux Auditd Add User | auditd |
auditd |
|
Linux Auditd Execve | auditd |
auditd |
|
Linux Auditd Path | auditd |
auditd |
|
Linux Auditd Proctitle | auditd |
auditd |
|
Linux Auditd Service Stop | auditd |
auditd |
|
Linux Auditd Syscall | auditd |
auditd |
|
Sysmon for Linux EventID 1 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
Sysmon for Linux EventID 11 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
References
- https://attack.mitre.org/techniques/T1053/
- https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/
- https://gtfobins.github.io/gtfobins/at/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf
Source: GitHub | Version: 1