Develop Sigma rules for Atomic Red Team test (Linux)
- Subject: Atomic Red Team project
- Author: @redcanaryco
- Type: threat simulation tests
- Requirements: Create one Pull Request per Sigma rule
- Pro tip: Consider developing Sigma rules for both Linux and macOS tests concurrently. There is a lot of overlap, and you can kill two birds with one stone.
Please comment on the issue with the task number you are going to work on, so that others do not overlap with you.
| Task # | ATT&CK Technique name/link | ART test link | Comment |
|---|---|---|---|
| 1 | T1014: Rootkit | link | this task could take a huge amount of time to solve |
| 2 | T1016: System Network Configuration Discovery | link | |
| 3 | T1018: Remote System Discovery | link | |
| 4 | T1027: Obfuscated Files or Information | link | |
| 5 | T1027.001: Binary Padding | link | |
| 6 | T1030: Data Transfer Size Limits | link | |
| 7 | T1046: Network Service Scanning | link | |
| 8 | T1049: System Network Connections Discovery | link | |
| 9 | T1053.001: At (Linux) | link | |
| 10 | T1053.003: Cron | link | |
| 11 | T1057: Process Discovery | link | |
| 12 | T1069.001: Local Groups | link | |
| 13 | T1070.002: Clear Linux or Mac System Logs | link | |
| 14 | T1070.004: File Deletion | link | |
| 15 | T1070.006: Timestomp | link | |
| 16 | T1071.001: Web Protocols | link | |
| 17 | T1082: System Information Discovery | link | |
| 18 | T1083: File and Directory Discovery | link | |
| 19 | T1087.001: Local Account | link | |
| 20 | T1090.001: Internal Proxy | link | |
| 21 | T1113: Screen Capture | link | |
| 22 | T1135: Network Share Discovery | link | |
| 23 | T1176: Browser Extensions | link | |
| 24 | T1201: Password Policy Discovery | link | |
| 25 | T1217: Browser Bookmark Discovery | link | |
| 26 | T1518.001: Security Software Discovery | link | |
| 27 | T1529: System Shutdown/Reboot | link | |
| 28 | T1546.005: Trap | link | |
| 29 | T1547.006: Kernel Modules and Extensions | link | this task could take a huge amount of time to solve |
| 30 | T1548.001: Setuid and Setgid | link | |
| 31 | T1548.003: Sudo and Sudo Caching | link | |
| 32 | T1552.001: Credentials In Files | link | |
| 33 | T1552.003: Bash History | link | |
| 34 | T1552.004: Private Keys | link | |
| 35 | T1553.004: Install Root Certificate | link | |
| 36 | T1562.001: Disable or Modify Tools | link | this task could take a huge amount of time to solve |
| 37 | T1562.003: HISTCONTROL | link | |
| 38 | T1562.004: Disable or Modify System Firewall | link | |
| 39 | T1564.001: Hidden Files and Directories | link | |
I will work on these: 9, 11, 13, 14, 35, 16, 17, 24
T1548.001: Setuid and Setgid: https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_setgid_setuid.yml
Task 20: https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_proxy_connection.yml
Taking task 10: T1053.003: Cron
Taking:
- 19 T1087.001: Local Account
- 12 T1069.001: Local Groups
I can take 7,22
Taking:
- 38 T1562.004: Disable or Modify System Firewall
- 3 T1018: Remote System Discovery
Taking:
- 5. T1027.001: Binary Padding
- 6. T1030: Data Transfer Size Limits
- 7. T1046: Network Service Scanning
- 15. T1070.006: Timestomp
- 27. T1529: System Shutdown/Reboot
- 32. T1552.001: Credentials In Files
@fitsigor I'm already working on 7 😄
ok, didn't notice
Taking 33 T1552.003: Bash History
@fitsigor I took T1046 Network Service Scanning on macOS but I see you have it on Linux. As rules should be the same, let me know if you want to also take the macOS one.
I'll work out:
- 4: T1027: Obfuscated Files or Information
- 8: T1049: System Network Connections Discovery
- 18: T1083: File and Directory Discovery
- 26: T1518.001: Security Software Discovery
@fitsigor done T1046 Network Service Scanning for Linux as it seems the same as for macOS:
https://github.com/Neo23x0/sigma/pull/1257