├── LICENSE ├── README.md ├── attack_map.png ├── auditd-attack.rules ├── base_config.rules └── layer-2.json /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 bfuzzy 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # auditd-attack 2 | A Linux Auditd rule set mapped to MITRE's Attack Framework 3 | 4 | ![](https://github.com/bfuzzy/auditd-attack/blob/master/attack_map.png) 5 | 6 | ## Disclaimer 7 | 8 | Please ensure you test these rules prior to pushing them into production. This rule set is NOT meant to have all of its rules enabled all at once (although that'd be ideal) it is setup to serve as guidance toward increasing detection/hunting coverage. 
9 | 10 | ## WIKI 11 | 12 | [WIKI](https://github.com/bfuzzy/auditd-attack/wiki/Audit-Event-Fields) 13 | 14 | 15 | ## Special Thanks To: 16 | 17 | [Eric Gershman](https://github.com/EricGershman/auditd-examples) 18 | 19 | [iase.disa.mil](https://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx) 20 | 21 | [cyb3rops](https://gist.github.com/Neo23x0/9fe88c0c5979e017a389b90fd19ddfee) 22 | 23 | [ugurengin](https://gist.github.com/ugurengin/4d37ee83e87bc44291f8ae87a00504cd) 24 | 25 | [checkraze](https://github.com/checkraze/auditd-rules/blob/master/auditd.rules) 26 | 27 | [auditdBroFramework](https://github.com/set-element/auditdBroFramework/blob/master/system_config/audit.rules) 28 | 29 | [@MITREattack](https://twitter.com/MITREattack) 30 | 31 | 32 | ## TODO 33 | - [ ] Increase MITRE ATT&CK coverage 34 | - [ ] Test rules across multiple flavors of Linux 35 | - [ ] Determine performance impacts of the ruleset 36 | -------------------------------------------------------------------------------- /attack_map.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bfuzzy/auditd-attack/41d8a138f7ea3761c019dda351aba5350b500722/attack_map.png -------------------------------------------------------------------------------- /auditd-attack.rules: -------------------------------------------------------------------------------- 1 | # auditd-attack 2 | # A Linux Auditd configuration mapped to MITRE's Attack Framework 3 | # Most of my inspiration came from various individuals so I won't name them all, but your work does not go 4 | # unnoticed! 
5 | 6 | ### Special Thanks To 7 | 8 | #[Eric Gershman](https://github.com/EricGershman/auditd-examples) 9 | #[iase.disa.mil](https://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx) 10 | #[cyb3rops](https://gist.github.com/Neo23x0/9fe88c0c5979e017a389b90fd19ddfee) 11 | #[ugurengin](https://gist.github.com/ugurengin/4d37ee83e87bc44291f8ae87a00504cd) 12 | #[checkraze](https://github.com/checkraze/auditd-rules/blob/master/auditd.rules) 13 | #[auditdBroFramework](https://github.com/set-element/auditdBroFramework/blob/master/system_config/audit.rules) 14 | 15 | # Remove any existing rules 16 | -D 17 | 18 | # Buffer Size 19 | ## Feel free to increase this if the machine panics 20 | -b 8192 21 | 22 | # Failure Mode 23 | ## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system) 24 | -f 1 25 | 26 | # Ignore errors 27 | ## e.g. caused by users or files not found in the local environment 28 | -i 29 | 30 | # Self Auditing --------------------------------------------------------------- 31 | 32 | ## Audit the audit logs 33 | ### Successful and unsuccessful attempts to read information from the audit records 34 | -w /var/log/audit/ -k auditlog 35 | 36 | ## Auditd configuration 37 | ### Modifications to audit configuration that occur while the audit collection functions are operating 38 | -w /etc/audit/ -p wa -k auditconfig 39 | -w /etc/libaudit.conf -p wa -k auditconfig 40 | -w /etc/audisp/ -p wa -k audispconfig 41 | 42 | ## Monitor for use of audit management tools 43 | -w /sbin/auditctl -p x -k audittools 44 | -w /sbin/auditd -p x -k audittools 45 | 46 | # Filters --------------------------------------------------------------------- 47 | 48 | ### We put these early because audit is a first-match-wins system. 
49 | 50 | ## Ignore SELinux AVC records 51 | ##-a always,exclude -F msgtype=AVC 52 | 53 | ## Ignore current working directory records 54 | -a always,exclude -F msgtype=CWD 55 | 56 | ## Ignore EOE records (End Of Event, not needed) 57 | -a always,exclude -F msgtype=EOE 58 | 59 | ## Cron jobs fill the logs with stuff we normally don't want (works with SELinux) 60 | -a never,user -F subj_type=crond_t 61 | -a exit,never -F subj_type=crond_t 62 | 63 | ## This prevents chrony from overwhelming the logs 64 | ##-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t 65 | 66 | ## This is not very interesting and wastes a lot of space if the server is public facing 67 | -a always,exclude -F msgtype=CRYPTO_KEY_USER 68 | 69 | ## VMWare tools 70 | -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 71 | -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2 72 | 73 | ### High Volume Event Filter (especially on Linux Workstations) 74 | -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess 75 | -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess 76 | -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm 77 | -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm 78 | 79 | 80 | # Rules ----------------------------------------------------------------------- 81 | 82 | ## Kernel Related Events 83 | -w /etc/sysctl.conf -p wa -k sysctl 84 | -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k T1215_Kernel_Modules_and_Extensions 85 | -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k T1215_Kernel_Modules_and_Extensions 86 | -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k T1215_Kernel_Modules_and_Extensions 87 | -a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions 88 | -a always,exit -F arch=b32 -S finit_module -S 
init_module -S delete_module -F auid!=-1 -k T1215_Kernel_Modules_and_Extensions 89 | -w /etc/modprobe.conf -p wa -k T1215_Kernel_Modules_and_Extensions 90 | 91 | ## Time Related Events 92 | -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp 93 | -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k T1099_Timestomp 94 | -a always,exit -F arch=b32 -S clock_settime -k T1099_Timestomp 95 | -a always,exit -F arch=b64 -S clock_settime -k T1099_Timestomp 96 | -w /etc/localtime -p wa -k T1099_Timestomp 97 | 98 | ## Stunnel 99 | -w /usr/sbin/stunnel -p x -k T1079_Multilayer_Encryption 100 | 101 | ## Cron configuration & scheduled jobs related events 102 | -w /etc/cron.allow -p wa -k T1168_Local_Job_Scheduling 103 | -w /etc/cron.deny -p wa -k T1168_Local_Job_Scheduling 104 | -w /etc/cron.d/ -p wa -k T1168_Local_Job_Scheduling 105 | -w /etc/cron.daily/ -p wa -k T1168_Local_Job_Scheduling 106 | -w /etc/cron.hourly/ -p wa -k T1168_Local_Job_Scheduling 107 | -w /etc/cron.monthly/ -p wa -k T1168_Local_Job_Scheduling 108 | -w /etc/cron.weekly/ -p wa -k T1168_Local_Job_Scheduling 109 | -w /etc/crontab -p wa -k T1168_Local_Job_Scheduling 110 | -w /var/spool/cron/crontabs/ -k T1168_Local_Job_Scheduling 111 | -w /etc/inittab -p wa -k T1168_Local_Job_Scheduling 112 | -w /etc/init.d/ -p wa -k T1168_Local_Job_Scheduling 113 | -w /etc/init/ -p wa -k T1168_Local_Job_Scheduling 114 | -w /etc/at.allow -p wa -k T1168_Local_Job_Scheduling 115 | -w /etc/at.deny -p wa -k T1168_Local_Job_Scheduling 116 | -w /var/spool/at/ -p wa -k T1168_Local_Job_Scheduling 117 | -w /etc/anacrontab -p wa -k T1168_Local_Job_Scheduling 118 | 119 | ## Account Related Events 120 | -w /etc/sudoers -p wa -k T1078_Valid_Accounts 121 | -w /usr/bin/passwd -p x -k T1078_Valid_Accounts 122 | -w /usr/sbin/groupadd -p x -k T1078_Valid_Accounts 123 | -w /usr/sbin/groupmod -p x -k T1078_Valid_Accounts 124 | -w /usr/sbin/addgroup -p x -k T1078_Valid_Accounts 125 | -w 
/usr/sbin/useradd -p x -k T1078_Valid_Accounts 126 | -w /usr/sbin/usermod -p x -k T1078_Valid_Accounts 127 | -w /usr/sbin/adduser -p x -k T1078_Valid_Accounts 128 | 129 | ## Privileged Command Execution Related Events 130 | -a exit,always -F arch=b64 -F euid=0 -S execve -k T1078_Valid_Accounts 131 | -a exit,always -F arch=b32 -F euid=0 -S execve -k T1078_Valid_Accounts 132 | -a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 133 | -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 134 | -a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 135 | -a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 136 | -a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 137 | -a always,exit -F path=/bin/chgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 138 | -a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 139 | -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 140 | -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 141 | -a always,exit -F path=/sbin/pwck -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 142 | -a always,exit -F path=/usr/sbin/suexec -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 143 | -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 144 | -a always,exit -F path=/usr/sbin/newusers -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 145 | -a always,exit -F path=/usr/sbin/groupdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 146 | -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=500 -F 
auid!=4294967295 -k T1078_Valid_Accounts 147 | -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 148 | -a always,exit -F path=/usr/sbin/ccreds_validate -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 149 | -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 150 | ##-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 151 | -a always,exit -F path=/usr/bin/Xorg -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 152 | -a always,exit -F path=/usr/bin/rlogin -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 153 | -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 154 | -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 155 | -a always,exit -F path=/usr/bin/rsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 156 | -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 157 | -a always,exit -F path=/usr/bin/kgrantpty -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 158 | -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 159 | -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 160 | -a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 161 | -a always,exit -F path=/usr/bin/rcp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 162 | -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 163 | -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 164 | -a always,exit -F 
path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 165 | -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 166 | -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 167 | -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 168 | -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 169 | -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 170 | -a always,exit -F path=/usr/bin/newrole -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 171 | -a always,exit -F path=/usr/bin/kpac_dhcp_helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts 172 | 173 | ## Media Export Related Events 174 | -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k T1052_Exfiltration_Over_Physical_Medium 175 | -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k T1052_Exfiltration_Over_Physical_Medium 176 | 177 | ## Session Related Events 178 | -w /var/run/utmp -p wa -k T1108_Redundant_Access 179 | -w /var/log/wtmp -p wa -k T1108_Redundant_Access 180 | -w /var/log/btmp -p wa -k T1108_Redundant_Access 181 | 182 | ## Login Related Events 183 | -w /var/log/faillog -p wa -k T1021_Remote_Services 184 | -w /var/log/lastlog -p wa -k T1021_Remote_Services 185 | -w /var/log/tallylog -p wa -k T1021_Remote_Services 186 | 187 | ## Pam Related Events 188 | -w /etc/pam.d/ -p wa -k T1071_Standard_Application_Layer_Protocol 189 | -w /etc/security/limits.conf -p wa -k T1071_Standard_Application_Layer_Protocol 190 | -w /etc/security/pam_env.conf -p wa -k T1071_Standard_Application_Layer_Protocol 191 | -w /etc/security/namespace.conf -p wa -k T1071_Standard_Application_Layer_Protocol 192 | -w /etc/security/namespace.init -p wa -k 
T1071_Standard_Application_Layer_Protocol 193 | -w /etc/pam.d/common-password -p wa -k T1201_Password_Policy_Discovery 194 | 195 | ## SSH Related Events 196 | -w /etc/ssh/sshd_config -k T1021_Remote_Services 197 | 198 | ## C2 Related Events 199 | # Log 64-bit processes (a2!=110, i.e. 0x6e, filters out local unix socket calls) 200 | -a exit,always -F arch=b64 -S connect -F a2!=110 -k T1043_Commonly_Used_Port 201 | 202 | # Log 32-bit processes (a0=3 means only outbound sys_connect calls) 203 | -a exit,always -F arch=b32 -S socketcall -F a0=3 -k T1043_Commonly_Used_Port 204 | 205 | ## Priv Escalation Related Events 206 | -w /bin/su -p x -k T1169_Sudo 207 | -w /usr/bin/sudo -p x -k T1169_Sudo 208 | -w /etc/sudoers -p rw -k T1169_Sudo 209 | -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k T1169_Sudo 210 | -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 211 | -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 212 | -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 213 | -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 214 | -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 215 | -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 216 | -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 217 | -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 218 | -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 219 | -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 220 | -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 221 | -a always,exit -F 
arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 222 | -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 223 | -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 224 | -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 225 | -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 226 | -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 227 | -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 228 | -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 229 | -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 230 | -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 231 | -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 232 | -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 233 | -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 234 | -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 235 | -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1166_Seuid_and_Setgid 236 | -a always,exit -F arch=b64 -C auid!=uid -S execve -k T1166_Seuid_and_Setgid 237 | -a always,exit -F arch=b32 -C auid!=uid -S execve -k T1166_Seuid_and_Setgid 238 | -a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k T1166_Seuid_and_Setgid 239 | -a always,exit -F arch=b32 -S setuid -S setgid -S setreuid -S setregid -k T1166_Seuid_and_Setgid 240 | -a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -F 
exit=EPERM -k T1166_Seuid_and_Setgid 241 | -a always,exit -F arch=b32 -S setuid -S setgid -S setreuid -S setregid -F exit=EPERM -k T1166_Seuid_and_Setgid 242 | -w /usr/bin/ -p wa -k T1068_Exploitation_for_Privilege_Escalation 243 | 244 | ## Recon Related Events 245 | -w /etc/group -p wa -k T1087_Account_Discovery 246 | -w /etc/passwd -p wa -k TT1087_Account_Discovery 247 | -w /etc/gshadow -k T1087_Account_Discovery 248 | -w /etc/shadow -k T1087_Account_Discovery 249 | -w /etc/security/opasswd -k T1087_Account_Discovery 250 | -w /usr/sbin/nologin -k T1087_Account_Discovery 251 | -w /sbin/nologin -k T1087_Account_Discovery 252 | -w /usr/bin/whoami -p x -k T1033_System_Owner_User_Discovery 253 | -w /etc/hostname -p r -k T1082_System_Information_Discovery 254 | -w /sbin/iptables -p x -k T1082_System_Information_Discovery 255 | -w /sbin/ifconfig -p x -k T1082_System_Information_Discovery 256 | -w /etc/login.defs -p wa -k T1082_System_Information_Discovery 257 | -w /etc/resolv.conf -k T1016_System_Network_Configuration_Discovery 258 | -w /etc/hosts.allow -k T1016_System_Network_Configuration_Discovery 259 | -w /etc/hosts.deny -k T1016_System_Network_Configuration_Discovery 260 | -w /etc/securetty -p wa -k T1082_System_Information_Discovery 261 | -w /var/log/faillog -p wa -k T1082_System_Information_Discovery 262 | -w /var/log/lastlog -p wa -k T1082_System_Information_Discovery 263 | -w /var/log/tallylog -p wa -k T1082_System_Information_Discovery 264 | -w /usr/sbin/tcpdump -p x -k T1049_System_Network_Connections_discovery 265 | -w /usr/sbin/traceroute -p x -k T1049_System_Network_Connections_discovery 266 | -w /usr/bin/wireshark -p x -k T1049_System_Network_Connections_discovery 267 | -w /usr/bin/rawshark -p x -k T1049_System_Network_Connections_discovery 268 | -w /usr/bin/grep -p x -k T1081_Credentials_In_Files 269 | -w /usr/bin/egrep -p x -k T1081_Credentials_In_Files 270 | -w /usr/bin/ps -p x -k T1057_Process_Discovery 271 | 272 | ## Data Copy(Local) 273 | -w 
/usr/bin/cp -p x -k T1005_Data_from_Local_System 274 | -w /usr/bin/dd -p x -k T1005_Data_from_Local_System 275 | 276 | ## Remote Access Related Events 277 | -w /usr/bin/wget -p x -k T1219_Remote_Access_Tools 278 | -w /usr/bin/curl -p x -k T1219_Remote_Access_Tools 279 | -w /usr/bin/base64 -p x -k T1219_Remote_Access_Tools 280 | -w /bin/nc -p x -k T1219_Remote_Access_Tools 281 | -w /bin/netcat -p x -k T1219_Remote_Access_Tools 282 | -w /usr/bin/ncat -p x -k T1219_Remote_Access_Tools 283 | -w /usr/bin/ssh -p x -k T1219_Remote_Access_Tools 284 | -w /usr/bin/socat -p x -k T1219_Remote_Access_Tools 285 | -w /usr/bin/rdesktop -p x -k T1219_Remote_Access_Tools 286 | 287 | ## Third Party Software 288 | # RPM (Redhat/CentOS) 289 | -w /usr/bin/rpm -p x -k T1072_third_party_software 290 | -w /usr/bin/yum -p x -k T1072_third_party_software 291 | 292 | # YAST/Zypper/RPM (SuSE) 293 | -w /sbin/yast -p x -k T1072_third_party_software 294 | -w /sbin/yast2 -p x -k T1072_third_party_software 295 | -w /bin/rpm -p x -k T1072_third_party_software 296 | -w /usr/bin/zypper -k T1072_third_party_software 297 | 298 | # DPKG / APT-GET (Debian/Ubuntu) 299 | -w /usr/bin/dpkg -p x -k T1072_third_party_software 300 | -w /usr/bin/apt-add-repository -p x -k T1072_third_party_software 301 | -w /usr/bin/apt-get -p x -k T1072_third_party_software 302 | -w /usr/bin/aptitude -p x -k T1072_third_party_software 303 | 304 | ## Code Injection Related Events 305 | -a always,exit -F arch=b32 -S ptrace -k T1055_Process_Injection 306 | -a always,exit -F arch=b64 -S ptrace -k T1055_Process_Injection 307 | -a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k T1055_Process_Injection 308 | -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k T1055_Process_Injection 309 | -a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k T1055_Process_Injection 310 | -a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k T1055_Process_Injection 311 | -a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k T1055_Process_Injection 312 | -a always,exit 
-F arch=b64 -S ptrace -F a0=0x6 -k T1055_Process_Injection 313 | 314 | ## Shell configuration Persistence Related Events 315 | -w /etc/profile.d/ -k T1156_bash_profile_and_bashrc 316 | -w /etc/profile -k T1156_bash_profile_and_bashrc 317 | -w /etc/shells -k T1156_bash_profile_and_bashrc 318 | -w /etc/bashrc -k T1156_bash_profile_and_bashrc 319 | -w /etc/csh.cshrc -k T1156_bash_profile_and_bashrc 320 | -w /etc/csh.login -k T1156_bash_profile_and_bashrc 321 | 322 | #Log all commands (Noisy) 323 | #-a exit,always -F arch=b64 -S execve -k T1059_CommandLine_Interface 324 | #-a exit,always -F arch=b32 -S execve -k T1059_CommandLine_Interface 325 | 326 | #Remote File Copy 327 | -w /usr/bin/ftp -p x -k T1105_remote_file_copy 328 | 329 | ## File Deletion by User Related Events 330 | -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion 331 | -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1107_File_Deletion 332 | -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host 333 | -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070_Indicator_Removal_on_Host 334 | 335 | # Make the configuration immutable -------------------------------------------- 336 | ##-e 2 337 | -------------------------------------------------------------------------------- /base_config.rules: -------------------------------------------------------------------------------- 1 | ## First rule - delete all 2 | -D 3 | 4 | ## Increase the buffers to survive stress events. 
5 | ## Make this bigger for busy systems 6 | -b 8192 7 | 8 | ## This determine how long to wait in burst of events 9 | --backlog_wait_time 60000 10 | 11 | ## Set failure mode to syslog 12 | -f 1 13 | -------------------------------------------------------------------------------- /layer-2.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "layer", 3 | "version": "2.0", 4 | "domain": "mitre-enterprise", 5 | "description": "", 6 | "filters": { 7 | "stages": [ 8 | "act" 9 | ], 10 | "platforms": [ 11 | "linux" 12 | ] 13 | }, 14 | "sorting": 0, 15 | "viewMode": 0, 16 | "hideDisabled": false, 17 | "techniques": [ 18 | { 19 | "techniqueID": "T1156", 20 | "tactic": "persistence", 21 | "color": "#31a354", 22 | "comment": "", 23 | "enabled": true 24 | }, 25 | { 26 | "techniqueID": "T1087", 27 | "tactic": "discovery", 28 | "color": "#31a354", 29 | "comment": "", 30 | "enabled": true 31 | }, 32 | { 33 | "techniqueID": "T1139", 34 | "tactic": "credential-access", 35 | "color": "#31a354", 36 | "comment": "", 37 | "enabled": true 38 | }, 39 | { 40 | "techniqueID": "T1146", 41 | "tactic": "defense-evasion", 42 | "color": "#31a354", 43 | "comment": "", 44 | "enabled": true 45 | }, 46 | { 47 | "techniqueID": "T1059", 48 | "tactic": "execution", 49 | "color": "#31a354", 50 | "comment": "", 51 | "enabled": true 52 | }, 53 | { 54 | "techniqueID": "T1043", 55 | "tactic": "command-and-control", 56 | "color": "#31a354", 57 | "comment": "", 58 | "enabled": true 59 | }, 60 | { 61 | "techniqueID": "T1092", 62 | "tactic": "command-and-control", 63 | "color": "#31a354", 64 | "comment": "", 65 | "enabled": true 66 | }, 67 | { 68 | "techniqueID": "T1090", 69 | "tactic": "command-and-control", 70 | "color": "#31a354", 71 | "comment": "", 72 | "enabled": true 73 | }, 74 | { 75 | "techniqueID": "T1136", 76 | "tactic": "persistence", 77 | "color": "#31a354", 78 | "comment": "", 79 | "enabled": true 80 | }, 81 | { 82 | "techniqueID": "T1089", 83 | 
"tactic": "defense-evasion", 84 | "color": "#31a354", 85 | "comment": "", 86 | "enabled": true 87 | }, 88 | { 89 | "techniqueID": "T1048", 90 | "tactic": "exfiltration", 91 | "color": "#31a354", 92 | "comment": "", 93 | "enabled": true 94 | }, 95 | { 96 | "techniqueID": "T1041", 97 | "tactic": "exfiltration", 98 | "color": "#31a354", 99 | "comment": "", 100 | "enabled": true 101 | }, 102 | { 103 | "techniqueID": "T1011", 104 | "tactic": "exfiltration", 105 | "color": "#31a354", 106 | "comment": "", 107 | "enabled": true 108 | }, 109 | { 110 | "techniqueID": "T1052", 111 | "tactic": "exfiltration", 112 | "color": "#31a354", 113 | "comment": "", 114 | "enabled": true 115 | }, 116 | { 117 | "techniqueID": "T1068", 118 | "tactic": "privilege-escalation", 119 | "color": "#31a354", 120 | "comment": "", 121 | "enabled": true 122 | }, 123 | { 124 | "techniqueID": "T1107", 125 | "tactic": "defense-evasion", 126 | "color": "#31a354", 127 | "comment": "", 128 | "enabled": true 129 | }, 130 | { 131 | "techniqueID": "T1222", 132 | "tactic": "defense-evasion", 133 | "color": "#31a354", 134 | "comment": "", 135 | "enabled": true 136 | }, 137 | { 138 | "techniqueID": "T1070", 139 | "tactic": "defense-evasion", 140 | "color": "#31a354", 141 | "comment": "", 142 | "enabled": true 143 | }, 144 | { 145 | "techniqueID": "T1215", 146 | "tactic": "persistence", 147 | "color": "#31a354", 148 | "comment": "", 149 | "enabled": true 150 | }, 151 | { 152 | "techniqueID": "T1168", 153 | "tactic": "persistence", 154 | "color": "#31a354", 155 | "comment": "", 156 | "enabled": true 157 | }, 158 | { 159 | "techniqueID": "T1168", 160 | "tactic": "execution", 161 | "color": "#31a354", 162 | "comment": "", 163 | "enabled": true 164 | }, 165 | { 166 | "techniqueID": "T1026", 167 | "tactic": "command-and-control", 168 | "color": "#31a354", 169 | "comment": "", 170 | "enabled": true 171 | }, 172 | { 173 | "techniqueID": "T1079", 174 | "tactic": "command-and-control", 175 | "color": "#31a354", 176 | 
"comment": "", 177 | "enabled": true 178 | }, 179 | { 180 | "techniqueID": "T1201", 181 | "tactic": "discovery", 182 | "color": "#31a354", 183 | "comment": "", 184 | "enabled": true 185 | }, 186 | { 187 | "techniqueID": "T1069", 188 | "tactic": "discovery", 189 | "color": "#31a354", 190 | "comment": "", 191 | "enabled": true 192 | }, 193 | { 194 | "techniqueID": "T1055", 195 | "tactic": "defense-evasion", 196 | "color": "#31a354", 197 | "comment": "", 198 | "enabled": true 199 | }, 200 | { 201 | "techniqueID": "T1055", 202 | "tactic": "privilege-escalation", 203 | "color": "#31a354", 204 | "comment": "", 205 | "enabled": true 206 | }, 207 | { 208 | "techniqueID": "T1108", 209 | "tactic": "defense-evasion", 210 | "color": "#31a354", 211 | "comment": "", 212 | "enabled": true 213 | }, 214 | { 215 | "techniqueID": "T1108", 216 | "tactic": "persistence", 217 | "color": "#31a354", 218 | "comment": "", 219 | "enabled": true 220 | }, 221 | { 222 | "techniqueID": "T1219", 223 | "tactic": "command-and-control", 224 | "color": "#31a354", 225 | "comment": "", 226 | "enabled": true 227 | }, 228 | { 229 | "techniqueID": "T1105", 230 | "tactic": "command-and-control", 231 | "color": "#31a354", 232 | "comment": "", 233 | "enabled": true 234 | }, 235 | { 236 | "techniqueID": "T1105", 237 | "tactic": "lateral-movement", 238 | "color": "#31a354", 239 | "comment": "", 240 | "enabled": true 241 | }, 242 | { 243 | "techniqueID": "T1021", 244 | "tactic": "lateral-movement", 245 | "color": "#31a354", 246 | "comment": "", 247 | "enabled": true 248 | }, 249 | { 250 | "techniqueID": "T1018", 251 | "tactic": "discovery", 252 | "color": "#31a354", 253 | "comment": "", 254 | "enabled": true 255 | }, 256 | { 257 | "techniqueID": "T1166", 258 | "tactic": "privilege-escalation", 259 | "color": "#31a354", 260 | "comment": "", 261 | "enabled": true 262 | }, 263 | { 264 | "techniqueID": "T1166", 265 | "tactic": "persistence", 266 | "color": "#31a354", 267 | "comment": "", 268 | "enabled": true 269 | 
}, 270 | { 271 | "techniqueID": "T1071", 272 | "tactic": "command-and-control", 273 | "color": "#31a354", 274 | "comment": "", 275 | "enabled": true 276 | }, 277 | { 278 | "techniqueID": "T1095", 279 | "tactic": "command-and-control", 280 | "color": "#31a354", 281 | "comment": "", 282 | "enabled": true 283 | }, 284 | { 285 | "techniqueID": "T1169", 286 | "tactic": "privilege-escalation", 287 | "color": "#31a354", 288 | "comment": "", 289 | "enabled": true 290 | }, 291 | { 292 | "techniqueID": "T1082", 293 | "tactic": "discovery", 294 | "color": "#31a354", 295 | "comment": "", 296 | "enabled": true 297 | }, 298 | { 299 | "techniqueID": "T1016", 300 | "tactic": "discovery", 301 | "color": "#31a354", 302 | "comment": "", 303 | "enabled": true 304 | }, 305 | { 306 | "techniqueID": "T1049", 307 | "tactic": "discovery", 308 | "color": "#31a354", 309 | "comment": "", 310 | "enabled": true 311 | }, 312 | { 313 | "techniqueID": "T1033", 314 | "tactic": "discovery", 315 | "color": "#31a354", 316 | "comment": "", 317 | "enabled": true 318 | }, 319 | { 320 | "techniqueID": "T1072", 321 | "tactic": "execution", 322 | "color": "#31a354", 323 | "comment": "", 324 | "enabled": true 325 | }, 326 | { 327 | "techniqueID": "T1072", 328 | "tactic": "lateral-movement", 329 | "color": "#31a354", 330 | "comment": "", 331 | "enabled": true 332 | }, 333 | { 334 | "techniqueID": "T1099", 335 | "tactic": "defense-evasion", 336 | "color": "#31a354", 337 | "comment": "", 338 | "enabled": true 339 | }, 340 | { 341 | "techniqueID": "T1065", 342 | "tactic": "command-and-control", 343 | "color": "#31a354", 344 | "comment": "", 345 | "enabled": true 346 | }, 347 | { 348 | "techniqueID": "T1204", 349 | "tactic": "execution", 350 | "color": "#31a354", 351 | "comment": "", 352 | "enabled": true 353 | }, 354 | { 355 | "techniqueID": "T1078", 356 | "tactic": "defense-evasion", 357 | "color": "#31a354", 358 | "comment": "", 359 | "enabled": true 360 | }, 361 | { 362 | "techniqueID": "T1078", 363 | 
"tactic": "persistence", 364 | "color": "#31a354", 365 | "comment": "", 366 | "enabled": true 367 | }, 368 | { 369 | "techniqueID": "T1078", 370 | "tactic": "privilege-escalation", 371 | "color": "#31a354", 372 | "comment": "", 373 | "enabled": true 374 | }, 375 | { 376 | "techniqueID": "T1078", 377 | "tactic": "initial-access", 378 | "color": "#31a354", 379 | "comment": "", 380 | "enabled": true 381 | } 382 | ], 383 | "gradient": { 384 | "colors": [ 385 | "#ff6666", 386 | "#ffe766", 387 | "#8ec843" 388 | ], 389 | "minValue": 0, 390 | "maxValue": 100 391 | }, 392 | "legendItems": [], 393 | "showTacticRowBackground": false, 394 | "tacticRowBackground": "#dddddd", 395 | "selectTechniquesAcrossTactics": true 396 | } --------------------------------------------------------------------------------