Develop Sigma rules for Atomic Red Team test (Linux) #1011

Closed
yugoslavskiy opened this issue Sep 14, 2020 · 12 comments
Comments

@yugoslavskiy (Contributor)

yugoslavskiy commented Sep 14, 2020

  • Subject: Atomic Red Team project
  • Author: @redcanaryco
  • Type: threat simulation tests
  • Requirements: Create one Pull Request per Sigma rule
  • Pro tip: Consider developing Sigma rules for both Linux and macOS tests concurrently. There are lots of intersections, and you can kill two birds with one stone.

Please comment on the issue with the task number you are going to work on, so that others will not overlap with you.

| Task # | ATT&CK Technique name/link | ART test link | Comment |
|---|---|---|---|
| 1 | T1014: Rootkit | link | this task could take a huge amount of time to solve |
| 2 | T1016: System Network Configuration Discovery | link | |
| 3 | T1018: Remote System Discovery | link | |
| 4 | T1027: Obfuscated Files or Information | link | |
| 5 | T1027.001: Binary Padding | link | |
| 6 | T1030: Data Transfer Size Limits | link | |
| 7 | T1046: Network Service Scanning | link | |
| 8 | T1049: System Network Connections Discovery | link | |
| 9 | T1053.001: At (Linux) | link | |
| 10 | T1053.003: Cron | link | |
| 11 | T1057: Process Discovery | link | |
| 12 | T1069.001: Local Groups | link | |
| 13 | T1070.002: Clear Linux or Mac System Logs | link | |
| 14 | T1070.004: File Deletion | link | |
| 15 | T1070.006: Timestomp | link | |
| 16 | T1071.001: Web Protocols | link | |
| 17 | T1082: System Information Discovery | link | |
| 18 | T1083: File and Directory Discovery | link | |
| 19 | T1087.001: Local Account | link | |
| 20 | T1090.001: Internal Proxy | link | |
| 21 | T1113: Screen Capture | link | |
| 22 | T1135: Network Share Discovery | link | |
| 23 | T1176: Browser Extensions | link | |
| 24 | T1201: Password Policy Discovery | link | |
| 25 | T1217: Browser Bookmark Discovery | link | |
| 26 | T1518.001: Security Software Discovery | link | |
| 27 | T1529: System Shutdown/Reboot | link | |
| 28 | T1546.005: Trap | link | |
| 29 | T1547.006: Kernel Modules and Extensions | link | this task could take a huge amount of time to solve |
| 30 | T1548.001: Setuid and Setgid | link | |
| 31 | T1548.003: Sudo and Sudo Caching | link | |
| 32 | T1552.001: Credentials In Files | link | |
| 33 | T1552.003: Bash History | link | |
| 34 | T1552.004: Private Keys | link | |
| 35 | T1553.004: Install Root Certificate | link | |
| 36 | T1562.001: Disable or Modify Tools | link | this task could take a huge amount of time to solve |
| 37 | T1562.003: HISTCONTROL | link | |
| 38 | T1562.004: Disable or Modify System Firewall | link | |
| 39 | T1564.001: Hidden Files and Directories | link | |
@omergunal (Contributor)

omergunal commented Oct 5, 2020

I will work on these: 9, 11, 13, 14, 35, 16, 17, 24

T1548.001: Setuid and Setgid:
https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_setgid_setuid.yml

Task 20:
https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_proxy_connection.yml

@alejandroortuno (Contributor)

Taking task 10: T1053.003: Cron

@alejandroortuno (Contributor)

Taking:

19 T1087.001: Local Account
12 T1069.001: Local Groups

@weslambert (Contributor)

I can take 7, 22

@alejandroortuno (Contributor)

Taking

38 T1562.004: Disable or Modify System Firewall
3 T1018: Remote System Discovery

@fitsigor

Taking:
5. T1027.001: Binary Padding
6. T1030: Data Transfer Size Limits
7. T1046: Network Service Scanning
15. T1070.006: Timestomp
27. T1529: System Shutdown/Reboot
32. T1552.001: Credentials In Files

@weslambert (Contributor)

@fitsigor I'm already working on 7 😄

@fitsigor

> @fitsigor I'm already working on 7 😄

OK, I didn't notice.

@alx1m1k (Contributor)

alx1m1k commented Oct 16, 2020

Taking
33 T1552.003: Bash History

@alejandroortuno (Contributor)

@fitsigor I took T1046 Network Service Scanning on macOS, but I see you have it on Linux. As the rules should be the same, let me know if you want to also take the macOS one.

@yugoslavskiy (Contributor, Author)

yugoslavskiy commented Oct 19, 2020

I'll work out:

  • 4: T1027: Obfuscated Files or Information
  • 8: T1049: System Network Connections Discovery
  • 18: T1083: File and Directory Discovery
  • 26: T1518.001: Security Software Discovery

yugoslavskiy added a commit to oscd-initiative/sigma that referenced this issue Oct 19, 2020
yugoslavskiy added a commit to oscd-initiative/sigma that referenced this issue Oct 20, 2020
@alejandroortuno (Contributor)

@fitsigor Done T1046 Network Service Scanning for Linux, as it seems the same as for macOS:

#1257

@yugoslavskiy yugoslavskiy changed the title [OSCD Initiative] Develop Sigma rules for Atomic Red Team test (Linux) Develop Sigma rules for Atomic Red Team test (Linux) Sep 4, 2021
@frack113 frack113 added the Rules label Dec 19, 2022
@nasbench nasbench closed this as not planned Won't fix, can't repro, duplicate, stale Jun 2, 2023