linux_persistence_and_privilege_escalation_risk_behavior.yml
name: Linux Persistence and Privilege Escalation Risk Behavior
id: ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1
version: 3
date: '2022-08-30'
author: Michael Haag, Splunk
status: production
type: Correlation
description: The following correlation is specific to Linux persistence and privilege
  escalation tactics and is tied to two analytic stories and any Linux analytic tied
  to persistence and privilege escalation. Privilege escalation techniques often overlap
  with persistence techniques, as the OS features that let an adversary persist can
  also execute in an elevated context.
data_source: []
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
  as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score)
  as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as
  annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id)
  as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id)
  as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id)
  as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source,
  dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories
  IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*")
  All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation")
  All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type
  All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)`
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where
  source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`'
how_to_implement: Ensure Linux anomaly and TTP analytics are enabled. TTP analytics
  may be configured to create notables for point detections; anomaly analytics should
  not create notables but should act as risk generators. The correlation requires a
  threshold number of distinct detection names (source_count) to have fired against a
  host before it generates a notable. Modify the value as needed. The default value is
  set to 4. This value may need to be increased based on activity in your environment.
known_false_positives: False positives will be present based on many factors. Tune
  the correlation as needed to reduce excessive triggering.
references:
- https://attack.mitre.org/tactics/TA0004/
tags:
  analytic_story:
  - Linux Privilege Escalation
  - Linux Persistence Techniques
  asset_type: Endpoint
  confidence: 80
  impact: 70
  message: Privilege escalation and persistence behaviors have been identified on
    $risk_object$.
  mitre_attack_id:
  - T1548
  observable:
  - name: risk_object
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - All_Risk.analyticstories
  - All_Risk.risk_object_type
  - All_Risk.risk_object
  - All_Risk.annotations.mitre_attack.mitre_tactic
  - source
  risk_score: 56
  security_domain: audit
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/linux_risk/linuxrisk.log
    source: linuxrisk
    sourcetype: stash
    update_timestamp: true
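To make the search's filter, grouping and `source_count >= 4` threshold concrete, here is an added Python model of the correlation (not Splunk's code and not part of this content file) run over constructed risk events shaped like rows of the Risk.All_Risk data model; the hostnames, detection names and scores are hypothetical. It shows why the threshold counts distinct detections per host and tactic, why out-of-scope events (a Windows analytic, a user risk object) do not contribute, and how lowering `min_sources` changes what fires.

```python
# Added example: a model of the correlation's where clause, tstats grouping and
# source_count threshold. Event shapes and values below are constructed.
from collections import defaultdict

LINUX_STORIES = {"Linux Privilege Escalation", "Linux Persistence Techniques"}
TACTICS = {"persistence", "privilege-escalation"}

def in_scope(ev):
    """Mirror the where clause: Linux story or '*Linux*' source, right tactic, system object."""
    story_match = bool(set(ev["analyticstories"]) & LINUX_STORIES)
    source_match = "linux" in ev["source"].lower()   # approximates source = "*Linux*"
    return ((story_match or source_match) and ev["mitre_tactic"] in TACTICS
            and ev["risk_object_type"] == "system")

def correlate(events, min_sources=4):
    """Aggregate like the tstats: one row per (risk_object, tactic), kept only
    when at least min_sources distinct detection names contributed to it."""
    rows = defaultdict(lambda: {"firstTime": None, "lastTime": None, "risk_score": 0,
                                "risk_event_count": 0, "tactic_ids": set(),
                                "technique_ids": set(), "sources": set()})
    for ev in filter(in_scope, events):
        r = rows[(ev["risk_object"], ev["mitre_tactic"])]
        t = ev["_time"]
        r["firstTime"] = t if r["firstTime"] is None else min(r["firstTime"], t)
        r["lastTime"] = t if r["lastTime"] is None else max(r["lastTime"], t)
        r["risk_score"] += ev["calculated_risk_score"]      # sum(calculated_risk_score)
        r["risk_event_count"] += 1                          # count(calculated_risk_score)
        r["tactic_ids"].add(ev["mitre_tactic_id"])          # values()/dc() of tactic ids
        r["technique_ids"].add(ev["mitre_technique_id"])    # values()/dc() of technique ids
        r["sources"].add(ev["source"])                      # values(source)/dc(source)
    return {k: r for k, r in rows.items() if len(r["sources"]) >= min_sources}

def ev(t, host, source, tactic, tactic_id, technique, score,
       story="Linux Persistence Techniques", obj_type="system"):
    """Build one constructed risk event carrying the fields the search reads."""
    return {"_time": t, "risk_object": host, "risk_object_type": obj_type,
            "analyticstories": [story], "mitre_tactic": tactic,
            "mitre_tactic_id": tactic_id, "mitre_technique_id": technique,
            "source": source, "calculated_risk_score": score}

PE = ("privilege-escalation", "TA0004")
SAMPLE_EVENTS = [  # constructed; detection names are placeholders, not real analytics
    ev(100, "web01", "Linux Crontab File Written (sample)", "persistence", "TA0003", "T1053.003", 25),
    ev(110, "web01", "Linux Systemd Service Created (sample)", "persistence", "TA0003", "T1543.002", 35),
    ev(120, "web01", "Linux Cron Table Edited (sample)", "persistence", "TA0003", "T1053.003", 25),
    ev(130, "web01", "Linux Profile Config Appended (sample)", "persistence", "TA0003", "T1546.004", 30),
    ev(140, "web01", "Linux Setuid Via Chmod (sample)", *PE, "T1548.001", 40, story="Linux Privilege Escalation"),
    ev(200, "db02", "Linux Setuid Via Chmod (sample)", *PE, "T1548.001", 40, story="Linux Privilege Escalation"),
    ev(210, "db02", "Linux Sudoers Tmp File (sample)", *PE, "T1548.003", 40, story="Linux Privilege Escalation"),
    ev(300, "web01", "Windows Scheduled Task (sample)", "persistence", "TA0003", "T1053.005", 60, story="Windows Persistence Techniques"),
    ev(310, "alice", "Linux Setuid Via Chmod (sample)", *PE, "T1548.001", 40, obj_type="user"),
]
```

With the default threshold only web01's persistence row fires (four distinct detections); db02 only appears once `min_sources` is lowered to 2, which is the tuning trade-off the how_to_implement note describes.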