Detection: Linux Persistence and Privilege Escalation Risk Behavior

Description

The following analytic identifies potential Linux persistence and privilege escalation activities. It leverages risk scores and event counts from various Linux-related data sources, focusing on tactics associated with persistence and privilege escalation. This activity is significant for a SOC because it highlights behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system. If confirmed malicious, this activity could enable an attacker to execute code with higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk.

1
2| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic 
3| `drop_dm_object_name(All_Risk)` 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| where source_count >= 4 
7| `linux_persistence_and_privilege_escalation_risk_behavior_filter`

Data Source

Name Platform Sourcetype Source Supported App
N/A N/A N/A N/A N/A

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
linux_persistence_and_privilege_escalation_risk_behavior_filter search *
linux_persistence_and_privilege_escalation_risk_behavior_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1548 Abuse Elevation Control Mechanism Defense Evasion
KillChainPhase.EXPLOITAITON
NistCategory.DE_AE
Cis18Value.CIS_10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event False
This configuration file applies to all detections of type Correlation. These correlations will generate Notable Events.

Implementation

Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment.

Known False Positives

False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
Privilege escalation and persistence behaviors have been identified on $risk_object$. 56 70 80
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset linuxrisk stash
Integration ✅ Passing Dataset linuxrisk stash

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 4