Try in Splunk Security Cloud

Description

The following correlation is specific to Linux persistence and privilege escalation tactics and is tied to two analytic stories and any Linux analytic tied to persistence and privilege escalation. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

  • Type: Correlation
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Risk
  • Last Updated: 2022-07-20
  • Author: Michael Haag, Splunk
  • ID: ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1548 Abuse Elevation Control Mechanism Privilege Escalation, Defense Evasion
Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 3
  • CIS 5
  • CIS 16
CVE
1
2
3
4
5
6
7
8
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.annotations.mitre_attack.mitre_tactic source All_Risk.description 
| `drop_dm_object_name(All_Risk)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| stats values(source) as detection_name values(annotations.mitre_attack.mitre_tactic) as tactics values(firstTime) as firstTime values(lastTime) as lastTime dc(annotations.mitre_attack.mitre_tactic) as distinct_tactics dc(source) as distinct_detection_name by risk_object 
| where distinct_detection_name >= 4 
| `linux_persistence_and_privilege_escalation_risk_behavior_filter`

Macros

The SPL above uses the following Macros:

:information_source: linux_persistence_and_privilege_escalation_risk_behavior_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • All_Risk.analyticstories
  • All_Risk.risk_object_type
  • All_Risk.risk_object
  • All_Risk.annotations.mitre_attack.mitre_tactic
  • source

How To Implement

Ensure Linux anomaly and TTP analytics are enabled. TTP may be set to Notables for point detections, anomaly should not be notables but risk generators. The correlation relies on more than x amount of distict detection names generated before generating a notable. Modify the value as needed. Default value is set to 4. This value may need to be increased based on activity in your environment.

Known False Positives

False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
56.0 70 80 Privilege escalation and persistence behaviors have been identified on $risk_object$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1