In this blog post, we will develop a Security Use Case with the generic signature description language Sigma and test it with Atomic Threats.
Sigma is a generic signature format supporting multiple SIEM solutions and therefore make it sharable with the IT Security community. Furthermore, vendor lock-in is avoided using Sigma. A tutorial “How to write a Sigma Rule” can be find here.
Every Security Use Case needs to be tested properly. For this reason, the Atomic Red Team repository of Red Canary is used. Red Canary introduced Atomic Tests, which are small windows, linux or mac commands. Atomic Tests are categorized based on the Mitre ATT&CK Matrix, which we also use to categorize our Security Use Case.
Preparation for Development of Security Use Case
We want to develop a Security Use Case, which detects clearing the command history (Mitre ID T1146). We will focus on the Linux operating system. There exists multiple ways of clearing the command history:
- rm ~/.bash_history
- echo “” > ~/.bash_history
- cat /dev/null > ~/.bash_history
- ln -sf /dev/null ~/.bash_history
- truncate -s0 ~/.bash_history
- unset HISTFILE
- export HISTFILESIZE=0
- history -c
We can see that these are all bash commands, which means that we need the executed bash commands as log source in our SIEM solution.
Development of Security Use Case
In the next step, we develop the Use Case in Sigma signature format:
title: Clear Command History description: Clear command history in linux which is used for defense evasion. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml - https://attack.mitre.org/techniques/T1146/ author: Patrick Bareiss date: 2019/03/24 logsource: product: linux detection: keywords: - 'rm *bash_history' - 'echo "" > *bash_history' - 'cat /dev/null > *bash_history' - 'ln -sf /dev/null *bash_history' - 'truncate -s0 *bash_history' - 'unset HISTFILE' - 'export HISTFILESIZE=0' - 'history -c' condition: keywords falsepositives: - Unknown level: high tags: - attack.defense_evasion - attack.t1146
The Security Use Case detects multiple ways of clearing the command history for an user. The different ways are connected with an OR, which means the Security Use Case will trigger when it detects one of the multiple ways of doing it: ‘rm *bash_history’ OR ‘echo “” > *bash_history’ OR …
In the next step, we will test the Security Use Case. Every possible way needs to be tested. I will focus my testing on the command ‘rm *bash_history’ in this blog post. The other commands needs to be tested with the same steps.
Testing of Security Use Case
I have a linux testing machine containing a Splunk Universal Forwarder sending all executed commands to my Splunk Indexer. The configuration of monitoring bash commands with Splunk is described in this blog post:
I will use the Atomic Tests of Red Canary to test the new developed Security Use Case. As already described, the Mitre ATT&CK Technique is the T1146 – Clear Command History. An extract of the Atomic Test can be seen here:
--- attack_technique: T1146 display_name: Clear Command History atomic_tests: - name: Clear Bash history (rm) description: | Clears bash history via rm supported_platforms: - linux - macos executor: name: sh command: | rm ~/.bash_history ...
I will perform the test manually by running the following command on the linux testing machine:
Subsequently, I will translate the Sigma Use Case to a Splunk Search with the command:
sigmac lnx_shell_clear_cmd_history.yml -t splunk
We get the following Splunk search:
("rm *bash_history" OR "echo \"\" > *bash_history" OR "cat /dev/null > *bash_history" OR "ln -sf /dev/null *bash_history" OR "truncate -s0 *bash_history" OR "unset HISTFILE" OR "export HISTFILESIZE=0" OR "history -c")
Then, I run the command in Splunk and was able to verify that the Security Use Case is working as expected:
Thank you for reading. I hope in the future many companies share their Security Use Case with the IT Security community to improve the overall security capabilities of detecting adversaries.