Loading…

IT Security Blog

Click the button below to start exploring my website
Start exploring

Developing a Security Use Case with Sigma and Atomic Red Team

In this blog post, we will develop a Security Use Case with the generic signature description language Sigma and test it with Atomic Threats.

Sigma is a generic signature format supporting multiple SIEM solutions and therefore make it sharable with the IT Security community. Furthermore, vendor lock-in is avoided using Sigma. A tutorial “How to write a Sigma Rule” can be find here.

Every Security Use Case needs to be tested properly. For this reason, the Atomic Red Team repository of Red Canary is used. Red Canary introduced Atomic Tests, which are small windows, linux or mac commands. Atomic Tests are categorized based on the Mitre ATT&CK Matrix, which we also use to categorize our Security Use Case.

Preparation for Development of Security Use Case

We want to develop a Security Use Case, which detects clearing the command history (Mitre ID T1146). We will focus on the Linux operating system. There exists multiple ways of clearing the command history:

  • rm ~/.bash_history
  • echo “” > ~/.bash_history
  • cat /dev/null > ~/.bash_history
  • ln -sf /dev/null ~/.bash_history
  • truncate -s0 ~/.bash_history
  • unset HISTFILE
  • export HISTFILESIZE=0
  • history -c

We can see that these are all bash commands, which means that we need the executed bash commands as log source in our SIEM solution.

Development of Security Use Case

In the next step, we develop the Use Case in Sigma signature format:

title: Clear Command History
description: Clear command history in linux which is used for defense evasion. 
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
    - https://attack.mitre.org/techniques/T1146/
author: Patrick Bareiss
date: 2019/03/24
logsource:
    product: linux
detection:
    keywords:
        - 'rm *bash_history'
        - 'echo "" > *bash_history'
        - 'cat /dev/null > *bash_history' 
        - 'ln -sf /dev/null *bash_history'
        - 'truncate -s0 *bash_history'
        - 'unset HISTFILE'
        - 'export HISTFILESIZE=0'
        - 'history -c'
    condition: keywords
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1146

The Security Use Case detects multiple ways of clearing the command history for an user. The different ways are connected with an OR, which means the Security Use Case will trigger when it detects one of the multiple ways of doing it: ‘rm *bash_history’ OR ‘echo “” > *bash_history’ OR …

In the next step, we will test the Security Use Case. Every possible way needs to be tested. I will focus my testing on the command ‘rm *bash_history’ in this blog post. The other commands needs to be tested with the same steps.

Testing of Security Use Case

I have a linux testing machine containing a Splunk Universal Forwarder sending all executed commands to my Splunk Indexer. The configuration of monitoring bash commands with Splunk is described in this blog post:

http://www.patrick-bareiss.com/monitor-bash-commands-on-centos-with-splunk/

I will use the Atomic Tests of Red Canary to test the new developed Security Use Case. As already described, the Mitre ATT&CK Technique is the T1146 – Clear Command History. An extract of the Atomic Test can be seen here:

---
attack_technique: T1146
display_name: Clear Command History

atomic_tests:
- name: Clear Bash history (rm)
  description: |
    Clears bash history via rm
  supported_platforms:
    - linux
    - macos
  executor:
    name: sh
    command: |
      rm ~/.bash_history
...

I will perform the test manually by running the following command on the linux testing machine:

rm ~/.bash_history

Subsequently, I will translate the Sigma Use Case to a Splunk Search with the command:

sigmac lnx_shell_clear_cmd_history.yml -t splunk

We get the following Splunk search:

("rm *bash_history" OR "echo \"\" > *bash_history" OR "cat /dev/null > *bash_history" OR "ln -sf /dev/null *bash_history" OR "truncate -s0 *bash_history" OR "unset HISTFILE" OR "export HISTFILESIZE=0" OR "history -c")

Then, I run the command in Splunk and was able to verify that the Security Use Case is working as expected:

Thank you for reading. I hope in the future many companies share their Security Use Case with the IT Security community to improve the overall security capabilities of detecting adversaries.