| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1021 | Remote Services |
Comments
This control is only relevant for Linux environments. Among the sub-techinques that are relevant for Linux, this control may only alert on SSH.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control only provides detection coverage for the Compile After Delivery sub-technique while not providing detection for all other sub-techniques relevant to the Linux platform or most of its procedure examples. As a result of this minimal coverage, the overall score is assessed as Minimal.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1027.004 | Compile After Delivery |
Comments
This control may alert on suspicious compilation. No documentation is provided on the logic for determining a suspicious compilation event.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1098 | Account Manipulation |
Comments
This control provides partial detection for only one of this technique's sub-techniques and does not cover most of its procedure examples, resulting in a score of Minimal.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1136 | Create Account |
Comments
This control is only relevant for Linux endpoints, and it provides partial coverage for the only sub-technique relevant on Linux endpoints, Local Account.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1505 | Server Software Component |
Comments
This control provides coverage for the only sub-technique this control is relevant for, Web Shell, but that coverage is Minimal.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1505.003 | Web Shell |
Comments
This control may alert on usage of web shells. No documentation is provided on logic for this detection.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
This control is only relevant for Linux endpoint machines and the only sub-technique relevant for Linux is Kernel Modules and Extensions.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1562 | Impair Defenses |
Comments
This control only provides coverage for a miniority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1562.006 | Indicator Blocking |
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1564 | Hide Artifacts |
Comments
This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1564.001 | Hidden Files and Directories |
Comments
This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1003 | OS Credential Dumping |
Comments
This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1003.008 | /etc/passwd and /etc/shadow |
Comments
This control may alert on suspicious access to encrypted user passwords. The documentation does not reference "/etc/passwd" and "/etc/shadow" directly nor does it describe the logic in determining suspicious access.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1021.004 | SSH |
Comments
This control may alerts on SSH brute force attempts, addition of new SSH keys, and usage of a SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1021.007 | Cloud Services |
Comments
This control can detect abuse of remote services.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1021.008 | Direct Cloud VM Connections |
Comments
This control can detect direct cloud VM connections.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.008 | Stripped Payloads |
Comments
This control can detect stripped payloads.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.009 | Embedded Payloads |
Comments
This control can detect embedded payloads.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.010 | Command Obfuscation |
Comments
This control can detect command obsfucation attacks.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.013 | Encrypted/Encoded File |
Comments
This control can detect obsfucation via encrypted/encoded files.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.014 | Polymorphic Code |
Comments
This control can detect obsfucation via polymorphic code.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1036.008 | Masquerade File Type |
Comments
This control can detect if files are created or edited where the header and extension do not match.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1059.004 | Unix Shell |
Comments
This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1070 | Indicator Removal |
Comments
This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1070.002 | Clear Linux or Mac System Logs |
Comments
This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1070.003 | Clear Command History |
Comments
This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1098.004 | SSH Authorized Keys |
Comments
This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110 | Brute Force |
Comments
This control provides partial coverage for most of this technique's sub-techniques and procedures.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110.001 | Password Guessing |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110.003 | Password Spraying |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110.004 | Credential Stuffing |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1113 | Screen Capture |
Comments
This control may alert on usage of a screenshot tool. Documentation is not provided on the logic for determining a screenshot tool.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1136.001 | Local Account |
Comments
This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1525 | Implant Internal Image |
Comments
This control may alert on suspicious container images running mining software or SSH servers. Privileged Docker containers and privileged commands running within containers may also be detected. These alerts are only generated on containers in Linux endpoint machines and not for containers running from Azure Docker deployment.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1547.006 | Kernel Modules and Extensions |
Comments
This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1547.013 | XDG Autostart Entries |
Comments
This control can detect command execution associated with xdg modification.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1555.002 | Securityd Memory |
Comments
This control can detect command execution associated with this technique.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1555.003 | Credentials from Web Browsers |
Comments
This control can detect command execution associated with this technique.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1555.005 | Password Managers |
Comments
This control can detect command execution associated with this technique.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1562.004 | Disable or Modify System Firewall |
Comments
This control may alert on manipulation of the on-host firewall. Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1562.012 | Disable or Modify Linux Audit System |
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1564.006 | Run Virtual Instance |
Comments
This control may alert on containers using privileged commands, running SSH servers, or running mining software.
References
|