Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1059.004 | Unix Shell |
Comments
This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1098 | Account Manipulation |
Comments
This control provides partial detection for only one of this technique's sub-techniques and does not cover most of its procedure examples, resulting in a score of Minimal.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1098.004 | SSH Authorized Keys |
Comments
This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
This control is only relevant for Linux endpoint machines and the only sub-technique relevant for Linux is Kernel Modules and Extensions.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1547.006 | Kernel Modules and Extensions |
Comments
This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1136 | Create Account |
Comments
This control is only relevant for Linux endpoints, and it provides partial coverage for the only sub-technique relevant on Linux endpoints, Local Account.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1136.001 | Local Account |
Comments
This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1505 | Server Software Component |
Comments
This control provides coverage for the only sub-technique this control is relevant for, Web Shell, but that coverage is Minimal.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1505.003 | Web Shell |
Comments
This control may alert on usage of web shells. No documentation is provided on logic for this detection.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1564 | Hide Artifacts |
Comments
This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1564.001 | Hidden Files and Directories |
Comments
This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1564.006 | Run Virtual Instance |
Comments
This control may alert on containers using privileged commands, running SSH servers, or running mining software.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1562 | Impair Defenses |
Comments
This control only provides coverage for a miniority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1562.004 | Disable or Modify System Firewall |
Comments
This control may alert on manipulation of the on-host firewall. Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1562.006 | Indicator Blocking |
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1070 | Indicator Removal on Host |
Comments
This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1070.002 | Clear Linux or Mac System Logs |
Comments
This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1070.003 | Clear Command History |
Comments
This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control only provides detection coverage for the Compile After Delivery sub-technique while not providing detection for all other sub-techniques relevant to the Linux platform or most of its procedure examples. As a result of this minimal coverage, the overall score is assessed as Minimal.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1027.004 | Compile After Delivery |
Comments
This control may alert on suspicious compilation. No documentation is provided on the logic for determining a suspicious compilation event.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1110 | Brute Force |
Comments
This control provides partial coverage for most of this technique's sub-techniques and procedures.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1110.001 | Password Guessing |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1110.003 | Password Spraying |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1110.004 | Credential Stuffing |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1003 | OS Credential Dumping |
Comments
This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1003.008 | /etc/passwd and /etc/shadow |
Comments
This control may alert on suspicious access to encrypted user passwords. The documentation does not reference "/etc/passwd" and "/etc/shadow" directly nor does it describe the logic in determining suspicious access.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | minimal | T1021 | Remote Services |
Comments
This control is only relevant for Linux environments. Among the sub-techinques that are relevant for Linux, this control may only alert on SSH.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1021.004 | SSH |
Comments
This control may alerts on SSH brute force attempts, addition of new SSH keys, and usage of a SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1525 | Implant Container Image |
Comments
This control may alert on suspicious container images running mining software or SSH servers. Privileged Docker containers and privileged commands running within containers may also be detected. These alerts are only generated on containers in Linux endpoint machines and not for containers running from Azure Docker deployment.
References
|
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | detect | partial | T1113 | Screen Capture |
Comments
This control may alert on usage of a screenshot tool. Documentation is not provided on the logic for determining a screenshot tool.
References
|