docs/validation-matrix.md · Purple Team Lab

26 lines · markdown

# Validation matrix
 
Each technique was executed on the `purple-target` endpoint and confirmed in the Wazuh
SIEM. Result column reflects an actual run (see the screenshot in the README).
 
| # | Technique | ATT&CK | Atomic action | Telemetry | Detection rule | Level | Detected |
|---|-----------|--------|---------------|-----------|----------------|-------|----------|
| 1 | Brute Force | T1110 | 18 invalid SSH logins from one source | sshd auth log | `5712` (built-in) | 10 | yes |
| 2 | Scheduled Task / Cron | T1053.003 | write job to `/etc/cron.d/` | FIM (real-time) | `100410` (custom) | 10 | yes |
| 3 | Systemd Service | T1543.002 | create unit in `/etc/systemd/system/` | FIM (real-time) | `100411` (custom) | 10 | yes |
| 4 | SSH Authorized Keys | T1098.004 | append key to `~/.ssh/authorized_keys` | FIM (real-time) | `100412` (custom) | 12 | yes |
| 5 | Create/Modify System Process | T1543 | drop binary in `/usr/local/bin/` | FIM (real-time) | `100413` (custom) | 10 | yes |
| 6 | Valid Accounts / Sudo | T1078 / T1548.003 | login + sudo to root | sshd/PAM auth log | `5501` / `5402` (built-in) | 3 | yes (baseline) |
 
## Notes
 
- **Severity is intentional.** The persistence detections are level 10-12 (would alert),
  while the login/sudo baseline events are level 3 (context, not pages). A detection that
  fires at the wrong severity is as useless as one that doesn't fire.
- **Coverage gap, honestly noted:** execve-based detections (e.g. reverse-shell command
  lines, T1059.004) need host syscall auditing, which the target's kernel didn't provide.
  On a host with working auditd, the rules in `agent/auditd-purple.rules` cover that path;
  the FIM-based persistence detections above are independent of it.
- **Promotion:** detections validated here are written once in Sigma in the
  [detection-as-code](https://github.com/zionboggan/detection-as-code) repo and compiled
  to each SIEM; the Wazuh-native versions live here.

1	# Validation matrix
2
3	Each technique was executed on the `purple-target` endpoint and confirmed in the Wazuh
4	SIEM. Result column reflects an actual run (see the screenshot in the README).
5
6	\| # \| Technique \| ATT&CK \| Atomic action \| Telemetry \| Detection rule \| Level \| Detected \|
7	\|---\|-----------\|--------\|---------------\|-----------\|----------------\|-------\|----------\|
8	\| 1 \| Brute Force \| T1110 \| 18 invalid SSH logins from one source \| sshd auth log \| `5712` (built-in) \| 10 \| yes \|
9	\| 2 \| Scheduled Task / Cron \| T1053.003 \| write job to `/etc/cron.d/` \| FIM (real-time) \| `100410` (custom) \| 10 \| yes \|
10	\| 3 \| Systemd Service \| T1543.002 \| create unit in `/etc/systemd/system/` \| FIM (real-time) \| `100411` (custom) \| 10 \| yes \|
11	\| 4 \| SSH Authorized Keys \| T1098.004 \| append key to `~/.ssh/authorized_keys` \| FIM (real-time) \| `100412` (custom) \| 12 \| yes \|
12	\| 5 \| Create/Modify System Process \| T1543 \| drop binary in `/usr/local/bin/` \| FIM (real-time) \| `100413` (custom) \| 10 \| yes \|
13	\| 6 \| Valid Accounts / Sudo \| T1078 / T1548.003 \| login + sudo to root \| sshd/PAM auth log \| `5501` / `5402` (built-in) \| 3 \| yes (baseline) \|
14
15	## Notes
16
17	- Severity is intentional. The persistence detections are level 10-12 (would alert),
18	while the login/sudo baseline events are level 3 (context, not pages). A detection that
19	fires at the wrong severity is as useless as one that doesn't fire.
20	- Coverage gap, honestly noted: execve-based detections (e.g. reverse-shell command
21	lines, T1059.004) need host syscall auditing, which the target's kernel didn't provide.
22	On a host with working auditd, the rules in `agent/auditd-purple.rules` cover that path;
23	the FIM-based persistence detections above are independent of it.
24	- Promotion: detections validated here are written once in Sigma in the
25	[detection-as-code](https://github.com/zionboggan/detection-as-code) repo and compiled
26	to each SIEM; the Wazuh-native versions live here.