643234c · Purple Team Lab

custom FIM detections + atomic test set + auditd ruleset

643234c Zion Boggan committed on May 29, 2026 (3 weeks ago)

.gitignore +3 -0

agent/auditd-purple.rules +9 -0

		@@ -0,0 +1,9 @@
	+	-D
	+	-b 8192
	+	-a always,exit -F arch=b64 -S execve -S execveat -k exec
	+	-a always,exit -F arch=b32 -S execve -S execveat -k exec
	+	-w /etc/shadow -p r -k cred_access
	+	-w /etc/passwd -p wa -k passwd_change
	+	-w /etc/sudoers -p wa -k sudoers_change
	+	-w /etc/cron.d -p wa -k cron_persist
	+	-w /etc/systemd/system -p wa -k systemd_persist

agent/fim-directories.xml +1 -0

		@@ -0,0 +1 @@
	+	<directories realtime="yes" check_all="yes" report_changes="yes">/etc/cron.d,/etc/cron.daily,/etc/systemd/system,/root/.ssh,/home/zion/.ssh,/usr/local/bin</directories>

atomics/run_atomics.sh +34 -0

		@@ -0,0 +1,34 @@
	+	#!/usr/bin/env bash
	+	set -u
	+
	+	log() { echo "[$(date +%H:%M:%S)] $*"; }
	+
	+	log "T1053.003 - scheduled task / cron persistence"
	+	echo '* * * * * root /usr/bin/id' \| sudo tee /etc/cron.d/atomic-persist >/dev/null
	+
	+	log "T1543.002 - systemd service persistence"
	+	printf '[Unit]\nDescription=atomic test\n[Service]\nExecStart=/usr/bin/id\n[Install]\nWantedBy=multi-user.target\n' \
	+	\| sudo tee /etc/systemd/system/atomic-evil.service >/dev/null
	+
	+	log "T1098.004 - SSH authorized_keys persistence"
	+	mkdir -p "$HOME/.ssh"
	+	echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtomicRedTeamTestKeyDoNotUse attacker@evil' >> "$HOME/.ssh/authorized_keys"
	+
	+	log "T1543 - tooling drop into /usr/local/bin"
	+	printf '#!/bin/bash\nid\n' \| sudo tee /usr/local/bin/definitely-not-malware >/dev/null
	+	sudo chmod +x /usr/local/bin/definitely-not-malware
	+
	+	log "T1110 - SSH brute force (18 invalid users)"
	+	for i in $(seq 1 18); do
	+	ssh -o BatchMode=yes -o ConnectTimeout=2 -o StrictHostKeyChecking=no \
	+	-o PreferredAuthentications=password -o PubkeyAuthentication=no \
	+	"evil_user_${i}@127.0.0.1" true 2>/dev/null
	+	done
	+
	+	log "done - check the Wazuh dashboard for rule.id 100410-100413 and 5712"
	+
	+	if [[ "${1:-}" == "--cleanup" ]]; then
	+	log "cleanup"
	+	sudo rm -f /etc/cron.d/atomic-persist /etc/systemd/system/atomic-evil.service /usr/local/bin/definitely-not-malware
	+	sed -i '/AtomicRedTeamTestKey/d' "$HOME/.ssh/authorized_keys" 2>/dev/null
	+	fi

rules/local_purple_rules.xml +39 -0

		@@ -0,0 +1,39 @@
	+	<group name="linux,syscheck,purple-team-fim,">
	+
	+	<rule id="100410" level="10">
	+	<if_group>syscheck</if_group>
	+	<field name="file" type="pcre2">^/etc/cron</field>
	+	<description>Cron file created or modified: $(file) - possible scheduled-task persistence</description>
	+	<mitre>
	+	<id>T1053.003</id>
	+	</mitre>
	+	</rule>
	+
	+	<rule id="100411" level="10">
	+	<if_group>syscheck</if_group>
	+	<field name="file" type="pcre2">^/etc/systemd/system/.+\.service</field>
	+	<description>Systemd unit created or modified: $(file) - possible service persistence</description>
	+	<mitre>
	+	<id>T1543.002</id>
	+	</mitre>
	+	</rule>
	+
	+	<rule id="100412" level="12">
	+	<if_group>syscheck</if_group>
	+	<field name="file" type="pcre2">\.ssh/authorized_keys$</field>
	+	<description>SSH authorized_keys modified: $(file) - possible persistence via account manipulation</description>
	+	<mitre>
	+	<id>T1098.004</id>
	+	</mitre>
	+	</rule>
	+
	+	<rule id="100413" level="10">
	+	<if_group>syscheck</if_group>
	+	<field name="file" type="pcre2">^/usr/local/bin/</field>
	+	<description>Binary placed in /usr/local/bin: $(file) - possible persistence or tooling drop</description>
	+	<mitre>
	+	<id>T1543</id>
	+	</mitre>
	+	</rule>
	+
	+	</group>