Discovery techniques are a headache when it comes to securing Linux servers. During this phase an adversary is mapping out the environment, but many of the commands involved are the same ones benign users run to learn about a system. T1082 - System Information Discovery, for example, is a commonly used technique that "cannot be easily mitigated with preventative controls since it is based on the abuse of system features", according to MITRE. So how do we detect the malicious use? The answer lies in reading the behavior in context. Instead of judging each command on its own, we can spot likely adversarial activity by looking at the string of commands run together: a sysadmin typing uname -a once during a shift is noise, while a web service account running whoami, id, uname -a and cat /etc/passwd within a few seconds of each other is a pattern worth alerting on.
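To show what "looking at the string of commands" means in practice, here is an added example that is not part of the original post: a small correlation rule that groups process executions per host, user and session, slides a time window over them, and alerts only when several distinct discovery techniques show up together. The log format, the session identifier, the command-to-technique mapping and the window and threshold values are all assumptions made for this example; the sample log is constructed.

```python
"""Correlate discovery commands per session instead of alerting on each one.

Added example, not code from the original post. The log format (one process
execution per line), the command-to-technique mapping and the tuning values
below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import shlex

# Constructed sample log. alice is an admin checking two boxes 40 minutes
# apart; www-data is a web service account enumerating the host in 30 seconds.
SAMPLE_LOG = """\
2024-03-04T09:00:05Z host=web01 user=alice sid=201 cmd="uname -a"
2024-03-04T09:00:20Z host=web01 user=alice sid=201 cmd="id"
2024-03-04T09:41:12Z host=web01 user=alice sid=201 cmd="cat /etc/os-release"
2024-03-04T10:15:00Z host=web01 user=www-data sid=777 cmd="whoami"
2024-03-04T10:15:02Z host=web01 user=www-data sid=777 cmd="id"
2024-03-04T10:15:04Z host=web01 user=www-data sid=777 cmd="uname -a"
2024-03-04T10:15:09Z host=web01 user=www-data sid=777 cmd="cat /etc/passwd"
2024-03-04T10:15:15Z host=web01 user=www-data sid=777 cmd="ss -tulpn"
2024-03-04T10:15:31Z host=web01 user=www-data sid=777 cmd="find / -perm -4000 -type f 2>/dev/null"
2024-03-04T11:02:00Z host=web01 user=bob sid=305 cmd="ps aux"
"""

# Assumed mapping of binaries to ATT&CK discovery techniques (approximate).
DISCOVERY_BINARIES = {
    "uname": "T1082", "hostnamectl": "T1082", "lscpu": "T1082",
    "whoami": "T1033", "id": "T1033", "w": "T1033", "who": "T1033",
    "ps": "T1057",
    "ss": "T1049", "netstat": "T1049",
    "ip": "T1016", "ifconfig": "T1016",
    "find": "T1083", "ls": "T1083",
    "getent": "T1087",
}
# Reading these files is discovery even though "cat" itself is not.
DISCOVERY_FILES = {
    "/etc/passwd": "T1087",
    "/etc/group": "T1069",
    "/etc/os-release": "T1082",
    "/proc/version": "T1082",
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) cmd="(?P<cmd>.*)"$'
)


def classify(cmd):
    """Return the technique ID a command line maps to, or None if it is not discovery."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    if not argv:
        return None
    binary = argv[0].rsplit("/", 1)[-1]  # /usr/bin/id -> id
    if binary in ("cat", "less", "head", "more"):
        for arg in argv[1:]:
            if arg in DISCOVERY_FILES:
                return DISCOVERY_FILES[arg]
        return None
    return DISCOVERY_BINARIES.get(binary)


def parse_line(line):
    """Parse one log line of the assumed format into a dict, or None on mismatch."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_discovery_bursts(log_text, window=timedelta(minutes=5), min_techniques=3):
    """Alert once per session when >= min_techniques distinct discovery techniques
    occur within `window`. Returns the widest qualifying burst per session."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        tech = classify(ev["cmd"])
        if tech is None:
            continue
        ev["technique"] = tech
        by_session[(ev["host"], ev["user"], ev["sid"])].append(ev)

    alerts = []
    for (host, user, sid), events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            techniques = sorted({e["technique"] for e in burst})
            if len(techniques) >= min_techniques and (
                best is None or len(burst) > len(best["commands"])
            ):
                best = {
                    "host": host, "user": user, "sid": sid,
                    "first_seen": burst[0]["ts"], "last_seen": burst[-1]["ts"],
                    "techniques": techniques,
                    "commands": [e["cmd"] for e in burst],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_LOG):
        print(f"{alert['host']} {alert['user']} sid={alert['sid']} "
              f"{alert['first_seen']:%H:%M:%S}-{alert['last_seen']:%H:%M:%S} "
              f"techniques={','.join(alert['techniques'])}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

Run against the sample, only the www-data session fires: its six commands span five techniques inside 31 seconds, while alice's uname and id count as just two techniques and her later cat /etc/os-release falls outside the window. In a real deployment the window and threshold need tuning per host role, and the account running the commands is itself context: the same burst from an interactive admin session on a jump host deserves a lower severity than from a service account that should never spawn a shell at all.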
Want to see the full Sudo Science comic? Download your copy here.