Attempt to Disable IPTables or Firewall

Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/04/24"
 3deprecation_date = "2022/07/25"
 4maturity = "deprecated"
 5updated_date = "2022/07/25"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to
11receive or send network traffic.
12"""
13from = "now-9m"
14index = ["auditbeat-*", "logs-endpoint.events.*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Attempt to Disable IPTables or Firewall"
18risk_score = 47
19rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
20severity = "medium"
21tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
22timestamp_override = "event.ingested"
23type = "query"
24
25query = '''
26event.category:process and event.type:(start or process_started) and
27  process.name:ufw and process.args:(allow or disable or reset) or
28
29  (((process.name:service and process.args:stop) or
30     (process.name:chkconfig and process.args:off) or
31     (process.name:systemctl and process.args:(disable or stop or kill))) and
32   process.args:(firewalld or ip6tables or iptables))
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1562"
40name = "Impair Defenses"
41reference = "https://attack.mitre.org/techniques/T1562/"
42[[rule.threat.technique.subtechnique]]
43id = "T1562.001"
44name = "Disable or Modify Tools"
45reference = "https://attack.mitre.org/techniques/T1562/001/"
46
47
48
49[rule.threat.tactic]
50id = "TA0005"
51name = "Defense Evasion"
52reference = "https://attack.mitre.org/tactics/TA0005/"

Related rules

to-top