Disable System Firewall
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
Sigma rule (View on GitHub)
1title: Disable System Firewall
2id: 53059bc0-1472-438b-956a-7508a94a91f0
3status: test
4description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
7 - https://firewalld.org/documentation/man-pages/firewall-cmd.html
8author: 'Pawel Mazur'
9date: 2022-01-22
10tags:
11 - attack.t1562.004
12 - attack.defense-evasion
13logsource:
14 product: linux
15 service: auditd
16detection:
17 selection:
18 type: 'SERVICE_STOP'
19 unit:
20 - 'firewalld'
21 - 'iptables'
22 - 'ufw'
23 condition: selection
24falsepositives:
25 - Admin activity
26level: high
References
Related rules
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry
- Disable Windows Firewall by Registry