Disable System Firewall
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
Sigma rule
```yaml
title: Disable System Firewall
id: 53059bc0-1472-438b-956a-7508a94a91f0
status: test
description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
  - https://firewalld.org/documentation/man-pages/firewall-cmd.html
author: 'Pawel Mazur'
date: 2022/01/22
tags:
  - attack.t1562.004
  - attack.defense_evasion
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: 'SERVICE_STOP'
    unit:
      - 'firewalld'
      - 'iptables'
      - 'ufw'
  condition: selection
falsepositives:
  - Admin activity
level: high
```
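As an added example (not part of the Sigma rule or this page), the selection above applied to constructed auditd records in the key=value format systemd writes to the audit socket; Sigma string matching is case-insensitive by default, so the comparison lowercases both sides.

```python
import re

# The rule's selection: an auditd SERVICE_STOP record whose unit is one of these.
FIREWALL_UNITS = {"firewalld", "iptables", "ufw"}

# Constructed sample records (not a real capture): systemd logs service stops
# as type=SERVICE_STOP with the unit name inside the nested msg='...' payload.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_STOP msg=audit(1642860000.101:201): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1642860001.102:202): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1642860002.103:203): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1642860003.104:204): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=ufw comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# key=value tokens; values may be double-quoted, single-quoted, or bare.
_KV = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')

def parse_audit_record(line):
    """Flatten one auditd record into a dict. The first msg= is the audit(epoch:serial)
    header; the second msg='...' payload is parsed so 'unit' becomes a top-level key."""
    fields = {}
    for key, value in _KV.findall(line):
        value = value.strip("\"'")
        if key == "msg" and value.startswith("audit("):
            fields["audit_id"] = value.rstrip(":")
        elif key == "msg":
            fields.update((k, v.strip("\"'")) for k, v in _KV.findall(value))
        else:
            fields[key] = value
    return fields

def matches_rule(record):
    """Evaluate the Sigma selection: type == SERVICE_STOP AND unit in the firewall list."""
    return (record.get("type", "").lower() == "service_stop"
            and record.get("unit", "").lower() in FIREWALL_UNITS)

def find_firewall_stops(log_text):
    """Return (audit_id, unit) for every record in the log that triggers the rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if matches_rule(rec):
            hits.append((rec.get("audit_id"), rec["unit"]))
    return hits
```

The second and third sample records show the two ways a record falls outside the selection: a SERVICE_START for a firewall unit, and a SERVICE_STOP for a unit the rule does not list.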
Related rules
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components
- Disabling Security Tools
- Powershell Detect Virtualization Environment
- Suspicious IO.FileStream