Modify System Firewall
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
Sigma rule (View on GitHub)
1title: Modify System Firewall
2id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
3related:
4 - id: 53059bc0-1472-438b-956a-7508a94a91f0
5 type: similar
6status: test
7description: |
8 Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
9 Detection rules that match only on the disabling of firewalls will miss this.
10references:
11 - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
12 - https://blog.aquasec.com/container-security-tnt-container-attack
13author: IAI
14date: 2023-03-06
15tags:
16 - attack.t1562.004
17 - attack.defense-evasion
18logsource:
19 product: linux
20 service: auditd
21detection:
22 selection1:
23 type: 'EXECVE'
24 a0: 'iptables'
25 a1|contains: 'DROP'
26 selection2:
27 type: 'EXECVE'
28 a0: 'firewall-cmd'
29 a1|contains: 'remove'
30 selection3:
31 type: 'EXECVE'
32 a0: 'ufw'
33 a1|contains: 'delete'
34 condition: 1 of selection*
35falsepositives:
36 - Legitimate admin activity
37level: medium
References
Related rules
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry
- Disable System Firewall