Modify System Firewall

calendar Oct 17, 2025 · attack.t1562.004 attack.defense-evasion  ·
Share on: linkedin copy

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

Sigma rule (View on GitHub)

 1title: Modify System Firewall
 2id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
 3related:
 4    - id: 53059bc0-1472-438b-956a-7508a94a91f0
 5      type: similar
 6status: test
 7description: |
 8    Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
 9    Detection rules that match only on the disabling of firewalls will miss this.    
10references:
11    - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
12    - https://blog.aquasec.com/container-security-tnt-container-attack
13    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking
14author: IAI
15date: 2023-03-06
16modified: 2025-10-12
17tags:
18    - attack.t1562.004
19    - attack.defense-evasion
20logsource:
21    product: linux
22    service: auditd
23detection:
24    selection1:
25        type: 'EXECVE'
26        a0: 'iptables'
27        a1|contains: 'DROP'
28    selection2:
29        type: 'EXECVE'
30        a0: 'firewall-cmd'
31        a1|contains: 'remove'
32    selection3:
33        type: 'EXECVE'
34        a0: 'ufw'
35        a1|contains: 'delete'
36    selection4:
37        type: 'EXECVE'
38        a0: 'nft'
39        a1|contains:
40            - 'delete'
41            - 'flush'
42    condition: 1 of selection*
43falsepositives:
44    - Legitimate admin activity
45level: medium

References

Related rules

to-top