Modify System Firewall
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
Sigma rule (View on GitHub)
1title: Modify System Firewall
2id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
3related:
4 - id: 53059bc0-1472-438b-956a-7508a94a91f0
5 type: similar
6status: test
7description: |
8 Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
9 Detection rules that match only on the disabling of firewalls will miss this.
10references:
11 - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
12 - https://blog.aquasec.com/container-security-tnt-container-attack
13author: IAI
14date: 2023/03/06
15tags:
16 - attack.t1562.004
17 - attack.defense_evasion
18logsource:
19 product: linux
20 service: auditd
21detection:
22 selection1:
23 type: 'EXECVE'
24 a0: 'iptables'
25 a1|contains: 'DROP'
26 selection2:
27 type: 'EXECVE'
28 a0: 'firewall-cmd'
29 a1|contains: 'remove'
30 selection3:
31 type: 'EXECVE'
32 a0: 'ufw'
33 a1|contains: 'delete'
34 condition: 1 of selection*
35falsepositives:
36 - Legitimate admin activity
37level: medium
References
Related rules
- Firewall Rule Deleted Via Netsh.EXE
- New Firewall Rule Added Via Netsh.EXE
- RDP Connection Allowed Via Netsh.EXE
- Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
- Flush Iptables Ufw Chain