Modify System Firewall
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
Sigma rule (View on GitHub)
1title: Modify System Firewall
2id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
3related:
4 - id: 53059bc0-1472-438b-956a-7508a94a91f0
5 type: similar
6status: test
7description: |
8 Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
9 Detection rules that match only on the disabling of firewalls will miss this.
10references:
11 - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
12 - https://blog.aquasec.com/container-security-tnt-container-attack
13author: IAI
14date: 2023/03/06
15tags:
16 - attack.t1562.004
17 - attack.defense_evasion
18logsource:
19 product: linux
20 service: auditd
21detection:
22 selection1:
23 type: 'EXECVE'
24 a0: 'iptables'
25 a1|contains: 'DROP'
26 selection2:
27 type: 'EXECVE'
28 a0: 'firewall-cmd'
29 a1|contains: 'remove'
30 selection3:
31 type: 'EXECVE'
32 a0: 'ufw'
33 a1|contains: 'delete'
34 condition: 1 of selection*
35falsepositives:
36 - Legitimate admin activity
37level: medium
References
-
Conclusion and security recommendations Over the past few years, IoT attacks have been escalating globally and internet routers have been one of the primary targets. There are several reasons that ...
Read More -
Dynamic analysis of the docker Hub account uncovered 8 malicious container images, and at least two that are being used by TeamTNT to perform attacks.
Read More
Related rules
- Firewall Rule Deleted Via Netsh.EXE
- New Firewall Rule Added Via Netsh.EXE
- RDP Connection Allowed Via Netsh.EXE
- Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
- Flush Iptables Ufw Chain