Disabling Security Tools - Builtin
Detects disabling security tools
Sigma rule

title: Disabling Security Tools - Builtin
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
related:
  - id: e3a8a052-111f-4606-9aee-f28ebeb76776
    type: derived
status: test
description: Detects disabling security tools
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-11-26
tags:
  - attack.defense-evasion
  - attack.t1562.004
logsource:
  product: linux
  service: syslog
detection:
  keywords:
    - 'stopping iptables'
    - 'stopping ip6tables'
    - 'stopping firewalld'
    - 'stopping cbdaemon'
    - 'stopping falcon-sensor'
  condition: keywords
falsepositives:
  - Legitimate administration activities
level: medium
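The rule is a plain Sigma keyword list: each entry is matched case-insensitively as a substring anywhere in the syslog message, and a single hit triggers the rule. The following Python snippet is an added illustration, not part of the rule or the SigmaHQ project; it applies that matching to a few constructed syslog lines and returns which lines the rule would flag and on which keyword. Note that a "Stopped firewalld" message, as opposed to "Stopping firewalld", does not match.

```python
from typing import List, Optional, Tuple

# Keywords copied verbatim from the rule's detection.keywords block.
KEYWORDS = [
    "stopping iptables",
    "stopping ip6tables",
    "stopping firewalld",
    "stopping cbdaemon",
    "stopping falcon-sensor",
]


def match_keyword(line: str) -> Optional[str]:
    """Return the first rule keyword found in a syslog line, or None.

    Sigma keyword lists are unbound, case-insensitive substring matches,
    so a systemd message "Stopping firewalld ..." hits 'stopping firewalld'.
    """
    lowered = line.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            return kw
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, keyword) pairs for every line the rule would flag."""
    hits = []
    for line in lines:
        kw = match_keyword(line)
        if kw is not None:
            hits.append((line, kw))
    return hits


# Constructed sample syslog lines (not real telemetry).
SAMPLE_SYSLOG = [
    "Jun 17 10:00:01 host systemd[1]: Stopping firewalld - dynamic firewall daemon...",
    "Jun 17 10:00:02 host systemd[1]: Stopped firewalld - dynamic firewall daemon.",
    "Jun 17 10:05:11 host systemd[1]: Starting iptables...",
    "Jun 17 10:07:45 host systemd[1]: Stopping falcon-sensor.service...",
    "Jun 17 10:09:00 host sshd[2211]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    for line, kw in scan(SAMPLE_SYSLOG):
        print(f"[{kw}] {line}")
```

Because the keywords alone cannot separate an attacker stopping the firewall from a scheduled maintenance restart (the rule's stated false positive), the matched lines are candidates for correlation with who issued the stop and whether the service was started again shortly afterwards.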
Related rules
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry
- Disable System Firewall