Ufw Force Stop Using Ufw-Init

 1title: Ufw Force Stop Using Ufw-Init
 2id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
 3status: test
 4description: Detects attempts to force stop the ufw using ufw-init
 5references:
 6    - https://blogs.blackberry.com/
 7    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 8author: Joseliyo Sanchez, @Joseliyo_Jstnk
 9date: 2023-01-18
10tags:
11    - attack.defense-evasion
12    - attack.t1562.004
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection_init:
18        CommandLine|contains|all:
19            - '-ufw-init'
20            - 'force-stop'
21    selection_ufw:
22        CommandLine|contains|all:
23            - 'ufw'
24            - 'disable'
25    condition: 1 of selection_*
26falsepositives:
27    - Network administrators
28level: medium

References

• BlackBerry Blog

  The latest news and articles about cybersecurity, critical event management, asset tracking, and secure Internet of Things including automotive from BlackBerry.

  
  Read More

• x.com

  
  Read More

Related rules

• All Rules Have Been Deleted From The Windows Firewall Configuration
• Azure Firewall Modified or Deleted
• Azure Firewall Rule Collection Modified or Deleted
• Bpfdoor TCP Ports Redirect
• Disable Microsoft Defender Firewall via Registry