Ufw Force Stop Using Ufw-Init
Detects attempts to force stop the ufw using ufw-init
Sigma rule
```yaml
title: Ufw Force Stop Using Ufw-Init
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: test
description: Detects attempts to force stop the ufw using ufw-init
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: linux
    category: process_creation
detection:
    selection_init:
        CommandLine|contains|all:
            - '-ufw-init'
            - 'force-stop'
    selection_ufw:
        CommandLine|contains|all:
            - 'ufw'
            - 'disable'
    condition: 1 of selection_*
falsepositives:
    - Network administrators
level: medium
```
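To see what this rule's detection block actually flags, here is an added example (not part of the rule or the SigmaHQ project) that evaluates the two `contains|all` selections and the `1 of selection_*` condition over constructed Linux process_creation events; the sample command lines and the `evaluate_rule` helper are assumptions made for illustration.

```python
# Added example: a minimal evaluator for this rule's detection logic.
# Not SigmaHQ code; the sample events below are constructed, not real telemetry.
from typing import Dict, List

# The two selections exactly as written in the rule. contains|all means every
# listed substring must appear in CommandLine; "1 of selection_*" means the
# rule fires when at least one selection matches.
RULE_SELECTIONS: Dict[str, List[str]] = {
    "selection_init": ["-ufw-init", "force-stop"],
    "selection_ufw": ["ufw", "disable"],
}


def match_selection(command_line: str, substrings: List[str]) -> bool:
    """contains|all: every substring must occur in CommandLine.
    Sigma string matching is case-insensitive by default, so compare lowercased."""
    haystack = command_line.lower()
    return all(s.lower() in haystack for s in substrings)


def evaluate_rule(event: Dict[str, str]) -> List[str]:
    """Return the names of the selections that match; an empty list means no alert."""
    cmd = event.get("CommandLine", "")
    return [name for name, subs in RULE_SELECTIONS.items() if match_selection(cmd, subs)]


# Constructed sample events. Note that selection_init needs the literal
# "-ufw-init" (with the leading hyphen), so a plain path invocation of the
# ufw-init script only alerts if the 'ufw' + 'disable' pair is also present.
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/ufw", "CommandLine": "ufw disable"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo ufw --force disable"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl disable --now ufw"},
    {"Image": "/lib/ufw/ufw-init", "CommandLine": "/lib/ufw/ufw-init force-stop"},
    {"Image": "/usr/sbin/ufw", "CommandLine": "ufw status verbose"},
]


def run_over_samples(events=SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Map each sample CommandLine to the selections it triggered."""
    return {e["CommandLine"]: evaluate_rule(e) for e in events}


if __name__ == "__main__":
    for cmd, hits in run_over_samples().items():
        print(f"{'ALERT' if hits else 'ok   '} {cmd!r} -> {hits}")
```

Running it shows the three `disable` command lines alerting via `selection_ufw`, while the status query and the bare `ufw-init force-stop` path invocation do not, which is a useful baseline when tuning for the "Network administrators" false positive listed in the rule.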
Related rules
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry
- Disable System Firewall