UFW Disable Attempt
Detects attempts to disable the Uncomplicated Firewall (UFW) on Linux systems, either by invoking the ufw-init helper with stop, force-stop or flush, or by a command line that disables ufw. UFW is a front end for the kernel's netfilter (iptables) rules that gives administrators a simple interface for managing host firewall policy. Stopping or flushing it removes that policy, so network services the firewall was blocking become reachable; an attacker with root typically does this as a defence-impairment step. The rule works on process_creation telemetry and matches on the image path and command line of the process.
Sigma rule
```yaml
title: UFW Disable Attempt
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: test
description: |
    Detects attempts to disable the Uncomplicated Firewall (UFW) on Linux systems.
    UFW is a popular firewall management tool that provides an easy-to-use interface for configuring firewall rules.
    Disabling UFW can leave a system vulnerable to attacks, as it may allow unauthorized access to network services and resources.
references:
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
    - https://manpages.debian.org/unstable/ufw/ufw-framework.8.en.html
    - https://www.cyberciti.biz/faq/linux-disable-firewall-command/
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
modified: 2026-05-04
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    category: process_creation
detection:
    selection_ufw_init:
        Image|endswith: '/ufw-init'
        CommandLine|contains:
            - ' force-stop' # same as stop, except does not check if the firewall is already loaded
            - ' stop' # unloads the firewall
            - ' flush' # flushes the built-in chains, deletes all non-built-in chains and resets the policy to ACCEPT
    selection_ufw_disable:
        CommandLine|contains|all:
            # Covers both ufw disable and systemctl disable ufw
            # systemctl disable ufw -- prevents UFW starting at boot, but does not stop the currently running instance of UFW
            # ufw disable -- stops the currently running instance of UFW and prevents it from starting at boot
            - 'ufw '
            - 'disable'
    condition: 1 of selection_*
falsepositives:
    - Legitimate actions by system administrators to disable UFW.
level: medium
```
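The following is an added example, not part of the SigmaHQ rule or its documentation: it re-implements the two selections above with Sigma's default string semantics (substring match, case-insensitive, `endswith` on the image path) and runs them over a handful of constructed process_creation events. The event layout (a dict with `Image` and `CommandLine` keys) and the `/usr/lib/ufw/ufw-init` path are assumptions for the sake of the demo; map them onto your own pipeline's fields before reuse. Two results are worth checking before you deploy the rule: `'ufw '` carries a trailing space, so the bare command line `systemctl disable ufw` (and `systemctl disable ufw.service`) does not satisfy `selection_ufw_disable` despite the comment in the rule, while any command line that merely contains the text `ufw disable`, such as a grep over notes, does.

```python
"""Evaluate the 'UFW Disable Attempt' Sigma logic over constructed process events.

Added example; the event dict layout and file paths are assumptions, not the
rule's own code. Adapt the field names to your process_creation mapping.
"""
from __future__ import annotations


# Sigma string modifiers are case-insensitive by default, so normalise both sides.
def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


# selection_ufw_init: Image|endswith '/ufw-init' AND CommandLine|contains any listed argument.
UFW_INIT_SUFFIX = "/ufw-init"
UFW_INIT_ARGS = (" force-stop", " stop", " flush")

# selection_ufw_disable: CommandLine|contains|all of 'ufw ' (trailing space!) and 'disable'.
UFW_DISABLE_ALL = ("ufw ", "disable")


def selection_ufw_init(event: dict) -> bool:
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return _endswith(image, UFW_INIT_SUFFIX) and any(_contains(cmd, a) for a in UFW_INIT_ARGS)


def selection_ufw_disable(event: dict) -> bool:
    cmd = event.get("CommandLine", "")
    return all(_contains(cmd, s) for s in UFW_DISABLE_ALL)


SELECTIONS = {
    "selection_ufw_init": selection_ufw_init,
    "selection_ufw_disable": selection_ufw_disable,
}


def evaluate(event: dict) -> list[str]:
    """Return the selections that fire; the condition '1 of selection_*' holds
    exactly when the returned list is non-empty."""
    return [name for name, fn in SELECTIONS.items() if fn(event)]


# Constructed sample events (not real telemetry); paths are assumed.
SAMPLE_EVENTS = [
    {"Image": "/usr/lib/ufw/ufw-init", "CommandLine": "/usr/lib/ufw/ufw-init force-stop"},
    {"Image": "/usr/lib/ufw/ufw-init", "CommandLine": "/usr/lib/ufw/ufw-init flush"},
    {"Image": "/usr/lib/ufw/ufw-init", "CommandLine": "/usr/lib/ufw/ufw-init start"},
    {"Image": "/usr/sbin/ufw", "CommandLine": "ufw disable"},
    {"Image": "/usr/sbin/ufw", "CommandLine": "ufw --force disable"},
    {"Image": "/usr/sbin/ufw", "CommandLine": "ufw allow 22/tcp"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl disable ufw"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl disable ufw.service"},
    {"Image": "/usr/bin/grep", "CommandLine": "grep -r 'ufw disable' /home/admin/notes"},
]


def run_samples() -> dict[str, list[str]]:
    """Map each sample command line to the selections it triggers."""
    return {e["CommandLine"]: evaluate(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for cmd, hits in run_samples().items():
        print(f"{'ALERT' if hits else 'ok   '}  {cmd!r} -> {hits}")
```

Running it shows the ufw-init `force-stop` and `flush` events and the `ufw disable` / `ufw --force disable` events alerting, the two `systemctl disable ufw*` lines staying silent, and the grep line firing as a false positive. If you want the systemctl path covered, a third selection on `Image|endswith: '/systemctl'` plus `CommandLine|contains|all: ['disable', 'ufw']` would do it, but that is a change to the rule, not something the published version does.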
Related rules
- Bpfdoor TCP Ports Redirect
- Disable System Firewall
- Disabling Security Tools
- Disabling Security Tools - Builtin
- Flush Iptables Ufw Chain