Flush Iptables Ufw Chain
Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
Sigma rule

```yaml
title: Flush Iptables Ufw Chain
id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
status: test
description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '/iptables'
            - '/xtables-legacy-multi'
            - '/iptables-legacy-multi'
            - '/ip6tables'
            - '/ip6tables-legacy-multi'
    selection_params:
        CommandLine|contains:
            - '-F'
            - '-Z'
            - '-X'
    selection_ufw:
        CommandLine|contains:
            - 'ufw-logging-deny'
            - 'ufw-logging-allow'
            - 'ufw6-logging-deny'
            - 'ufw6-logging-allow'
            # - 'ufw-reject-output'
            # - 'ufw-track-inputt'
    condition: all of selection_*
falsepositives:
    - Network administrators
level: medium
```
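To make the three-way `all of selection_*` condition concrete, here is an added example (not code from the Sigma project) that evaluates the rule's logic against constructed process_creation events; the event dictionaries and command lines are assumed sample data, not real telemetry.

```python
# Added example (not part of the Sigma project): a minimal evaluator for this
# rule's detection logic, applied to constructed process_creation events.
# Sigma string modifiers (endswith/contains) are case-insensitive by default,
# so both sides are lower-cased before comparison.

IMAGE_SUFFIXES = (
    "/iptables", "/xtables-legacy-multi", "/iptables-legacy-multi",
    "/ip6tables", "/ip6tables-legacy-multi",
)
FLUSH_FLAGS = ("-F", "-Z", "-X")  # flush rules / zero counters / delete chain
UFW_CHAINS = (
    "ufw-logging-deny", "ufw-logging-allow",
    "ufw6-logging-deny", "ufw6-logging-allow",
)


def matches_rule(event: dict) -> bool:
    """Return True when all three selections of the rule match the event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_img = any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
    selection_params = any(f.lower() in cmd for f in FLUSH_FLAGS)
    selection_ufw = any(c.lower() in cmd for c in UFW_CHAINS)
    return selection_img and selection_params and selection_ufw


# Constructed sample events (hypothetical commands, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/iptables", "CommandLine": "iptables -F ufw-logging-deny"},
    {"Image": "/usr/sbin/ip6tables", "CommandLine": "ip6tables -X ufw6-logging-allow"},
    # Listing rules: no ufw chain named and none of the flush flags used.
    {"Image": "/usr/sbin/iptables", "CommandLine": "iptables -L -n -v"},
    # Flushing a built-in chain: flag matches, but no ufw chain is named.
    {"Image": "/usr/sbin/iptables", "CommandLine": "iptables -F INPUT"},
    # Appending to a ufw chain: chain matches, but -A is not a flush flag.
    {"Image": "/usr/sbin/iptables", "CommandLine": "iptables -A ufw-logging-deny -j LOG"},
    # Same strings in a shell command line: Image is not an iptables binary.
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c 'echo -F ufw-logging-deny'"},
]


def flagged_command_lines(events: list) -> list:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in flagged_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Because Sigma `contains` is case-insensitive, `-F` also matches a lowercase `-f` inside a chain name such as `ufw-user-forward`; the `all of selection_*` condition is what keeps such substring hits from alerting on their own.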
Related rules
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry
- Disable System Firewall