Flush Iptables Ufw Chain

 1title: Flush Iptables Ufw Chain
 2id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
 3status: test
 4description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
 5references:
 6    - https://blogs.blackberry.com/
 7    - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
 8    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
 9author: Joseliyo Sanchez, @Joseliyo_Jstnk
10date: 2023-01-18
11tags:
12    - attack.defense-evasion
13    - attack.t1562.004
14logsource:
15    product: linux
16    category: process_creation
17detection:
18    selection_img:
19        Image|endswith:
20            - '/iptables'
21            - '/xtables-legacy-multi'
22            - '/iptables-legacy-multi'
23            - '/ip6tables'
24            - '/ip6tables-legacy-multi'
25    selection_params:
26        CommandLine|contains:
27            - '-F'
28            - '-Z'
29            - '-X'
30    selection_ufw:
31        CommandLine|contains:
32            - 'ufw-logging-deny'
33            - 'ufw-logging-allow'
34            - 'ufw6-logging-deny'
35            - 'ufw6-logging-allow'
36            # - 'ufw-reject-output'
37            # - 'ufw-track-inputt'
38    condition: all of selection_*
39falsepositives:
40    - Network administrators
41level: medium

References

• BlackBerry Blog

  The latest news and articles about cybersecurity, critical event management, asset tracking, and secure Internet of Things including automotive from BlackBerry.

  
  Read More

• https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html

  
  Read More

• x.com

  
  Read More

Related rules

• All Rules Have Been Deleted From The Windows Firewall Configuration
• Azure Firewall Modified or Deleted
• Azure Firewall Rule Collection Modified or Deleted
• Bpfdoor TCP Ports Redirect
• Disable Microsoft Defender Firewall via Registry