Disabling Security Tools
Detects disabling security tools
Sigma rule (View on GitHub)
1title: Disabling Security Tools
2id: e3a8a052-111f-4606-9aee-f28ebeb76776
3status: test
4description: Detects disabling security tools
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
7author: Ömer Günal, Alejandro Ortuno, oscd.community
8date: 2020-06-17
9modified: 2022-10-09
10tags:
11 - attack.defense-evasion
12 - attack.t1562.004
13logsource:
14 category: process_creation
15 product: linux
16detection:
17 selection_iptables_1:
18 Image|endswith: '/service'
19 CommandLine|contains|all:
20 - 'iptables'
21 - 'stop'
22 selection_iptables_2:
23 Image|endswith: '/service'
24 CommandLine|contains|all:
25 - 'ip6tables'
26 - 'stop'
27 selection_iptables_3:
28 Image|endswith: '/chkconfig'
29 CommandLine|contains|all:
30 - 'iptables'
31 - 'stop'
32 selection_iptables_4:
33 Image|endswith: '/chkconfig'
34 CommandLine|contains|all:
35 - 'ip6tables'
36 - 'stop'
37 selection_firewall_1:
38 Image|endswith: '/systemctl'
39 CommandLine|contains|all:
40 - 'firewalld'
41 - 'stop'
42 selection_firewall_2:
43 Image|endswith: '/systemctl'
44 CommandLine|contains|all:
45 - 'firewalld'
46 - 'disable'
47 selection_carbonblack_1:
48 Image|endswith: '/service'
49 CommandLine|contains|all:
50 - 'cbdaemon'
51 - 'stop'
52 selection_carbonblack_2:
53 Image|endswith: '/chkconfig'
54 CommandLine|contains|all:
55 - 'cbdaemon'
56 - 'off'
57 selection_carbonblack_3:
58 Image|endswith: '/systemctl'
59 CommandLine|contains|all:
60 - 'cbdaemon'
61 - 'stop'
62 selection_carbonblack_4:
63 Image|endswith: '/systemctl'
64 CommandLine|contains|all:
65 - 'cbdaemon'
66 - 'disable'
67 selection_selinux:
68 Image|endswith: '/setenforce'
69 CommandLine|contains: '0'
70 selection_crowdstrike_1:
71 Image|endswith: '/systemctl'
72 CommandLine|contains|all:
73 - 'stop'
74 - 'falcon-sensor'
75 selection_crowdstrike_2:
76 Image|endswith: '/systemctl'
77 CommandLine|contains|all:
78 - 'disable'
79 - 'falcon-sensor'
80 condition: 1 of selection*
81falsepositives:
82 - Legitimate administration activities
83level: medium
References
Related rules
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry
- Disable System Firewall