Disabling Security Tools

Detects disabling security tools

Sigma rule (View on GitHub)

title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: test
description: Detects disabling security tools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: linux
detection:
    selection_iptables_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
            - 'iptables'
            - 'stop'
    selection_iptables_2:
        Image|endswith: '/service'
        CommandLine|contains|all:
            - 'ip6tables'
            - 'stop'
    selection_iptables_3:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
            - 'iptables'
            - 'stop'
    selection_iptables_4:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
            - 'ip6tables'
            - 'stop'
    selection_firewall_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'firewalld'
            - 'stop'
    selection_firewall_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'firewalld'
            - 'disable'
    selection_carbonblack_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'stop'
    selection_carbonblack_2:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'off'
    selection_carbonblack_3:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'stop'
    selection_carbonblack_4:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'disable'
    selection_selinux:
        Image|endswith: '/setenforce'
        CommandLine|contains: '0'
    selection_crowdstrike_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'stop'
            - 'falcon-sensor'
    selection_crowdstrike_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'disable'
            - 'falcon-sensor'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: medium
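To make the rule's matching semantics concrete, the following is an added reference implementation of its detection block (not code from the Sigma project or the rule's authors). It transcribes the thirteen selections, applies Sigma's default case-insensitive `endswith` / `contains|all` matching, evaluates the `1 of selection*` condition, and runs over a handful of constructed Linux process_creation events; the event dictionaries, the field names `Image` and `CommandLine`, and the helper names are assumptions made for this example.

```python
"""Reference implementation of the "Disabling Security Tools" Sigma rule
(id e3a8a052-111f-4606-9aee-f28ebeb76776) for Linux process_creation events.
Added example; not the rule's own code."""

from typing import Dict, List, Tuple

# Each selection from the rule: (Image|endswith suffix, CommandLine|contains|all needles).
# selection_selinux uses a single `contains`, which is the same as an all-of list with one entry.
SELECTIONS: Dict[str, Tuple[str, List[str]]] = {
    "selection_iptables_1":    ("/service",    ["iptables", "stop"]),
    "selection_iptables_2":    ("/service",    ["ip6tables", "stop"]),
    "selection_iptables_3":    ("/chkconfig",  ["iptables", "stop"]),
    "selection_iptables_4":    ("/chkconfig",  ["ip6tables", "stop"]),
    "selection_firewall_1":    ("/systemctl",  ["firewalld", "stop"]),
    "selection_firewall_2":    ("/systemctl",  ["firewalld", "disable"]),
    "selection_carbonblack_1": ("/service",    ["cbdaemon", "stop"]),
    "selection_carbonblack_2": ("/chkconfig",  ["cbdaemon", "off"]),
    "selection_carbonblack_3": ("/systemctl",  ["cbdaemon", "stop"]),
    "selection_carbonblack_4": ("/systemctl",  ["cbdaemon", "disable"]),
    "selection_selinux":       ("/setenforce", ["0"]),
    "selection_crowdstrike_1": ("/systemctl",  ["stop", "falcon-sensor"]),
    "selection_crowdstrike_2": ("/systemctl",  ["disable", "falcon-sensor"]),
}


def matching_selections(event: Dict[str, str]) -> List[str]:
    """Return the names of every selection the event satisfies.

    Sigma string modifiers match case-insensitively by default, so both
    fields are lower-cased before comparison. `contains|all` is unordered:
    every needle must appear somewhere in CommandLine, in any order.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    for name, (suffix, needles) in SELECTIONS.items():
        if image.endswith(suffix) and all(n in cmdline for n in needles):
            hits.append(name)
    return hits


def rule_matches(event: Dict[str, str]) -> bool:
    """Evaluate the rule's condition `1 of selection*`: any selection hit fires the rule."""
    return bool(matching_selections(event))


# Constructed sample events (assumed field names); the middle two are benign
# administration commands that the rule should not fire on.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "/usr/bin/systemctl",  "CommandLine": "systemctl stop falcon-sensor"},
    {"Image": "/usr/sbin/setenforce", "CommandLine": "setenforce 0"},
    {"Image": "/usr/bin/systemctl",  "CommandLine": "systemctl restart nginx"},
    {"Image": "/usr/bin/systemctl",  "CommandLine": "systemctl status firewalld"},
    {"Image": "/sbin/chkconfig",     "CommandLine": "chkconfig cbdaemon off"},
]


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (CommandLine, matched selections) for every event that fires the rule."""
    return [(e["CommandLine"], matching_selections(e)) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT level=medium {hits} <- {cmdline!r}")
```

Two properties of the rule fall out of running this: because `contains|all` is unordered and substring-based, a command such as `systemctl disable --now firewalld` still matches `selection_firewall_2`, but `systemctl status firewalld` does not; and `selection_selinux` only requires the character `0` somewhere in a `setenforce` command line, so when tuning for the listed false positive (legitimate administration) it is the selection most worth checking against your own baseline.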
