attack.t1686 on Detection.FYI

attack.t1686 on Detection.FYI https://detection.fyi/tags/attack.t1686/ Recent content in attack.t1686 on Detection.FYI Hugo -- gohugo.io Tue, 28 Apr 2026 23:20:23 +0000 Bpfdoor TCP Ports Redirect https://detection.fyi/sigmahq/sigma/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect/ All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only. Disable System Firewall https://detection.fyi/sigmahq/sigma/linux/auditd/service_stop/lnx_auditd_disable_system_firewall/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/auditd/service_stop/lnx_auditd_disable_system_firewall/ Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network. Disabling Security Tools https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_security_tools_disabling/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_security_tools_disabling/ Detects disabling security tools Disabling Security Tools - Builtin https://detection.fyi/sigmahq/sigma/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog/ Detects disabling security tools Flush Iptables Ufw Chain https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_iptables_flush_ufw/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_iptables_flush_ufw/ Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic Modify System Firewall https://detection.fyi/sigmahq/sigma/linux/auditd/execve/lnx_auditd_modify_system_firewall/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/auditd/execve/lnx_auditd_modify_system_firewall/ Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this. Ufw Force Stop Using Ufw-Init https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_disable_ufw/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_disable_ufw/ Detects attempts to force stop the ufw using ufw-init