
Modify System Firewall

Detects the removal of system firewall rules. Rather than disabling the firewall outright, adversaries may delete or modify only a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

Log Source
Product: Linux (raw: linux)
Service: auditd (raw: auditd)

Detection Logic (4 selectors)
detection:
    selection1:
        type: 'EXECVE'
        a0: 'iptables'
        a1|contains: 'DROP'
    selection2:
        type: 'EXECVE'
        a0: 'firewall-cmd'
        a1|contains: 'remove'
    selection3:
        type: 'EXECVE'
        a0: 'ufw'
        a1|contains: 'delete'
    selection4:
        type: 'EXECVE'
        a0: 'nft'
        a1|contains:
            - 'delete'
            - 'flush'
    condition: 1 of selection*
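As an added illustration, not part of the rule or of the Sigma project's code, the four selectors above applied to a handful of constructed auditd EXECVE records in Python. Field names a0/a1 are the auditd EXECVE argument fields the rule keys on; the helper names and the sample records are this example's own. It also decodes the unquoted hex form auditd uses for arguments containing spaces, which a plain substring search over the raw line would miss.

```python
import re
# Selectors transcribed from the rule: a0 equals the binary name, a1 contains one of the
# strings. Sigma matching is case-insensitive by default, so both sides are lower-cased.
SELECTORS = {
    "selection1": ("iptables", ("drop",)),
    "selection2": ("firewall-cmd", ("remove",)),
    "selection3": ("ufw", ("delete",)),
    "selection4": ("nft", ("delete", "flush")),
}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_record(line):
    """Split one auditd record into fields. auditd emits argument fields (a0, a1, ...)
    unquoted and hex-encoded when the value holds a space, quote or control byte,
    so those are decoded back to text before matching."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare if bare else quoted
        if bare and re.fullmatch(r"a\d+", key) and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", errors="replace")
        fields[key] = value
    return fields

def match_rule(line):
    """Return the name of the first selector that fires for a record, else None."""
    rec = parse_audit_record(line)
    if rec.get("type") != "EXECVE":
        return None
    a0, a1 = rec.get("a0", "").lower(), rec.get("a1", "").lower()
    for name, (binary, needles) in SELECTORS.items():
        if a0 == binary and any(n in a1 for n in needles):
            return name
    return None

# Constructed sample records for illustration, not real audit output.
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=4 a0="ufw" a1="delete" a2="allow" a3="22/tcp"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="iptables" a1="-L" a2="-n"',
    # argv[1] is "-D", so selection1 (a1 contains DROP) does not fire on this record
    'type=EXECVE msg=audit(1700000000.103:203): argc=5 a0="iptables" a1="-D" a2="INPUT" a3="-j" a4="DROP"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=2 a0="firewall-cmd" a1="--remove-port=80/tcp"',
    # one argument "delete table inet filter", hex-encoded because it contains spaces
    'type=EXECVE msg=audit(1700000000.105:205): argc=2 a0="nft" a1=64656C657465207461626C6520696E65742066696C746572',
    'type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=59 success=yes exit=0 comm="nft"',
]

def scan(lines):
    """Evaluate the rule over a batch of records; returns (selector, record) per hit."""
    return [(match_rule(l), l) for l in lines if match_rule(l)]
```

Because each selector inspects only a1 (argv[1]), argument order decides whether a command fires, as the iptables "-D ... -j DROP" sample shows.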
False Positives

Legitimate admin activity

Rule Metadata
Rule ID
323ff3f5-0013-4847-bbd4-250b5edb62cc
Status
test
Level
medium
Type
Detection
Created
Mon Mar 06
Modified
Sun Oct 12
Author
Path
rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml
Raw Tags
attack.t1562.004, attack.defense-evasion