Detectionhightest

Disable System Firewall

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Pawel MazurCreated Sat Jan 2253059bc0-1472-438b-956a-7508a94a91f0linux

Log Source

Linuxauditd

ProductLinux← raw: linux

Serviceauditd← raw: auditd

Detection Logic

detection:
    selection:
        type: 'SERVICE_STOP'
        unit:
            - 'firewalld'
            - 'iptables'
            - 'ufw'
    condition: selection

False Positives

Admin activity

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.004 · Disable or Modify System Firewall

Rule Metadata

Rule ID

53059bc0-1472-438b-956a-7508a94a91f0

Status

test

Level

high

Type

Detection

Created

Sat Jan 22

Author

Pawel Mazur

Path

rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml

Raw Tags

attack.t1562.004attack.defense-evasion

View on GitHub