From 9cbcd8977c460201188b852055ec9acbdb591233 Mon Sep 17 00:00:00 2001
From: hg8064
Date: Thu, 16 Mar 2023 17:49:53 +0100
Subject: [PATCH] update T1562.004 with more commands
---
 atomics/T1562.004/T1562.004.yaml | 48 ++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index 19e3ee35..896104ba 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -297,6 +297,54 @@ atomic_tests:
 command: |
 tail /var/log/ufw.log
 cleanup_command: |
+- name: "Disable" iptables
+ auto_generated_guid:
+ description: |
+ Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.)
+ Attackers cannot directly disable iptables, as it is not implemented as a service like ufw. But they can flush all iptables
+ rules, which in fact "disable" iptables.
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Check if iptables is installed on the machine.
+ prereq_command: |
+ if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
+ get_prereq_command: |
+ echo ""
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ iptables-save > /tmp/iptables.rules
+ iptables -F
+ cleanup_command: |
+ iptables-restore < /tmp/iptables.rules
+- name: Modify/delete iptables firewall rules
+ auto_generated_guid:
+ description: |
+ Instead of completely "disabling" iptables, adversaries may choose to delete a certain rule, which, for example, blocks data exfiltration via ftp.
+ By doing so, they may cause less noise to avoid detection.
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Check if iptables is installed on the machine.
+ prereq_command: |
+ if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
+ if ! echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi
+ get_prereq_command: |
+ echo ""
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ iptables-save > /tmp/iptables.rules
+ iptables -D OUTPUT -p tcp --dport 21 -j DROP
+ cleanup_command: |
+ iptables-restore < /tmp/iptables.rules
 - name: LockBit Black - Unusual Windows firewall registry modification -cmd
 auto_generated_guid: a4651931-ebbb-4cde-9363-ddf3d66214cb
 description: |
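Review bot: The first added line, `- name: "Disable" iptables`, is not valid YAML: once a scalar opens with a double quote, only whitespace, `:` or `#` may follow the closing quote on that line, so a strict parser rejects the whole file; write `- name: Disable iptables` or quote the entire value as `'"Disable" iptables'`. Both new tests leave `auto_generated_guid:` empty (parsed as null) while the neighbouring LockBit test on the trailing context line carries a UUID, so either fill them in or confirm that the repository's tooling generates them. In both executors the save/restore pair `iptables-save > /tmp/iptables.rules` / `iptables-restore < /tmp/iptables.rules` runs as root against a fixed, predictable path in world-writable /tmp: a pre-existing file or symlink there is overwritten on save, and if the save step fails the cleanup loads whatever ruleset happens to sit at that path, so a `mktemp`-created file (or a path under the atomics folder) plus a cleanup guarded by `[ -f /tmp/iptables.rules ] &&` would be safer. `iptables -F` on a host whose INPUT chain policy is DROP also cuts off remote sessions before the cleanup runs, which the description should state so the test is run from a console. The `atomic_tests` sequence continues outside the hunk on both sides.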