rules/linux/auditd/lnx_auditd_modify_system_firewall.yml

title: Modify System Firewall
id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
related:
    - id: 53059bc0-1472-438b-956a-7508a94a91f0
      type: similar
status: test
description: |
    Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
    Detection rules that match only on the disabling of firewalls will miss this.
references:
    - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
    - https://blog.aquasec.com/container-security-tnt-container-attack
author: IAI
date: 2023-03-06
tags:
    - attack.t1562.004
    - attack.defense-evasion
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'EXECVE'
        a0: 'iptables'
        a1|contains: 'DROP'
    selection2:
        type: 'EXECVE'
        a0: 'firewall-cmd'
        a1|contains: 'remove'
    selection3:
        type: 'EXECVE'
        a0: 'ufw'
        a1|contains: 'delete'
    condition: 1 of selection*
falsepositives:
    - Legitimate admin activity
level: medium
feat: new linux rules #4095 ) 2023-03-27 13:17:54 +02:00			`title: Modify System Firewall`
			`id: 323ff3f5-0013-4847-bbd4-250b5edb62cc`
			`related:`
Merge PR #4482 From @nasbench - Add New Automation Workflows 2023-10-18 11:53:44 +02:00			`- id: 53059bc0-1472-438b-956a-7508a94a91f0`
			`type: similar`
chore: promote older rules status from `experimental` to `test` (#4651 ) 2024-01-01 09:00:51 +01:00			`status: test`
feat: new linux rules #4095 ) 2023-03-27 13:17:54 +02:00			`description: \|`
			`Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.`
			`Detection rules that match only on the disabling of firewalls will miss this.`
			`references:`
			`- https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html`
			`- https://blog.aquasec.com/container-security-tnt-container-attack`
			`author: IAI`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2023-03-06`
feat: new linux rules #4095 ) 2023-03-27 13:17:54 +02:00			`tags:`
			`- attack.t1562.004`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
feat: new linux rules #4095 ) 2023-03-27 13:17:54 +02:00			`logsource:`
			`product: linux`
			`service: auditd`
			`detection:`
			`selection1:`
			`type: 'EXECVE'`
			`a0: 'iptables'`
			`a1\|contains: 'DROP'`
			`selection2:`
			`type: 'EXECVE'`
			`a0: 'firewall-cmd'`
			`a1\|contains: 'remove'`
			`selection3:`
			`type: 'EXECVE'`
			`a0: 'ufw'`
			`a1\|contains: 'delete'`
			`condition: 1 of selection*`
			`falsepositives:`
			`- Legitimate admin activity`
			`level: medium`