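# Sigma rule (process_creation, Linux): fires on command lines that stop or
# disable the Uncomplicated Firewall (ufw), either through the ufw-init helper
# or the ufw front end. Nesting below was restored; the original paste had
# lost its indentation, which flattens the mapping and duplicates keys.
title: Ufw Force Stop Using Ufw-Init
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: experimental
description: Detects attempts to force stop the ufw using ufw-init
references:
    # NOTE(review): this first entry is the blog root, not a specific article;
    # replace it with the exact post URL so the rule's provenance is checkable.
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023/01/18
tags:
    - attack.defense_evasion
    - attack.t1562.004
logsource:
    product: linux
    category: process_creation
detection:
    # Both selections use contains|all: every listed substring must appear
    # somewhere in CommandLine, in any order and not necessarily adjacent.
    selection_init:
        CommandLine|contains|all:
            - '-ufw-init'
            - 'force-stop'
    # Broader than selection_init: any command line carrying both 'ufw' and
    # 'disable' matches, which is where the admin false positives come from.
    selection_ufw:
        CommandLine|contains|all:
            - 'ufw'
            - 'disable'
    # Either selection on its own is sufficient to raise the alert.
    condition: 1 of selection_*
falsepositives:
    - Network administrators
level: medium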