security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml
T
github-actions[bot] ae960f0881 Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test 
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00

29 lines
758 B
YAML
Raw Blame History

title: Ufw Force Stop Using Ufw-Init
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: test
description: Detects attempts to force stop the ufw using ufw-init
references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023/01/18
tags:
- attack.defense_evasion
- attack.t1562.004
logsource:
product: linux
category: process_creation
detection:
selection_init:
CommandLine|contains|all:
- '-ufw-init'
- 'force-stop'
selection_ufw:
CommandLine|contains|all:
- 'ufw'
- 'disable'
condition: 1 of selection_*
falsepositives:
- Network administrators
level: medium
Reference in New Issue View Git Blame Copy Permalink