Attempt to Disable IPTables or Firewall

Last updated 2 months ago on 2024-09-23

Created 2 years ago on 2023-02-22

About

Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Defense EvasionData Source: Elastic DefendData Source: Elastic Endgame

Severity

low

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Impair Defenses (T1562)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.*endgame-*
Related Integrations: endpoint(opens in a new tab or window)
Query

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
  (
   /* disable FW */
   (
     (process.name == "ufw" and process.args == "disable") or
     (process.name == "iptables" and process.args in ("-F", "--flush", "-X", "--delete-chain") and process.args_count == 2) or
     (process.name in ("iptables", "ip6tables") and process.parent.args == "force-stop")
   ) or

   /* stop FW service */
   (
     ((process.name == "service" and process.args == "stop") or
       (process.name == "chkconfig" and process.args == "off") or
       (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))) and
    process.args in ("firewalld", "ip6tables", "iptables", "firewalld.service", "ip6tables.service", "iptables.service")
    )
  )

Install detection rules in Elastic Security

Detect Attempt to Disable IPTables or Firewall in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).