Techniques
Sample rules
Ufw Force Stop Using Ufw-Init
- source: sigma
- techniques:
- t1562
- t1562.004
Description
Detects attempts to force-stop ufw using ufw-init, or to disable ufw directly.
Detection logic
    condition: 1 of selection_*
    selection_init:
        CommandLine|contains|all:
            - '-ufw-init'
            - 'force-stop'
    selection_ufw:
        CommandLine|contains|all:
            - 'ufw'
            - 'disable'
Flush Iptables Ufw Chain
- source: sigma
- techniques:
- t1562
- t1562.004
Description
Detects use of iptables to flush all firewall rules, tables and chains, which allows all network traffic.
Detection logic
    condition: all of selection_*
    selection_img:
        Image|endswith:
            - '/iptables'
            - '/xtables-legacy-multi'
            - '/iptables-legacy-multi'
            - '/ip6tables'
            - '/ip6tables-legacy-multi'
    selection_params:
        CommandLine|contains:
            - '-F'
            - '-Z'
            - '-X'
    selection_ufw:
        CommandLine|contains:
            - 'ufw-logging-deny'
            - 'ufw-logging-allow'
            - 'ufw6-logging-deny'
            - 'ufw6-logging-allow'
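Both rules above, re-implemented as plain Python matchers and run over a handful of constructed process-creation events. This is an added example, not code from the page or from the Sigma project; the `ProcessEvent` record, the helper names and every sample command line are assumptions made for the illustration. It follows the Sigma convention that `contains` and `endswith` compare case-insensitively, and it shows how the two conditions differ: `1 of selection_*` fires when either selection matches, `all of selection_*` only when every selection matches. It also shows a consequence of the literal `-ufw-init` exactly as printed above: a command line such as `/lib/ufw/ufw-init force-stop` has no hyphen immediately before `ufw-init`, so `selection_init` does not match it; if that is not the behaviour you want, check the literal against the upstream rule before deploying.

```python
# Added example (not part of the page or the Sigma project): the two ufw
# tampering rules as Python matchers over constructed process events.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record with the two fields the rules inspect (assumed shape)."""
    image: str          # Sigma field Image
    command_line: str   # Sigma field CommandLine


def contains_all(value: str, needles: list[str]) -> bool:
    """Sigma `contains|all`: every literal must occur as a substring (case-insensitive)."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def contains_any(value: str, needles: list[str]) -> bool:
    """Sigma `contains` with a list of values: any literal may occur (case-insensitive)."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def endswith_any(value: str, suffixes: list[str]) -> bool:
    """Sigma `endswith` with a list of values (case-insensitive)."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def ufw_force_stop_using_ufw_init(evt: ProcessEvent) -> bool:
    """condition: 1 of selection_*  (either selection is enough)."""
    selection_init = contains_all(evt.command_line, ["-ufw-init", "force-stop"])
    selection_ufw = contains_all(evt.command_line, ["ufw", "disable"])
    return selection_init or selection_ufw


def flush_iptables_ufw_chain(evt: ProcessEvent) -> bool:
    """condition: all of selection_*  (every selection must match)."""
    selection_img = endswith_any(evt.image, [
        "/iptables", "/xtables-legacy-multi", "/iptables-legacy-multi",
        "/ip6tables", "/ip6tables-legacy-multi",
    ])
    selection_params = contains_any(evt.command_line, ["-F", "-Z", "-X"])
    selection_ufw = contains_any(evt.command_line, [
        "ufw-logging-deny", "ufw-logging-allow",
        "ufw6-logging-deny", "ufw6-logging-allow",
    ])
    return selection_img and selection_params and selection_ufw


RULES = {
    "Ufw Force Stop Using Ufw-Init": ufw_force_stop_using_ufw_init,
    "Flush Iptables Ufw Chain": flush_iptables_ufw_chain,
}

# Constructed sample events for the illustration; not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/ufw", "ufw disable"),
    ProcessEvent("/bin/sh", "/lib/ufw/ufw-init force-stop"),   # no hyphen before ufw-init
    ProcessEvent("/usr/sbin/iptables", "iptables -F ufw-logging-deny"),
    ProcessEvent("/usr/sbin/xtables-legacy-multi",
                 "xtables-legacy-multi iptables -X ufw6-logging-allow"),
    ProcessEvent("/usr/sbin/iptables", "iptables -L -n -v"),    # read-only listing
    ProcessEvent("/usr/sbin/iptables", "iptables -F INPUT"),    # flush, but not a ufw chain
]


def evaluate(events: list[ProcessEvent]) -> list[tuple[str, str]]:
    """Return (rule title, command line) for every rule/event pair that matches."""
    hits = []
    for evt in events:
        for title, rule in RULES.items():
            if rule(evt):
                hits.append((title, evt.command_line))
    return hits


if __name__ == "__main__":
    for title, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{title}: {cmd}")
```

Because the comparison is case-insensitive, `-F`, `-Z` and `-X` in `selection_params` also match their lower-case forms; keep that in mind when tuning the rule against your own iptables invocations.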