SigmaHQ/rules/linux/lnx_security_tools_disabling_syslog.yml

title: Disabling Security Tools
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
related:
    - id: e3a8a052-111f-4606-9aee-f28ebeb76776
      type: derived
status: experimental
description: Detects disabling security tools
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020/06/17
modified: 2021/09/14
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
tags:
    - attack.defense_evasion
    - attack.t1562.004
    - attack.t1089 # an old one
logsource:
    product: linux
    service: syslog
detection: 
    keywords:
        - '*stopping iptables*'
        - '*stopping ip6tables*'
        - '*stopping firewalld*'
        - '*stopping cbdaemon*'
        - '*stopping falcon-sensor*'
    condition: keywords
falsepositives:
    - Legitimate administration activities
level: medium
$frack113$ split global lnx_security_tools_disabling.yml 2021-09-14 17:32:58 +00:00			`title: Disabling Security Tools`
			`id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36`
			`related:`
			`- id: e3a8a052-111f-4606-9aee-f28ebeb76776`
			`type: derived`
			`status: experimental`
			`description: Detects disabling security tools`
			`author: Ömer Günal, Alejandro Ortuno, oscd.community`
			`date: 2020/06/17`
			`modified: 2021/09/14`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1562.004`
			`- attack.t1089 # an old one`
			`logsource:`
			`product: linux`
			`service: syslog`
			`detection:`
			`keywords:`
			`- 'stopping iptables'`
			`- 'stopping ip6tables'`
			`- 'stopping firewalld'`
			`- 'stopping cbdaemon'`
			`- 'stopping falcon-sensor'`
			`condition: keywords`
			`falsepositives:`
			`- Legitimate administration activities`
			`level: medium`