SigmaHQ/rules/linux/lnx_security_tools_disabling.yml

title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: experimental
description: Detects disabling security tools
author: Ömer Günal
date: 2020/06/17
references:
    - https://attack.mitre.org/techniques/T1089/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
logsource:
    product: linux
detection:
    keywords:
        - Command|contains:
          - 'service iptables stop'
          - 'chkconfig off iptables'
          - 'service ip6tables stop'
          - 'chkconfig off ip6tables'
        - CarbonBlack|contains:
          - 'service cbdaemon stop'
          - 'chkconfig off cbdaemon'
          - 'systemctl stop cbdaemon'
          - 'systemctl disable cbdaemon'
        - SELinux:
          - 'setenforce 0'
        - Crowdstrike|contains:
          - 'systemctl stop falcon-sensor.service'
          - 'systemctl disable falcon-sensor.service'
    condition: keywords
falsepositives:
    - Legitimate administration activities
level: medium
tags:
    - attack.defense_evasion
Create lnx_security_tools_disabling.yml 2020-07-12 22:32:24 +00:00			`title: Disabling Security Tools`
			`id: e3a8a052-111f-4606-9aee-f28ebeb76776`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`status: experimental`
Create lnx_security_tools_disabling.yml 2020-07-12 22:32:24 +00:00			`description: Detects disabling security tools`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`author: Ömer Günal`
			`date: 2020/06/17`
Create lnx_security_tools_disabling.yml 2020-07-12 22:32:24 +00:00			`references:`
			`- https://attack.mitre.org/techniques/T1089/`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md`
			`logsource:`
			`product: linux`
			`detection:`
			`keywords:`
			`- Command\|contains:`
			`- 'service iptables stop'`
			`- 'chkconfig off iptables'`
			`- 'service ip6tables stop'`
			`- 'chkconfig off ip6tables'`
			`- CarbonBlack\|contains:`
			`- 'service cbdaemon stop'`
			`- 'chkconfig off cbdaemon'`
			`- 'systemctl stop cbdaemon'`
			`- 'systemctl disable cbdaemon'`
			`- SELinux:`
			`- 'setenforce 0'`
			`- Crowdstrike\|contains:`
			`- 'systemctl stop falcon-sensor.service'`
			`- 'systemctl disable falcon-sensor.service'`
			`condition: keywords`
			`falsepositives:`
			`- Legitimate administration activities`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`level: medium`
			`tags:`
			`- attack.defense_evasion`