SigmaHQ/rules/linux/lnx_security_tools_disabling.yml

title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: experimental
description: Detects disabling security tools
author: Ömer Günal, Alejandro Ortuno
date: 2020/06/17
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
logsource:
    category: process_creation
    product: linux
detection:
    keywords:
        - Command|contains:
          - 'service iptables stop'
          - 'chkconfig off iptables'
          - 'service ip6tables stop'
          - 'chkconfig off ip6tables'
          - 'systemctl stop firewalld'
          - 'systemctl disable firewalld'
        - CarbonBlack|contains:
          - 'service cbdaemon stop'
          - 'chkconfig off cbdaemon'
          - 'systemctl stop cbdaemon'
          - 'systemctl disable cbdaemon'
        - SELinux:
          - 'setenforce 0'
        - Crowdstrike|contains:
          - 'systemctl stop falcon-sensor.service'
          - 'systemctl disable falcon-sensor.service'
    condition: keywords
falsepositives:
    - Legitimate administration activities
level: medium
tags:
    - attack.defense_evasion
    - attack.t1562.004
    - attack.t1089
Create lnx_security_tools_disabling.yml 2020-07-12 22:32:24 +00:00			`title: Disabling Security Tools`
			`id: e3a8a052-111f-4606-9aee-f28ebeb76776`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`status: experimental`
Create lnx_security_tools_disabling.yml 2020-07-12 22:32:24 +00:00			`description: Detects disabling security tools`
Added some modifications to firewall disabling 2020-10-22 08:22:00 +00:00			`author: Ömer Günal, Alejandro Ortuno`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`date: 2020/06/17`
Create lnx_security_tools_disabling.yml 2020-07-12 22:32:24 +00:00			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md`
Added some modifications to firewall disabling 2020-10-22 08:22:00 +00:00			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md`
Create lnx_security_tools_disabling.yml 2020-07-12 22:32:24 +00:00			`logsource:`
added the category 2020-10-28 08:56:01 +00:00			`category: process_creation`
Create lnx_security_tools_disabling.yml 2020-07-12 22:32:24 +00:00			`product: linux`
			`detection:`
			`keywords:`
			`- Command\|contains:`
			`- 'service iptables stop'`
			`- 'chkconfig off iptables'`
			`- 'service ip6tables stop'`
			`- 'chkconfig off ip6tables'`
Added some modifications to firewall disabling 2020-10-22 08:22:00 +00:00			`- 'systemctl stop firewalld'`
			`- 'systemctl disable firewalld'`
Create lnx_security_tools_disabling.yml 2020-07-12 22:32:24 +00:00			`- CarbonBlack\|contains:`
			`- 'service cbdaemon stop'`
			`- 'chkconfig off cbdaemon'`
			`- 'systemctl stop cbdaemon'`
			`- 'systemctl disable cbdaemon'`
			`- SELinux:`
			`- 'setenforce 0'`
			`- Crowdstrike\|contains:`
			`- 'systemctl stop falcon-sensor.service'`
			`- 'systemctl disable falcon-sensor.service'`
			`condition: keywords`
			`falsepositives:`
			`- Legitimate administration activities`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`level: medium`
			`tags:`
Added some modifications to firewall disabling 2020-10-22 08:22:00 +00:00			`- attack.defense_evasion`
			`- attack.t1562.004`
			`- attack.t1089`