valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
201708c097
SigmaHQ/rules/linux/lnx_security_tools_disabling_syslog.yml

30 lines
846 B
YAML
Raw Blame History

title: Disabling Security Tools
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
related:
- id: e3a8a052-111f-4606-9aee-f28ebeb76776
type: derived
status: experimental
description: Detects disabling security tools
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020/06/17
modified: 2021/09/14
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
tags:
- attack.defense_evasion
- attack.t1562.004
- attack.t1089 # an old one
logsource:
product: linux
service: syslog
detection:
keywords:
- '*stopping iptables*'
- '*stopping ip6tables*'
- '*stopping firewalld*'
- '*stopping cbdaemon*'
- '*stopping falcon-sensor*'
condition: keywords
falsepositives:
- Legitimate administration activities
level: medium
Reference in New Issue View Git Blame Copy Permalink