valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d0bb6e9e81
SigmaHQ/rules/linux/lnx_security_tools_disabling.yml
Mike Wade 52ab677798 Fixed my git issue
2020-09-13 22:03:04 -06:00

34 lines
1.0 KiB
YAML
Raw Blame History

title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: experimental
description: Detects disabling security tools
author: Ömer Günal
date: 2020/06/17
references:
- https://attack.mitre.org/techniques/T1089/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
logsource:
product: linux
detection:
keywords:
- Command|contains:
- 'service iptables stop'
- 'chkconfig off iptables'
- 'service ip6tables stop'
- 'chkconfig off ip6tables'
- CarbonBlack|contains:
- 'service cbdaemon stop'
- 'chkconfig off cbdaemon'
- 'systemctl stop cbdaemon'
- 'systemctl disable cbdaemon'
- SELinux:
- 'setenforce 0'
- Crowdstrike|contains:
- 'systemctl stop falcon-sensor.service'
- 'systemctl disable falcon-sensor.service'
condition: keywords
falsepositives:
- Legitimate administration activities
level: medium
tags:
- attack.defense_evasion
Reference in New Issue View Git Blame Copy Permalink