Adversaries may flush iptables and UFW chains to disable host firewall rules, and the logging that would record their traffic, in order to gain unrestricted network access (ATT&CK T1562.004, Disable or Modify System Firewall). The rule below fires on iptables/ip6tables invocations that flush (-F), zero counters on (-Z) or delete (-X) chains and that name one of UFW's logging chains; a bare `iptables -F` with no UFW chain name on the command line does not match it. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify defense evasion ahead of network pivoting or lateral movement.
Detection Rule
```yaml
title: Flush Iptables Ufw Chain
id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
status: test
description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '/iptables'
            - '/xtables-legacy-multi'
            - '/iptables-legacy-multi'
            - '/ip6tables'
            - '/ip6tables-legacy-multi'
    selection_params:
        CommandLine|contains:
            - '-F'
            - '-Z'
            - '-X'
    selection_ufw:
        CommandLine|contains:
            - 'ufw-logging-deny'
            - 'ufw-logging-allow'
            - 'ufw6-logging-deny'
            - 'ufw6-logging-allow'
            # - 'ufw-reject-output'
            # - 'ufw-track-input'
    condition: all of selection_*
falsepositives:
    - Network administrators
level: medium
```
Equivalent Azure Sentinel query over the ASIM process-creation parser imProcessCreate:

```kusto
imProcessCreate
| where TargetProcessName endswith "/iptables"
    or TargetProcessName endswith "/xtables-legacy-multi"
    or TargetProcessName endswith "/iptables-legacy-multi"
    or TargetProcessName endswith "/ip6tables"
    or TargetProcessName endswith "/ip6tables-legacy-multi"
| where TargetProcessCommandLine contains "-F"
    or TargetProcessCommandLine contains "-Z"
    or TargetProcessCommandLine contains "-X"
| where TargetProcessCommandLine contains "ufw-logging-deny"
    or TargetProcessCommandLine contains "ufw-logging-allow"
    or TargetProcessCommandLine contains "ufw6-logging-deny"
    or TargetProcessCommandLine contains "ufw6-logging-allow"
```

KQL's `contains` and `endswith` are case-insensitive, as are Sigma's default modifiers, so `-f`, `-z` and `-x` also satisfy the flag clause: `iptables -L -v -x ufw-logging-deny`, a harmless listing with `--exact`, matches. Switching to `contains_cs` tightens this, since iptables flags are case-sensitive, but the long forms `--flush` and `--zero`, which only match through the lowercase substrings `-f` and `-z`, are then missed; `--delete-chain` is matched by neither variant.
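To make the rule's behaviour concrete, here is an added example, not code from the original page or from the Sigma project, that re-implements the three selections in Python and runs them over constructed process-creation records. It also shows the parent-command-line exclusion that the false-positive scenarios below rely on. The maintenance script name, the sample command lines and the parent command lines are assumptions made up for the example; /usr/sbin/ufw is the ufw front-end path on Debian/Ubuntu.

```python
"""Added example (not from the original page or the Sigma project): the three
selections of the "Flush Iptables Ufw Chain" rule re-implemented and run over
constructed process_creation records, to show what fires, what is missed, and
how an exclusion keyed on the parent process suppresses known automation.
Sigma's endswith/contains modifiers are case-insensitive by default; the
case_sensitive_flags switch shows what changes with contains_cs in KQL."""
from dataclasses import dataclass

# Values copied from the rule's selection_img / selection_params / selection_ufw.
IMAGES = ("/iptables", "/xtables-legacy-multi", "/iptables-legacy-multi",
          "/ip6tables", "/ip6tables-legacy-multi")
FLAGS = ("-F", "-Z", "-X")            # flush, zero counters, delete chain
UFW_CHAINS = ("ufw-logging-deny", "ufw-logging-allow",
              "ufw6-logging-deny", "ufw6-logging-allow")

# Hypothetical allow-list of parent command lines for known automation. The
# maintenance script name is made up; /usr/sbin/ufw is the real ufw front-end.
KNOWN_AUTOMATION_PARENTS = ("firewall-maintenance.sh", "/usr/sbin/ufw")


@dataclass
class ProcEvent:
    """Minimal stand-in for a process_creation record (constructed, not real telemetry)."""
    image: str
    command_line: str
    parent_command_line: str = ""


def _endswith_ci(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value, needles, case_sensitive=False):
    if case_sensitive:
        return any(n in value for n in needles)
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_rule(ev, case_sensitive_flags=False):
    """condition: all of selection_* (image AND flag AND UFW chain name)."""
    return (_endswith_ci(ev.image, IMAGES)
            and _contains(ev.command_line, FLAGS, case_sensitive_flags)
            and _contains(ev.command_line, UFW_CHAINS))


def is_known_automation(ev):
    """The matched process is iptables itself, so the exclusion must look at the parent."""
    return any(p in ev.parent_command_line for p in KNOWN_AUTOMATION_PARENTS)


def triage(events, case_sensitive_flags=False):
    """Return (command_line, verdict) pairs; verdict is 'alert', 'suppressed' or 'no-match'."""
    out = []
    for ev in events:
        if not matches_rule(ev, case_sensitive_flags):
            verdict = "no-match"
        elif is_known_automation(ev):
            verdict = "suppressed"
        else:
            verdict = "alert"
        out.append((ev.command_line, verdict))
    return out


# Constructed sample events; parent command lines are illustrative.
SAMPLE_EVENTS = [
    # Flushing a UFW logging chain from an interactive shell: the case the rule targets.
    ProcEvent("/usr/sbin/iptables", "iptables -F ufw-logging-deny", "-bash"),
    # Same flush via the long option: caught only because "--flush" contains "-f" case-insensitively.
    ProcEvent("/usr/sbin/iptables", "iptables --flush ufw-logging-deny", "-bash"),
    # Bare flush of everything: no UFW chain name on the command line, so the rule does NOT fire.
    ProcEvent("/usr/sbin/iptables", "iptables -F", "-bash"),
    # Listing a chain: no flush/zero/delete flag, no match.
    ProcEvent("/usr/sbin/iptables", "iptables -L ufw-logging-deny -n", "-bash"),
    # Listing with --exact (-x): case-insensitive matching reads -x as -X, a benign hit.
    ProcEvent("/usr/sbin/iptables", "iptables -L -v -x ufw-logging-deny", "-bash"),
    # Long form of -X is not in the flag list at all: a gap in the rule.
    ProcEvent("/usr/sbin/iptables", "iptables --delete-chain ufw-logging-allow", "-bash"),
    # IPv6 counter reset on a UFW chain, caught through the ip6tables image entry.
    ProcEvent("/usr/sbin/ip6tables", "ip6tables -Z ufw6-logging-allow", "-bash"),
    # ufw tearing down its own chains (parent is the ufw front-end): suppressed by the allow-list.
    ProcEvent("/usr/sbin/iptables", "iptables -X ufw-logging-allow",
              "/usr/bin/python3 /usr/sbin/ufw disable"),
]

if __name__ == "__main__":
    for cmd, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:10s} {cmd}")
```

Running it prints one verdict per record. The two long-option records show that case-insensitive matching catches `--flush` but that `--delete-chain` is outside the rule entirely, and the `-x` listing shows the benign hit; calling `triage(SAMPLE_EVENTS, case_sensitive_flags=True)` removes the `-x` hit at the cost of `--flush`.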
Scenario: Scheduled firewall maintenance task
Description: A system administrator runs a scheduled job to reset the firewall rules during a routine maintenance window.
Filter/Exclusion: The event the rule selects is the iptables process itself, so key the exclusion on its parent: check for the known maintenance script in the parent command line, e.g., process.parent.name = "bash" AND process.parent.args contains "firewall-maintenance.sh" (the script name is illustrative), and corroborate the run against the cron CMD entry for that script in /var/log/syslog (grep 'firewall-maintenance.sh' /var/log/syslog). Scope the exclusion to the full script path and the maintenance window; a filter on process.owner = "root" alone excludes nothing useful, since the malicious flush runs as root too.
Scenario: UFW (Uncomplicated Firewall) reset command
Description: An admin uses the ufw reset command to clear all UFW rules, which internally triggers an iptables flush.
Filter/Exclusion: The iptables/ip6tables processes that ufw spawns have ufw as their parent, not as their own name, so process.name = "ufw" never matches the event the rule selects. On Debian/Ubuntu the front-end is a Python script at /usr/sbin/ufw, and depending on the sensor the parent shows up as ufw (the kernel's comm, from the script basename) or as python3 (argv[0]); matching the parent command line on "/usr/sbin/ufw" covers both, e.g., process.parent.command_line contains "/usr/sbin/ufw". Keep ufw reset and ufw disable from accounts that should not run them in view; the exclusion removes the tool, not the intent.
Scenario: Automated security policy update
Description: A security automation tool or configuration management system (e.g., Ansible, Puppet) updates firewall rules by flushing and reapplying them.
Filter/Exclusion: Filter by the parent of the iptables process. Note that Ansible executes its modules on the target as a python process running the AnsiballZ wrapper out of a temporary directory under ~/.ansible/tmp/, so process.parent.name = "ansible" rarely matches; a parent command line containing ".ansible/tmp/" is the more reliable key. Puppet is a Ruby program, so match the agent path in the parent command line in the same way rather than relying on process.parent.name = "puppet". Pair either exclusion with the account the automation is expected to run as.
Scenario: Live migration or virtualization event
Description: During a live migration or virtual machine snapshot, the hypervisor or management tool may temporarily flush firewall rules to reconfigure network interfaces.
Filter/Exclusion: Check for hypervisor management processes as the parent of the iptables event, such as process.parent.name = "virsh" OR process.parent.name = "libvirtd" (libvirtd itself maintains iptables rules for its NAT networks), or correlate with the migration or snapshot events in the virtualization logs.
Scenario: Network interface