Adversaries may attempt to force stop the Ubuntu Firewall (UFW) using ufw-init to disable network filtering and gain unauthorized access to network resources. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential attempts to bypass firewall controls and disrupt network security posture.
Detection Rule
title: Ufw Force Stop Using Ufw-Init
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: test
description: Detects attempts to force stop the ufw using ufw-init
references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
tags:
- attack.defense-evasion
- attack.t1562.004
logsource:
product: linux
category: process_creation
detection:
selection_init:
CommandLine|contains|all:
- '-ufw-init'
- 'force-stop'
selection_ufw:
CommandLine|contains|all:
- 'ufw'
- 'disable'
condition: 1 of selection_*
falsepositives:
- Network administrators
level: medium
imProcessCreate
| where (TargetProcessCommandLine contains "-ufw-init" and TargetProcessCommandLine contains "force-stop") or (TargetProcessCommandLine contains "ufw" and TargetProcessCommandLine contains "disable")Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a maintenance script that temporarily stops UFW to perform system updates.
Filter/Exclusion: process.name != "ufw-init" OR process.parent.name == "systemd" AND process.command_line contains "maintenance"
Scenario: Admin Task to Reset Firewall Rules
Description: An admin manually stops UFW via ufw-init to reset firewall rules during a security audit or configuration change.
Filter/Exclusion: user.name == "root" AND process.command_line contains "reset" OR process.command_line contains "reload"
Scenario: Automated Security Tool Integration
Description: A third-party security tool (e.g., CrowdStrike, Palo Alto Prisma Access) uses ufw-init to temporarily disable UFW during a scan or assessment.
Filter/Exclusion: process.name contains "crowdstrike" OR process.name contains "prisma" OR process.parent.name == "security-tool"
Scenario: Live Migration or VM Snapshot
Description: During a live migration or VM snapshot, the hypervisor or management tool may stop UFW to ensure network state consistency.
Filter/Exclusion: process.name contains "virsh" OR process.name contains "virt-manager" OR process.parent.name == "libvirt"
Scenario: UFW Service Restart via Systemd
Description: The system’s systemd service manager restarts the UFW service, which may trigger the ufw-init process as part of the restart.
Filter/Exclusion: process.parent.name == "systemd" AND process.command_line contains "restart" OR process.command_line contains "reload"