title: Disabling Linux Firewall
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
description: Detects Linux firewall being disabled.
mitre:
   tactic: Defense Evasion
   technique: T1562
   subtechnique: 
operating_system: linux
query: (SrcProcName In Contains ("service","chkconfig") AND SrcProcCmdLine In Contains
  ("off","stop") AND SrcProcCmdLine ContainsCIS "tables") OR (TgtProcName = "systemctl"
  AND TgtProcCmdLine In Contains ("stop","disable") AND TgtProcCmdLine Contains "firewalld")
false_positives: 
tags: 
references: