Iptables configuration command was executed

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Severity

Informational

Description

The iptables process was executed with a command to add or delete rules on the host.

Attacker's Goals

Adding or deleting system firewalls rules to avoid possible detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.

Variations

Rare iptables port forward command was executed

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Severity

Low

Description

An iptables command was executed to perform port forward, This command is unpopular.

Attacker's Goals

Adding or deleting system firewalls rules to avoid possible detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.


Uncommon iptables port forward command was executed on the host

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Severity

Informational

Description

An iptables command was executed to perform port forward, This command is uncommon for the host.

Attacker's Goals

Adding or deleting system firewalls rules to avoid possible detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.


Rare iptables delete command was executed

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Severity

Low

Description

An iptables command was executed to delete rule, This command is unpopular.

Attacker's Goals

Adding or deleting system firewalls rules to avoid possible detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.


A rare iptables delete command was executed on the host

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Severity

Informational

Description

An iptables command was executed to delete rule, This command is uncommon for the host.

Attacker's Goals

Adding or deleting system firewalls rules to avoid possible detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.


A rare iptables flush all command was executed

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Severity

Low

Description

An iptables command was executed to flush all rules, This command is unpopular.

Attacker's Goals

Adding or deleting system firewalls rules to avoid possible detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.


A rare iptables flush command was executed

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Severity

Low

Description

An iptables command was executed to flush all rules, This command is unpopular.

Attacker's Goals

Adding or deleting system firewalls rules to avoid possible detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.


A rare iptables flush command was executed on the host

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Severity

Informational

Description

An iptables command was executed to flush rules, This command is uncommon for the host.

Attacker's Goals

Adding or deleting system firewalls rules to avoid possible detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.