EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Linux Iptables Firewall Modification

The following analytic detects suspicious command-line activity that modifies the iptables firewall settings on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command patterns that alter firewall rules to accept traffic on certain TCP ports. This activity is significant as it can indicate malware, such as CyclopsBlink, modifying firewall settings to allow communication with a Command and Control (C2) server. If confirmed malicious, this could enable attackers to maintain persistent access and exfiltrate data, posing a severe security risk.

MITRE ATT&CK

T1562.004

Detection Query

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes where

Processes.process = "*iptables *"
Processes.process = "* --dport *"
Processes.process = "* ACCEPT*"
Processes.process = "*&>/dev/null*"
Processes.process = "* tcp *"
NOT Processes.parent_process_path IN("/bin/*", "/lib/*", "/usr/bin/*", "/sbin/*")

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process
   Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name Processes.process_path
   Processes.user Processes.user_id Processes.vendor_product

| rex field=Processes.process "--dport (?<port>3269|636|989|994|995|8443)"
| stats values(Processes.process) as processes_exec
        values(port) as ports
        values(Processes.process_guid) as guids
        values(Processes.process_id) as pids
        dc(port) as port_count
        count by Processes.process_name Processes.parent_process_name
                 Processes.parent_process_id Processes.dest Processes.user
                 Processes.parent_process_path Processes.process_path
| where port_count >=3
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_iptables_firewall_modification_filter`

Author

Teoderick Contreras, Splunk

Created

2026-03-10

Data Sources

Sysmon for Linux EventID 1

References

Tags

China-Nexus Threat ActivityBackdoor PingpongCyclops BlinkSandworm Tools
Raw Content
name: Linux Iptables Firewall Modification
id: 309d59dc-1e1b-49b2-9800-7cf18d12f7b7
version: 13
date: '2026-03-10'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic detects suspicious command-line activity that modifies the iptables firewall settings on a Linux machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command patterns that alter firewall rules to accept traffic on certain TCP ports. This activity is significant as it can indicate malware, such as CyclopsBlink, modifying firewall settings to allow communication with a Command and Control (C2) server. If confirmed malicious, this could enable attackers to maintain persistent access and exfiltrate data, posing a severe security risk.
data_source:
    - Sysmon for Linux EventID 1
search: |-
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes where

    Processes.process = "*iptables *"
    Processes.process = "* --dport *"
    Processes.process = "* ACCEPT*"
    Processes.process = "*&amp;&gt;/dev/null*"
    Processes.process = "* tcp *"
    NOT Processes.parent_process_path IN("/bin/*", "/lib/*", "/usr/bin/*", "/sbin/*")

    by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
       Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path Processes.process
       Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
       Processes.process_integrity_level Processes.process_name Processes.process_path
       Processes.user Processes.user_id Processes.vendor_product

    | rex field=Processes.process "--dport (?<port>3269|636|989|994|995|8443)"
    | stats values(Processes.process) as processes_exec
            values(port) as ports
            values(Processes.process_guid) as guids
            values(Processes.process_id) as pids
            dc(port) as port_count
            count by Processes.process_name Processes.parent_process_name
                     Processes.parent_process_id Processes.dest Processes.user
                     Processes.parent_process_path Processes.process_path
    | where port_count >=3
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `linux_iptables_firewall_modification_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: administrator may do this commandline for auditing and testing purposes. In this scenario filter is needed.
references:
    - https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
    - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A process name - $process_name$ that may modify iptables firewall on $dest$
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - China-Nexus Threat Activity
        - Backdoor Pingpong
        - Cyclops Blink
        - Sandworm Tools
    asset_type: Endpoint
    mitre_attack_id:
        - T1562.004
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log
          source: Syslog:Linux-Sysmon/Operational
          sourcetype: sysmon:linux