T1562.004: Disable or Modify System Firewall
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes range from disabling the entire mechanism to adding, deleting, or modifying particular rules. This can be done in numerous ways depending on the operating system, including via the command line, by editing Windows Registry keys, and through the Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) on a non-traditional and potentially less secured port (i.e. Non-Standard Port).
Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds. Settings related to enabling abuse of various Remote Services may also indirectly modify firewall rules.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- remote_work: PT-CR-435: Windows_Firewall_Enable_Local_RDP: Remote access to the system via RDP was enabled
- mitre_attck_defense_evasion: PT-CR-1861: Firewall_Modify: Attempt to change the Windows firewall configuration
- web_servers_abnormal_activity: PT-CR-1972: Web_Servers_Abnormal_Activity_Defense_Evasion: An attacker can change logging parameters to hide their activity and firewall rules to advance through the network
- unix_mitre_attck_defense_evasion: PT-CR-1657: Unix_Firewall_Disable_Config_Modify: Firewall was disabled or its configuration was changed
- security_code_secret_net_lsp: PT-CR-1904: SecretNet_LSP_FW_Rule_Without_Audit_Created: A Secret Net LSP firewall rule without audit logging was created, or audit logging was disabled in a rule
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0018 | Firewall: Firewall Disable | Monitor for changes in the status of the system firewall, such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
| DS0018 | Firewall: Firewall Rule Modification | Monitor for changes made to firewall rules that might allow remote communication over protocols such as SMB and RDP. Modification of firewall rules might also involve opening local ports and services for different network profiles such as public and domain. |
| DS0024 | Windows Registry: Windows Registry Key Modification | Monitor for changes made to Windows Registry keys and/or values that adversaries might use to disable or modify System Firewall settings, such as |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments associated with disabling or modifying system firewalls, such as |
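A small detection routine for the guidance above, added here as an example and not part of the technique page or of any Positive Technologies product: it flags the two Windows Security Auditing events the table names (5025, 5034) and, on process-creation events (4688), command lines that disable a firewall profile, enable the Remote Desktop rule group, or add an inbound allow rule via the built-in netsh advfirewall tool. The command-line patterns and the sample records are this example's own assumptions and constructed data.

```python
import re

# Windows Security Auditing event IDs named in the detection guidance.
FIREWALL_SERVICE_STOPPED = 5025  # The Windows firewall service has been stopped
FIREWALL_DRIVER_STOPPED = 5034   # The Windows firewall driver was stopped
PROCESS_CREATED = 4688           # process creation; the event carries the command line

# netsh advfirewall is the built-in Windows firewall CLI. Which command shapes to
# alert on is this example's assumption, not something the technique page lists.
NETSH = r"netsh(?:\.exe)?\s+advfirewall\s+"
COMMAND_RULES = {
    # a whole profile (allprofiles, currentprofile, domainprofile, ...) switched off
    "firewall_profile_disabled": re.compile(NETSH + r"set\s+\w*profiles?\s+state\s+off", re.I),
    # the built-in Remote Desktop rule group enabled
    "rdp_rule_group_enabled": re.compile(
        NETSH + r'firewall\s+set\s+rule\s+group="?remote\s+desktop"?\s+new\s+enable=yes', re.I),
    # any new inbound allow rule, e.g. a well-known service moved to a non-standard port
    "inbound_allow_rule_added": re.compile(
        NETSH + r"firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b)", re.I),
}

def classify_event(event):
    """Return the alert labels that one normalised event dict triggers ([] if none)."""
    eid = event["event_id"]
    if eid == FIREWALL_SERVICE_STOPPED:
        return ["firewall_service_stopped"]
    if eid == FIREWALL_DRIVER_STOPPED:
        return ["firewall_driver_stopped"]
    if eid == PROCESS_CREATED:
        cmd = event.get("command_line", "")
        return [name for name, rx in COMMAND_RULES.items() if rx.search(cmd)]
    return []

def scan(events):
    """Run every event through classify_event and return (record, label) pairs."""
    return [(e["record"], label) for e in events for label in classify_event(e)]

# Constructed sample records (not real telemetry), already normalised to dicts.
SAMPLE_EVENTS = [
    {"record": 1, "event_id": 4688, "command_line": r"C:\Windows\System32\netsh.exe advfirewall set allprofiles state off"},
    {"record": 2, "event_id": 5025},
    {"record": 3, "event_id": 4688, "command_line": 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3390'},
    {"record": 4, "event_id": 4688, "command_line": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"record": 5, "event_id": 4688, "command_line": "netsh interface ip show config"},
    {"record": 6, "event_id": 5034},
]

if __name__ == "__main__":
    for record, label in scan(SAMPLE_EVENTS):
        print(f"record {record}: {label}")
```

Record 5 (a read-only netsh query) produces no alert, which is the kind of negative case worth keeping in a rule's test set so that every netsh invocation is not treated as tampering.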
Mitigation
| ID | Name | Description |
|---|---|---|
| M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |