T1562.007: Disable or Modify Cloud Firewall
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
vk_cloud: PT-CR-2098: VK_Cloud_Security_Group_Rule_Operation: A user who is not on the allowed users list performed an operation with security group rules, which may indicate an attacker's attempt to change the network configuration.
vk_cloud: PT-CR-2099: VK_Cloud_Insecure_Address_Pairs_Assign: Outbound traffic from a port was allowed with the mask "0.0.0.0/0", which can be used to bypass all rules with source IP address restrictions on every port that uses the same security group. This may indicate an attacker's attempt to change the network configuration.
vk_cloud: PT-CR-2097: VK_Cloud_Port_Security_Disabled: The use of security groups was disabled for a port, which may indicate an attacker's attempt to change the network configuration.
vk_cloud: PT-CR-2104: VK_Cloud_Port_Security_Group_Operation: Operations with port security groups that may indicate an attacker's attempt to change the network configuration.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0018 | Firewall: Firewall Disable | Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
| DS0018 | Firewall: Firewall Rule Modification | Monitor cloud logs for modification or creation of new security groups or firewall rules. |
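The Firewall Rule Modification row says to monitor cloud logs for security-group changes. The following is an added example, not part of the ATT&CK page or the Positive Technologies rule set, of what such monitoring looks like over AWS CloudTrail-style events: it flags rule operations by principals outside an allow-list (the condition PT-CR-2098 describes) and ingress rules that open a group to 0.0.0.0/0 or ::/0 (the "any TCP/IP connectivity" case the technique description names). The event names and JSON field layout follow CloudTrail's real schema; the sample events, account number and the NetworkAdmin allow-list are constructed for illustration.

```python
"""Flag suspicious security-group rule changes in CloudTrail-style events.

Added example for this page; not part of ATT&CK or the PT-CR rules. Field
names follow AWS CloudTrail's schema; the sample events and the allow-list
are constructed for illustration.
"""
import ipaddress
import json

# CloudTrail event names that create, modify or remove security-group rules.
RULE_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules",
}

# Hypothetical allow-list: the only principal expected to edit firewall rules.
EXPECTED_ACTORS = {"arn:aws:iam::111122223333:role/NetworkAdmin"}


def actor_of(event):
    """Resolve the acting principal. For assumed-role sessions use the issuing
    role ARN so the allow-list can be expressed in roles, not session names."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "<unknown>")


def world_open_ranges(request_params):
    """Return (protocol, cidr) pairs whose CIDR admits every source address."""
    hits = []
    for perm in request_params.get("ipPermissions", {}).get("items", []):
        proto = str(perm.get("ipProtocol", "?"))
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in filter(None, cidrs):
            # A /0 prefix in either family means "any source"; 0.0.0.0/0 is
            # the case the technique description calls out.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                hits.append((proto, cidr))
    return hits


def analyze_event(event):
    """Return a finding for a suspicious rule change, or None if benign/unrelated."""
    name = event.get("eventName")
    if name not in RULE_CHANGE_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    actor = actor_of(event)
    reasons = []
    if actor not in EXPECTED_ACTORS:
        reasons.append("actor not on allow-list")
    if name.startswith("Authorize"):
        for proto, cidr in world_open_ranges(params):
            label = "all protocols" if proto == "-1" else proto
            reasons.append(f"rule opens {label} to {cidr}")
    if not reasons:
        return None
    return {"eventName": name, "actor": actor,
            "groupId": params.get("groupId"), "reasons": reasons}


def analyze_events(events):
    """Run analyze_event over a batch and keep only the findings."""
    return [f for f in map(analyze_event, events) if f]


# Constructed sample events (abbreviated CloudTrail records).
NET_ADMIN = {"type": "AssumedRole",
             "arn": "arn:aws:sts::111122223333:assumed-role/NetworkAdmin/alice",
             "sessionContext": {"sessionIssuer": {
                 "arn": "arn:aws:iam::111122223333:role/NetworkAdmin"}}}
CONTRACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"}

SAMPLE_EVENTS = [
    # Expected admin opens HTTPS to a known office range: benign.
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": NET_ADMIN,
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}]}}},
    # Unexpected user opens every protocol to the world: two reasons.
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": CONTRACTOR,
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    # Expected admin, but SSH is opened to all IPv6 sources: one reason.
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": NET_ADMIN,
     "requestParameters": {"groupId": "sg-9f8e7d6c", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
    # Read-only call by the unexpected user: not a rule change, ignored.
    {"eventName": "DescribeSecurityGroups", "userIdentity": CONTRACTOR,
     "requestParameters": {}},
]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Resolving the actor through sessionIssuer matters in practice: most console and CLI activity arrives as an assumed-role session, and an allow-list keyed on the session ARN would never match. Egress rules are not checked for world-open ranges because 0.0.0.0/0 egress is a common default; tighten that branch if your baseline forbids it.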
Mitigation
| ID | Name | Description |
|---|---|---|
| M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls. |
| M1018 | User Account Management | Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies. |
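M1047 asks for routine checks of who can modify cloud firewalls, and M1018 for least privilege in IAM policies. As an added example, not from the ATT&CK page or any vendor product, the following Python evaluates the AWS IAM policy documents attached to each principal and reports those outside an expected set that can call the EC2 security-group actions. The action names are real EC2 API actions; the policy documents, principal ARNs, account number and expected set are constructed. The evaluation is deliberately simplified: an explicit Deny beats Allow, while Condition blocks, NotAction and Resource scoping are ignored, so it over-reports rather than misses a grant.

```python
"""Audit which IAM principals can change EC2 security-group rules.

Added example for this page; not part of ATT&CK or any vendor product. The
EC2 action names are real; every policy, ARN and the expected set below are
constructed. Evaluation is simplified (see effective_firewall_actions).
"""
import fnmatch

# EC2 API actions that create, change or remove security groups and rules.
FIREWALL_ACTIONS = [
    "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
    "ec2:ModifySecurityGroupRules",
    "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
]


def _as_list(value):
    """IAM accepts a string or a list for Statement and Action; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_firewall_actions(policy_documents):
    """Firewall actions permitted by the union of a principal's policies.

    Simplified IAM semantics: an explicit Deny on an action wins over any
    Allow; Condition blocks, NotAction and Resource scoping are ignored, so
    the result errs toward reporting too much, never too little.
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            for action in FIREWALL_ACTIONS:
                if any(_action_matches(p, action) for p in patterns):
                    bucket.add(action)
    return sorted(allowed - denied)


def audit_firewall_permissions(principal_policies, expected_principals):
    """Map each principal outside expected_principals to the firewall actions
    it can call. principal_policies: {principal_arn: [policy_document, ...]}."""
    findings = {}
    for principal, docs in principal_policies.items():
        actions = effective_firewall_actions(docs)
        if actions and principal not in expected_principals:
            findings[principal] = actions
    return findings


# Constructed inventory of principals and their attached policy documents.
SAMPLE_POLICIES = {
    # Expected network team role: broad security-group rights, fine.
    "arn:aws:iam::111122223333:role/NetworkAdmin": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["ec2:*SecurityGroup*", "ec2:Describe*"],
             "Resource": "*"}]}],
    # Developers: read and launch only, no firewall actions.
    "arn:aws:iam::111122223333:role/Developer": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"],
             "Resource": "*"}]}],
    # Broad ec2:* grant fenced off by an explicit Deny on security groups.
    "arn:aws:iam::111122223333:role/DataEngineer": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Action": "ec2:*SecurityGroup*", "Resource": "*"}]}],
    # Legacy user with a full wildcard: the finding the audit should surface.
    "arn:aws:iam::111122223333:user/legacy-ops": [
        {"Version": "2012-10-17",
         "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}],
}
EXPECTED_PRINCIPALS = {"arn:aws:iam::111122223333:role/NetworkAdmin"}

if __name__ == "__main__":
    report = audit_firewall_permissions(SAMPLE_POLICIES, EXPECTED_PRINCIPALS)
    for principal, actions in report.items():
        print(f"{principal} can call: {', '.join(actions)}")
```

In a live account the policy documents would come from the IAM API (inline and attached policies for each user, group and role); the comparison logic stays the same. The DataEngineer case shows why an audit must evaluate Deny statements across all of a principal's documents together rather than one document at a time.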