T1562.004: Disable or Modify System Firewall
| View on MITRE ATT&CK | T1562.004 |
|---|---|
| Tactic(s) | Defense Evasion |
| Associated CAPEC Patterns | Disable Security Software (CAPEC-578) |
Data from MITRE ATT&CK®:
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. Non-Standard Port).(Citation: change_rdp_port_conti)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Restrict Registry Permissions
Restrict the ability to modify certain hives or keys in the Windows Registry.
How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Firewall Disable (Firewall)
Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)
Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)
Firewall Rule Modification (Firewall)
Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
ESXi - Disable Firewall via Esxcli
LockBit Black - Unusual Windows firewall registry modification -cmd
Disable iptables
Stop/Start UFW firewall systemctl
Add and delete Packet Filter rules
Turn off UFW logging
Set a firewall rule using New-NetFirewallRule
Disable Microsoft Defender Firewall
Edit UFW firewall ufw.conf file
Modify/delete iptables firewall rules
Allow SMB and RDP on Microsoft Defender Firewall
Edit UFW firewall sysctl.conf file
Stop/Start Packet Filter
Edit UFW firewall user.rules file
Open a local port through Windows Firewall to any profile
Opening ports for proxy - HARDRAIN
Stop/Start UFW firewall
Disable Microsoft Defender Firewall via Registry
Tail the UFW firewall log file
LockBit Black - Unusual Windows firewall registry modification -Powershell
Allow Executable Through Firewall Located in Non-Standard Location
Add and delete UFW firewall rules
Edit UFW firewall main configuration file
Blackbit - Disable Windows Firewall using netsh firewall
Sigma Detections for this Technique
Disable System Firewall
All Rules Have Been Deleted From The Windows Firewall Configuration
A Rule Has Been Deleted From The Windows Firewall Exception List
The Windows Defender Firewall Service Failed To Load Group Policy
RDP Connection Allowed Via Netsh.EXE
Firewall Disabled via Netsh.EXE
Firewall Rule Deleted Via Netsh.EXE
Modify System Firewall
Disable Windows Firewall by Registry
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Disabling Security Tools - Builtin
Ufw Force Stop Using Ufw-Init
Bpfdoor TCP Ports Redirect
Flush Iptables Ufw Chain
Azure Firewall Modified or Deleted
Azure Firewall Rule Collection Modified or Deleted
New Firewall Rule Added Via Netsh.EXE
Netsh Allow Group Policy on Microsoft Defender Firewall
Windows Firewall Settings Have Been Changed
Disable Microsoft Defender Firewall via Registry
Windows Firewall Profile Disabled
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Windows Defender Firewall Has Been Reset To Its Default Configuration
Uncommon New Firewall Rule Added In Windows Firewall Exception List
Disabling Security Tools
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.