Firewall

A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules[1]

ID: DS0018
Platforms: ESXi, IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.1
Created: 20 October 2021
Last Modified: 16 April 2025

Data Components

Firewall: Firewall Disable

The deactivation, misconfiguration, or complete stoppage of firewall services, either on a host or in a cloud control plane. Such activity may involve turning off firewalls, modifying rules to disable protection, or deleting firewall-related configurations and activity logs. Examples:

  • Disabling Host-Based Firewalls: Stopping the Windows Defender Firewall service or using iptables -F to flush all rules on a Linux system.
  • Cloud Firewall Modification or Deactivation: Modifying or deleting security group rules in AWS or disabling a network firewall in Azure.
  • Activity Log Deletion: Writing or deleting entries in Azure Firewall Activity Logs to hide unauthorized firewall changes.
  • Temporary Disable for Malicious Operations: Temporarily disabling a firewall to allow malicious files or traffic, then re-enabling it to avoid detection.
  • Using Command-Line Tools to Stop Firewalls: Running commands like Set-NetFirewallProfile -Enabled False on Windows or systemctl stop ufw on Linux.

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure Activity Logs:
    • Enable logging of administrative actions, such as stopping or modifying Azure Firewall configurations.
    • Use Azure Monitor to track specific firewall-related actions, including disabling or rule deletion.
  • AWS CloudTrail Logs:
    • Monitor RevokeSecurityGroupIngress or RevokeSecurityGroupEgress events to detect rule changes in AWS Security Groups.
  • Google Cloud Platform Logs:
    • Collect logs from the Firewall Rules resource in Google Cloud Operations Suite to detect rule deletions or modifications.

Host-Level Firewalls

  • Windows Firewall Event Logs:
    • Enable logging of firewall state changes:
      • Security Event ID 2004: Firewall service stopped.
      • Security Event ID 2005: Firewall service started.
    • Use Sysmon for process creation events tied to firewall commands or scripts (Sysmon Event ID 1).
  • Linux Firewall Logs: Use auditd to track commands like iptables, firewalld, or ufw: auditctl -a always,exit -F arch=b64 -S execve -k firewall_disable
  • macOS Firewall: Monitor changes to the macOS Application Firewall using the log show command.

Network-Level Monitoring

  • IDS/IPS Alerts: Deploy IDS/IPS systems to monitor abnormal traffic flows that could indicate firewall disablement.
  • NetFlow Data: Analyze NetFlow or packet capture data for traffic patterns inconsistent with firewall enforcement.

SIEM and CSPM Tools

  • SIEM Integration: Use tools like Splunk or QRadar to centralize and analyze firewall disablement events from both hosts and cloud platforms.
  • Cloud Security Posture Management (CSPM): Use CSPM solutions to monitor misconfigurations and track deactivation of critical cloud services like firewalls.

Detects

  • Enterprise T1562 Impair Defenses: Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).
    • T1562.004 Disable or Modify System Firewall: Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).
    • T1562.007 Disable or Modify Cloud Firewall: Monitor for changes in the status of the cloud firewall.
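The following is an added example, not part of the ATT&CK page or any vendor's code. It shows how the Firewall Disable indicators listed above can be turned into a single detection pass over three of the telemetry sources the page names: Windows Security Auditing events 5025 and 5034, Sysmon Event ID 1 process creation carrying a firewall-disable command line, and AWS CloudTrail RevokeSecurityGroupIngress/RevokeSecurityGroupEgress records. The record dictionaries are a simplified stand-in for what a SIEM forwards, not any vendor's exact schema, and all sample telemetry is constructed.

```python
"""Added example (not from the ATT&CK page): detect Firewall Disable activity
across Windows Security, Sysmon and AWS CloudTrail records. Record shapes are
simplified assumptions, not a vendor schema; sample data is constructed."""
import re

# Windows Security Auditing event IDs cited on the page for firewall state changes.
WINDOWS_FIREWALL_STOP_EVENTS = {
    5025: "The Windows firewall service has been stopped",
    5034: "The Windows firewall driver was stopped",
}

# Command lines that turn the host firewall off. Set-NetFirewallProfile comes
# from the page; netsh state-off and stopping the MpsSvc service are common
# equivalents. Matched case-insensitively against Sysmon Event ID 1 CommandLine.
DISABLE_COMMAND_PATTERNS = [
    re.compile(r"set-netfirewallprofile\b.*-enabled\s+(\$?false|0)", re.I),
    re.compile(r"netsh\s+advfirewall\s+set\s+\S+\s+state\s+off", re.I),
    re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+mpssvc\b", re.I),
]

CLOUDTRAIL_REVOKE_EVENTS = {"RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}


def check_windows_security(event):
    """Flag Security-log events whose ID means the firewall service/driver stopped."""
    eid = int(event.get("EventID", 0))
    if eid in WINDOWS_FIREWALL_STOP_EVENTS:
        return f"windows-security:{eid} on {event.get('Computer')}: {WINDOWS_FIREWALL_STOP_EVENTS[eid]}"
    return None


def check_sysmon_process(event):
    """Flag Sysmon Event ID 1 records whose command line disables the firewall."""
    if int(event.get("EventID", 0)) != 1:
        return None
    cmd = event.get("CommandLine", "")
    for pattern in DISABLE_COMMAND_PATTERNS:
        if pattern.search(cmd):
            return f"sysmon:1 on {event.get('Computer')} by {event.get('User')}: {cmd}"
    return None


def check_cloudtrail(record):
    """Flag CloudTrail records that remove Security Group rules."""
    name = record.get("eventName")
    if name in CLOUDTRAIL_REVOKE_EVENTS:
        actor = record.get("userIdentity", {}).get("arn", "unknown")
        group = record.get("requestParameters", {}).get("groupId", "?")
        return f"cloudtrail:{name} on {group} by {actor}"
    return None


def detect_firewall_disable(records):
    """Dispatch each record to the check for its source; return all findings."""
    checks = {
        "windows-security": check_windows_security,
        "sysmon": check_sysmon_process,
        "cloudtrail": check_cloudtrail,
    }
    findings = []
    for rec in records:
        check = checks.get(rec.get("source"))
        hit = check(rec) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: three positives and three benign records.
SAMPLE_RECORDS = [
    {"source": "windows-security", "EventID": 5025, "Computer": "WS01"},
    {"source": "windows-security", "EventID": 4624, "Computer": "WS01"},  # logon, benign
    {"source": "sysmon", "EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "CommandLine": "powershell.exe -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"},
    {"source": "sysmon", "EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "CommandLine": "powershell.exe -c Get-NetFirewallProfile"},  # read-only, benign
    {"source": "cloudtrail", "eventName": "RevokeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"source": "cloudtrail", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}},
]

if __name__ == "__main__":
    for finding in detect_firewall_disable(SAMPLE_RECORDS):
        print(finding)
```

Run as-is it prints three findings: the 5025 event, the Set-NetFirewallProfile command and the RevokeSecurityGroupIngress call; the logon, the read-only Get-NetFirewallProfile and the DescribeSecurityGroups call are ignored. In production the Sysmon branch is the noisy one, so pair it with the parent-process and user fields before alerting.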

Firewall: Firewall Enumeration

Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples:

  • Querying Host-Based Firewalls: Using Windows PowerShell commands like Get-NetFirewallRule or Linux commands such as iptables -L or firewall-cmd --list-all.
  • Cloud Firewall Rule Listing: Running commands like az network firewall list for Azure or aws ec2 describe-security-groups for AWS.
  • Using Management APIs: Leveraging APIs like Google Cloud Firewall's list API method or AWS's DescribeSecurityGroups API.
  • Identifying Misconfigurations: Extracting firewall rules to identify "allow all" policies or rules that lack logging.
  • Enumerating with CLI Tools: Using CLI commands like gcloud compute firewall-rules list to extract firewall settings in Google Cloud.

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure Activity Logs: Collect logs from Azure Firewall to monitor rule listing commands. Enable logging for az network firewall commands.
  • AWS CloudTrail: Monitor calls to DescribeSecurityGroups or DescribeNetworkAcls APIs.
  • Google Cloud Operations Suite: Collect logs for gcloud compute firewall-rules list or API calls to firewalls.list.

Host-Based Firewalls

  • Windows Event Logs: Use PowerShell transcription logs to capture commands like Get-NetFirewallRule.
  • Linux Auditd: Track executions of commands like iptables -L or ufw status using auditd: auditctl -a always,exit -F arch=b64 -S execve -k firewall_enum
  • macOS: Monitor logs for firewall-related queries via the Console app or log monitoring tools.

SIEM Integration

  • Collect logs from endpoints and cloud platforms to centralize data and detect enumeration activity.

Endpoint Detection and Response (EDR)

  • Use EDR tools to track enumeration commands or API calls performed on managed devices.

CSPM Tools

  • Deploy Cloud Security Posture Management tools to monitor for unauthorized enumeration of firewall rules or configurations.

Detects

  • Enterprise T1518 Software Discovery: Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands).
    • T1518.001 Security Software Discovery: Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands).
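The auditctl rules quoted on this page for Linux (-S execve -k firewall_enum and -k firewall_disable) tag every execve syscall, not only firewall tooling, so the enumeration-versus-disable decision has to be made from the recorded argv after collection. The added example below (not part of the ATT&CK page) does that for both host data components: it joins auditd EXECVE and SYSCALL records by their audit serial, classifies the command as enumeration (iptables -L, ufw status, firewall-cmd --list-*) or disable (iptables -F, systemctl stop ufw), and separately pulls firewall-enumeration cmdlets such as Get-NetFirewallRule out of a PowerShell transcript. The auditd lines and transcript are constructed samples in the standard formats; the classification tables are this example's own assumptions.

```python
"""Added example (not from the ATT&CK page): classify Linux firewall commands
from auditd EXECVE/SYSCALL records and pull firewall-enumeration cmdlets out
of a PowerShell transcript. Samples below are constructed, not real logs."""
import re

AUDIT_ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')          # a0="iptables" a1="-L"
AUDIT_KEY_RE = re.compile(r'\bkey="([^"]*)"')               # key="firewall_enum"
AUDIT_ID_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')    # (timestamp:serial)
AUDIT_AUID_RE = re.compile(r"\bauid=(\d+)")

# systemd units whose stop/disable/mask means the host firewall goes away.
FIREWALL_UNITS = {"ufw", "firewalld", "nftables", "iptables", "netfilter-persistent"}
IPTABLES_BINARIES = {"iptables", "ip6tables", "iptables-legacy", "iptables-nft"}


def classify_argv(argv):
    """Return 'disable', 'enumerate' or None for one Linux command line (argv list)."""
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]      # strip any path prefix
    args = set(argv[1:])
    if prog in IPTABLES_BINARIES:
        if args & {"-F", "--flush", "-X", "--delete-chain"}:
            return "disable"
        if args & {"-L", "--list", "-S", "--list-rules"}:
            return "enumerate"
    elif prog in {"iptables-save", "ip6tables-save"}:
        return "enumerate"
    elif prog == "nft":
        if "flush" in args:
            return "disable"
        if "list" in args:
            return "enumerate"
    elif prog == "ufw":
        if args & {"disable", "reset"}:
            return "disable"
        if "status" in args:
            return "enumerate"
    elif prog == "firewall-cmd":
        if any(a.startswith("--list") or a.startswith("--get") for a in argv[1:]):
            return "enumerate"
    elif prog == "systemctl":
        if args & {"stop", "disable", "mask"} and any(a.split(".")[0] in FIREWALL_UNITS for a in argv[1:]):
            return "disable"
    return None


def parse_auditd(lines):
    """Join EXECVE and SYSCALL records sharing an audit serial; keep classified commands."""
    events = {}
    for line in lines:
        m = AUDIT_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"serial": m.group(2), "argv": [], "key": None, "auid": None})
        if line.startswith("type=EXECVE"):
            args = sorted(((int(i), v) for i, v in AUDIT_ARG_RE.findall(line)), key=lambda t: t[0])
            ev["argv"] = [v for _, v in args]
        elif line.startswith("type=SYSCALL"):
            k, a = AUDIT_KEY_RE.search(line), AUDIT_AUID_RE.search(line)
            ev["key"] = k.group(1) if k else None
            ev["auid"] = int(a.group(1)) if a else None
    findings = []
    for ev in events.values():
        category = classify_argv(ev["argv"])
        if category:
            ev["category"] = category
            findings.append(ev)
    return findings


PS_PROMPT_RE = re.compile(r"^PS [^>]*>\s*(.+)$")   # "PS C:\Users\alice> <command>"
PS_ENUM_RE = re.compile(
    r"\b(Get-NetFirewall(Rule|Profile|PortFilter|AddressFilter)|netsh\s+advfirewall\s+(firewall\s+)?show)\b", re.I)


def enumeration_from_transcript(lines):
    """Return the command lines in a PowerShell transcript that enumerate firewall config."""
    hits = []
    for line in lines:
        m = PS_PROMPT_RE.match(line.strip())
        if m and PS_ENUM_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed auditd records: an enumeration, two disables and one unrelated execve.
SAMPLE_AUDITD = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 comm="iptables" exe="/usr/sbin/xtables-nft-multi" key="firewall_enum"',
    'type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="iptables" a1="-L" a2="-n"',
    'type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 comm="iptables" exe="/usr/sbin/xtables-nft-multi" key="firewall_disable"',
    'type=EXECVE msg=audit(1700000000.102:502): argc=2 a0="iptables" a1="-F"',
    'type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 comm="systemctl" exe="/usr/bin/systemctl" key="firewall_disable"',
    'type=EXECVE msg=audit(1700000000.103:503): argc=3 a0="systemctl" a1="stop" a2="ufw"',
    'type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="firewall_enum"',
    'type=EXECVE msg=audit(1700000000.104:504): argc=2 a0="ls" a1="-la"',
]

# Constructed PowerShell transcript fragment.
SAMPLE_TRANSCRIPT = [
    "**********************",
    "Windows PowerShell transcript start",
    "PS C:\\Users\\alice> Get-NetFirewallRule -Enabled True | Select-Object DisplayName",
    "DisplayName",
    "-----------",
    "Core Networking - DNS (UDP-Out)",
    "PS C:\\Users\\alice> Get-Date",
]

if __name__ == "__main__":
    for ev in parse_auditd(SAMPLE_AUDITD):
        print(f"serial={ev['serial']} auid={ev['auid']} key={ev['key']} {ev['category']}: {' '.join(ev['argv'])}")
    for cmd in enumeration_from_transcript(SAMPLE_TRANSCRIPT):
        print("powershell enumeration:", cmd)
```

Note that record 504 (ls -la) carries the firewall_enum key because the page's rule matches every execve, and is correctly dropped by the argv classifier; the auid field survives sudo and is the value to pivot on when the uid is 0.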

Firewall: Firewall Metadata

Contextual information about firewalls, including their configurations, policies, status, and other details such as names and associated rules. This metadata provides valuable insights into the operational state and configurations of firewalls, both in cloud control planes and host systems. Examples:

  • Firewall Name and Configuration: The name, type, and purpose of a firewall such as "Azure Firewall - Production Environment."
  • Policy Details: Capturing firewall policy details, such as "Allow inbound TCP 443 to web servers."
  • Firewall Status: Status indicators like "Active," "Disabled," or "Pending Updates."
  • Audit Log Metadata: Log entries showing administrative changes, such as "Policy modified by admin@domain.com."
  • Rules Associated with Firewalls: Rules specifying source/destination IP ranges, protocols, and ports.
  • Tagging Information: Tags like "Environment: Production" or "Owner: NetworkOps."

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure: Use Azure Activity Logs and Network Watcher to collect metadata for Azure Firewall.
    • Example: az network firewall show --name <firewall-name>
  • AWS: Use AWS CloudTrail and describe commands: aws ec2 describe-security-groups
  • Google Cloud: Use gcloud commands to extract metadata: gcloud compute firewall-rules list --format=json

Host-Based Firewalls

  • Windows: Use PowerShell to gather metadata: Get-NetFirewallRule -PolicyStore PersistentStore
  • Linux: Query iptables or nftables rulesets: iptables -S
  • macOS: Use pfctl to extract metadata: sudo pfctl -sr

SIEM Integration

  • Collect logs from cloud platforms, host systems, and network appliances.

API Monitoring

  • Monitor API calls for metadata requests. Example (AWS): Capture DescribeSecurityGroups or DescribeNetworkAcls calls via CloudTrail.

Endpoint Detection and Response (EDR)

  • Use EDR solutions to monitor firewall management tools for configuration changes or queries.

Detects

  • Enterprise T1518 Software Discovery: Monitor for contextual data about a firewall and activity around it such as name, policy, or status.
    • T1518.001 Security Software Discovery: Monitor for contextual data about a firewall and activity around it such as name, policy, or status.
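The metadata commands listed above return provider-specific JSON; the added example below (not part of the ATT&CK page) normalises the output shapes of gcloud compute firewall-rules list --format=json and aws ec2 describe-security-groups into one rule record (name, direction, sources, protocol, ports, logging) and then applies the two misconfiguration checks the Firewall Enumeration component names: "allow all" policies and rules that lack logging, plus sensitive ports exposed to any source. The sample documents are constructed, not captured from a real account; the record shape and the sensitive-port list are this example's own choices.

```python
"""Added example (not from the ATT&CK page): normalise GCP and AWS firewall
metadata into one record shape and flag misconfigurations. Sample JSON below
is constructed; field names follow the public gcloud/aws output formats."""

WORLD = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22, 3389, 445, 3306, 5432}   # assumption: adjust per environment


def _port_set(spec):
    """Expand 'all' / '22' / '8000-8010' into a set of ints ('all' -> None)."""
    if spec in (None, "all"):
        return None
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    return set(range(int(lo), int(hi) + 1))


def normalize_gcp(rules):
    """One record per (rule, allowed entry, port spec) from gcloud firewall-rules JSON."""
    out = []
    for r in rules:
        direction = r.get("direction", "INGRESS")
        sources = r.get("sourceRanges", []) if direction == "INGRESS" else r.get("destinationRanges", [])
        logging = bool(r.get("logConfig", {}).get("enable", False))   # absent logConfig == off
        for allowed in r.get("allowed", []):
            for port in allowed.get("ports") or ["all"]:
                out.append({"provider": "gcp", "name": r["name"], "direction": direction,
                            "sources": sources, "protocol": allowed["IPProtocol"], "ports": port,
                            "logging": logging, "disabled": r.get("disabled", False)})
    return out


def normalize_aws(doc):
    """One record per IpPermissions entry from describe-security-groups JSON."""
    out = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = [x["CidrIp"] for x in perm.get("IpRanges", [])] + \
                      [x["CidrIpv6"] for x in perm.get("Ipv6Ranges", [])]
            proto = "all" if perm.get("IpProtocol") == "-1" else perm["IpProtocol"]
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or lo == -1:
                ports = "all"
            else:
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
            # Security Groups have no per-rule logging; VPC Flow Logs are separate.
            out.append({"provider": "aws", "name": sg["GroupId"], "direction": "INGRESS",
                        "sources": sources, "protocol": proto, "ports": ports,
                        "logging": None, "disabled": False})
    return out


def find_misconfigurations(rules):
    """Return (provider, name, reason) tuples for the checks described on the page."""
    findings, logging_reported = [], set()
    for r in rules:
        if r["disabled"]:
            continue
        world = bool(set(r["sources"]) & WORLD)
        ports = _port_set(r["ports"])
        if world and r["protocol"] == "all":
            findings.append((r["provider"], r["name"], "allow-all-from-anywhere"))
        elif world and ports is None:
            findings.append((r["provider"], r["name"], f"all-{r['protocol']}-ports-from-anywhere"))
        elif world and ports & SENSITIVE_PORTS:
            findings.append((r["provider"], r["name"],
                             f"sensitive-ports-{sorted(ports & SENSITIVE_PORTS)}-from-anywhere"))
        if r["logging"] is False and (r["provider"], r["name"]) not in logging_reported:
            logging_reported.add((r["provider"], r["name"]))
            findings.append((r["provider"], r["name"], "logging-disabled"))
    return findings


# Constructed sample output of `gcloud compute firewall-rules list --format=json`.
SAMPLE_GCP = [
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "sourceRanges": ["10.0.1.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "logConfig": {"enable": True}, "disabled": False},
    {"name": "default-allow-all", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}], "logConfig": {"enable": False}, "disabled": False},
    {"name": "web-ingress", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}], "disabled": False},
]

# Constructed sample output of `aws ec2 describe-security-groups`.
SAMPLE_AWS = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "rdp-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "internal", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]}

if __name__ == "__main__":
    for finding in find_misconfigurations(normalize_gcp(SAMPLE_GCP) + normalize_aws(SAMPLE_AWS)):
        print(finding)
```

Over the samples this reports default-allow-all twice (allow-all from anywhere, logging disabled), web-ingress once (logging disabled, since a missing logConfig means logging is off) and the rdp-admin security group once (port 3389 from anywhere); the bastion SSH rule and the internal group pass.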

Firewall: Firewall Rule Modification

The creation, deletion, or alteration of firewall rules to allow or block specific network traffic. Monitoring changes to these rules is critical for detecting misconfigurations, unauthorized access, or malicious attempts to bypass network protections. Examples:

  • Rule Creation: Adding a new rule to allow inbound traffic on port 3389 (RDP).
  • Rule Deletion: Deleting a rule that blocks inbound traffic from untrusted IP ranges.
  • Rule Modification: Changing a rule to allow traffic from "any" source IP instead of a specific trusted range.
  • Audit Log Metadata: Logs indicating "Firewall rule modified by admin@domain.com."
  • Platform-Specific Scenarios
    • Azure: Altering rules in an Azure Network Security Group (NSG).
    • AWS: Modifying Security Group rules to allow traffic.
    • Windows: Changes tracked in Security Event Logs (EID 4950 or 4951).

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure: Collect rule modification logs from Azure Firewall Activity Logs.
    • Example Command: az network firewall policy rule-collection-group rule-collection list --policy-name <policy-name>
  • AWS: Use CloudTrail to track AuthorizeSecurityGroupIngress or RevokeSecurityGroupIngress actions. Example: aws ec2 describe-security-groups
  • Google Cloud: Use gcloud commands to extract firewall rules: gcloud compute firewall-rules list --format=json

Host-Based Firewalls

  • Windows:
    • Collect events from the Windows Security Event Log (EID 4950: A rule has been modified).
    • Use PowerShell to track rule changes: Get-NetFirewallRule -PolicyStore PersistentStore
  • Linux:
    • Monitor iptables or nftables rule modifications: iptables -L -v
    • Use auditd for real-time monitoring: auditctl -w /etc/iptables.rules -p wa
  • macOS: Use pfctl to monitor rule changes: sudo pfctl -sr

SIEM Integration

  • Collect logs from cloud platforms, host systems, and network appliances for centralized monitoring.

API Monitoring

  • Monitor API calls for firewall rule modifications.

Detects

  • Enterprise T1562 Impair Defenses: Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
    • T1562.004 Disable or Modify System Firewall: Monitor for changes made to firewall rules that might allow remote communication over protocols such as SMB and RDP. Modifications may also open local ports and services for particular network profiles such as public and domain.
    • T1562.007 Disable or Modify Cloud Firewall: Monitor cloud logs for modification or creation of new security groups or firewall rules. For example, in AWS environments, monitor for the AuthorizeSecurityGroupIngress API call in CloudTrail and use AWS Config to monitor changes to the configuration of a Virtual Private Cloud (VPC) Security Group.[2]

      Analytic 1 - Operations performed by unexpected initiators, unusual rule names, frequent modifications

      index="azure_activity_logs" OperationName="Create or Update Security Rule"
      | where like(Resource, "%Microsoft.Network/networkSecurityGroups/securityRules%")
      | where Status!="Succeeded" OR InitiatorName!="expected_initiator"
      | stats count, min(_time) AS first_seen, max(_time) AS last_seen BY InitiatorName, Resource
      | sort -last_seen

      The Status and InitiatorName filters must run before stats, which keeps only the fields it groups by; the final sort orders initiators by most recent modification.

  • Enterprise T1070 Indicator Removal: Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.
    • T1070.007 Clear Network Connection History and Configurations: Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.
  • Enterprise T1669 Wi-Fi Networks: Monitor for changes made to firewall rules for unexpected modifications to allow specific network traffic that may maliciously modify components of a victim environment in order to move laterally.
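The detections above call for watching AuthorizeSecurityGroupIngress in CloudTrail and for tracking host rule changes with iptables -S. The added example below (not part of the ATT&CK page) implements both sides: it inspects constructed CloudTrail records and reports authorizations that expose all traffic or a sensitive port (RDP, SMB, SSH and a few database ports, the example's own list) to 0.0.0.0/0 or ::/0, and it diffs two iptables -S snapshots to surface new ACCEPT rules, removed DROP/REJECT rules and a default policy that went from DROP to ACCEPT. The CloudTrail requestParameters layout (ipPermissions.items[].ipRanges.items[].cidrIp) is the documented EC2 shape; the sample events and rulesets are constructed.

```python
"""Added example (not from the ATT&CK page): flag risky AuthorizeSecurityGroupIngress
calls in CloudTrail and diff two `iptables -S` snapshots. All input is constructed."""

WORLD = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22, 445, 3389, 3306, 5432}   # assumption: adjust per environment


def risky_authorizations(records, sensitive_ports=SENSITIVE_PORTS):
    """Return AuthorizeSecurityGroupIngress calls that open all traffic or a sensitive port to the world."""
    out = []
    for rec in records:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = rec.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            cidrs = [x.get("cidrIp") for x in perm.get("ipRanges", {}).get("items", [])] + \
                    [x.get("cidrIpv6") for x in perm.get("ipv6Ranges", {}).get("items", [])]
            if not set(cidrs) & WORLD:
                continue
            proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
            if proto == "-1" or lo is None:
                reason = "all traffic"
            else:
                hit = sorted(p for p in sensitive_ports if lo <= p <= hi)
                if not hit:
                    continue
                reason = f"{proto} {hit}"
            out.append({"group": params.get("groupId"), "time": rec.get("eventTime"),
                        "actor": rec.get("userIdentity", {}).get("arn"), "reason": reason})
    return out


def diff_rulesets(before, after):
    """Compare two `iptables -S` dumps; return (added, removed) rule lines, policies included."""
    b = {line.strip() for line in before.splitlines() if line.strip()}
    a = {line.strip() for line in after.splitlines() if line.strip()}
    return sorted(a - b), sorted(b - a)


def flag_rule_changes(added, removed):
    """Turn a ruleset diff into the changes that weaken enforcement."""
    reasons = []
    for line in added:
        if line.startswith("-P ") and line.endswith(" ACCEPT"):
            reasons.append(f"default policy opened: {line}")
        elif line.startswith("-A ") and line.endswith("-j ACCEPT"):
            reasons.append(f"new allow rule: {line}")
    for line in removed:
        if line.startswith("-A ") and (line.endswith("-j DROP") or line.endswith("-j REJECT")):
            reasons.append(f"block rule removed: {line}")
    return reasons


# Constructed CloudTrail records: one risky authorization, two acceptable ones, one read call.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2025-01-15T10:01:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2025-01-15T10:02:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"groupId": "sg-0fedcba9876543210", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2025-01-15T10:03:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"groupId": "sg-0fedcba9876543210", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2025-01-15T10:04:00Z", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}},
]

# Constructed `iptables -S` snapshots taken before and after a change.
BEFORE = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.1.0/24 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j DROP
"""
AFTER = """
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.1.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
"""

if __name__ == "__main__":
    for hit in risky_authorizations(SAMPLE_CLOUDTRAIL):
        print("cloudtrail:", hit)
    for reason in flag_rule_changes(*diff_rulesets(BEFORE, AFTER)):
        print("iptables:", reason)
```

The snapshot diff is order-insensitive, so a reordering of rules with the same content does not alert; if rule order matters for your policy (an ACCEPT moved above a DROP), compare the lists positionally instead of as sets.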

References