A network security system, running locally on an endpoint or remotely as a service (e.g. in a cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules[1]
The deactivation, misconfiguration, or complete stoppage of firewall services, either on a host or in a cloud control plane. Such activity may involve turning off firewalls, modifying rules to disable protection, or deleting firewall-related configurations and activity logs. Examples: `iptables -F` to flush all rules on a Linux system, `Set-NetFirewallProfile -Enabled False` on Windows, or `systemctl stop ufw` on Linux.

This data component can be collected through the following measures:

- Cloud Control Plane: `RevokeSecurityGroupIngress` or `RevokeSecurityGroupEgress` events to detect rule changes in AWS Security Groups.
- Host-Level Firewalls: `auditctl -a always,exit -F arch=b64 -S execve -k firewall_disable`. Note that this rule records every 64-bit execve on the host (add an `arch=b32` twin if 32-bit binaries are in scope); the key only tags the records, so either narrow the rule (for example with an `-F exe=` filter on the firewall binaries) or match the reconstructed command line in the SIEM.
- Network-Level Monitoring
- SIEM and CSPM Tools
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1562 | Impair Defenses | Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).
Enterprise | T1562.004 | Disable or Modify System Firewall | Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).
Enterprise | T1562.007 | Disable or Modify Cloud Firewall | Monitor for changes in the status of the cloud firewall.
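The measures above name three very different log sources (Windows Security Auditing, CloudTrail, auditd). The following is an added example, not code from the ATT&CK page, showing how one detection pass can consume all three: it flags events 5025/5034, the two `RevokeSecurityGroup*` CloudTrail event names, and auditd execve records tagged with the `firewall_disable` key whose argv matches a disable command. It also handles the auditd detail that the key and actor live on the SYSCALL record while argv lives on the EXECVE record, so the two must be joined on the audit serial. The record layouts (field names such as `EventID`, `Computer`, `CommandLine`) and all sample events are constructed for the example.

```python
"""Detect firewall-disable activity across three constructed log sources.

Added example, not code from the ATT&CK page. The Windows event IDs
(5025, 5034), the CloudTrail event names and the auditd key firewall_disable
come from the page; the record layouts and the sample events below are
simplified, constructed inputs, and field names like "EventID", "Computer"
and "CommandLine" are assumptions mirroring the Windows Security log.
"""
import re
from collections import defaultdict

# Windows Security Auditing events named on the page.
WINDOWS_FIREWALL_STATE_EVENTS = {
    5025: "The Windows firewall service has been stopped",
    5034: "The Windows firewall driver was stopped",
}
# CloudTrail eventNames that remove rules from an AWS security group.
AWS_REVOKE_EVENTS = {"RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
# Command lines (the page's examples plus close variants) that turn a host firewall off.
DISABLE_COMMAND_PATTERNS = [
    re.compile(r"\biptables\s+(-F|--flush)\b"),
    re.compile(r"\bsystemctl\s+(stop|disable)\s+(ufw|firewalld|nftables)\b"),
    re.compile(r"\bufw\s+disable\b"),
    re.compile(r"Set-NetFirewallProfile\b.*-Enabled\s+False", re.IGNORECASE),
]


def disabling_command(cmdline):
    """True if a command line matches a known firewall-disable pattern."""
    return any(p.search(cmdline) for p in DISABLE_COMMAND_PATTERNS)


def check_windows(event):
    """event: dict with EventID, Computer and (for 4688) CommandLine."""
    eid = event.get("EventID")
    if eid in WINDOWS_FIREWALL_STATE_EVENTS:
        return f"{event['Computer']}: event {eid} ({WINDOWS_FIREWALL_STATE_EVENTS[eid]})"
    # 4688 (process creation) carries the command line when that audit option is enabled.
    if eid == 4688 and disabling_command(event.get("CommandLine", "")):
        return f"{event['Computer']}: firewall disabled via '{event['CommandLine']}'"
    return None


def check_cloudtrail(record):
    """record: one CloudTrail record (only the fields used here)."""
    if record.get("eventName") not in AWS_REVOKE_EVENTS:
        return None
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    group = record.get("requestParameters", {}).get("groupId", "unknown")
    return f"AWS: {actor} called {record['eventName']} on {group}"


def check_auditd(lines):
    """Join SYSCALL records (key, auid) with EXECVE records (argv) on the
    audit serial, then match the reconstructed argv."""
    by_serial = defaultdict(dict)
    for line in lines:
        m = re.search(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\)", line)
        if m:
            by_serial[m.group(3)][m.group(1)] = line
    alerts = []
    for serial, recs in by_serial.items():
        syscall, execve = recs.get("SYSCALL", ""), recs.get("EXECVE", "")
        if 'key="firewall_disable"' not in syscall or not execve:
            continue
        argv = " ".join(re.findall(r'\ba\d+="([^"]*)"', execve))
        if disabling_command(argv):
            auid = re.search(r"\bauid=(\d+)", syscall)
            alerts.append(f"auditd serial {serial}: auid={auid.group(1) if auid else '?'} ran '{argv}'")
    return alerts


def detect(windows_events, cloudtrail_records, auditd_lines):
    """Run all three checks and return the list of alert strings."""
    alerts = [a for a in map(check_windows, windows_events) if a]
    alerts += [a for a in map(check_cloudtrail, cloudtrail_records) if a]
    alerts += check_auditd(auditd_lines)
    return alerts


# --- constructed sample input, not real logs ---------------------------------
SAMPLE_WINDOWS = [
    {"EventID": 4624, "Computer": "WS01"},  # benign logon, ignored
    {"EventID": 5025, "Computer": "WS01"},
    {"EventID": 4688, "Computer": "WS02",
     "CommandLine": "powershell.exe Set-NetFirewallProfile -Profile Domain,Public -Enabled False"},
]
SAMPLE_CLOUDTRAIL = [
    {"eventName": "DescribeSecurityGroups",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops"}},
    {"eventName": "RevokeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
]
SAMPLE_AUDITD = [
    'type=SYSCALL msg=audit(1700000000.101:41): arch=c000003e syscall=59 success=yes auid=1000 comm="iptables" key="firewall_disable"',
    'type=EXECVE msg=audit(1700000000.101:41): argc=2 a0="iptables" a1="-F"',
    'type=SYSCALL msg=audit(1700000000.202:42): arch=c000003e syscall=59 success=yes auid=1000 comm="ls" key="firewall_disable"',
    'type=EXECVE msg=audit(1700000000.202:42): argc=2 a0="ls" a1="-la"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_WINDOWS, SAMPLE_CLOUDTRAIL, SAMPLE_AUDITD):
        print(alert)
```

The second auditd pair (`ls -la`) is deliberately included: with an unfiltered `-S execve` rule every process start carries the `firewall_disable` key, so the key alone is not a detection and the argv match is what does the work.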
Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples: `Get-NetFirewallRule` on Windows, or Linux commands such as `iptables -L` or `firewall-cmd --list-all` (`firewall-cmd` is firewalld's client; the `firewalld` binary is the daemon and does not take `--list-all`); `az network firewall list` for Azure or `aws ec2 describe-security-groups` for AWS; the `list` API method or AWS's `DescribeSecurityGroups` API. Identifying Misconfigurations: extracting firewall rules to identify "allow all" policies or rules that lack logging, e.g. `gcloud compute firewall-rules list` to extract firewall settings in Google Cloud.

This data component can be collected through the following measures:

- Cloud Control Plane: Azure `az network firewall` commands; AWS `DescribeSecurityGroups` or `DescribeNetworkAcls` APIs; Google Cloud Operations Suite: collect logs for `gcloud compute firewall-rules list` or API calls to `firewalls.list`.
- Host-Based Firewalls: Windows `Get-NetFirewallRule`; Linux `iptables -L` or `ufw status`, recorded using auditd: `auditctl -a always,exit -F arch=b64 -S execve -k firewall_enum`.
- SIEM Integration
- Endpoint Detection and Response (EDR)
- CSPM Tools
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1518 | Software Discovery | Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)
Enterprise | T1518.001 | Security Software Discovery | Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)
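The "Identifying Misconfigurations" point above (finding "allow all" policies and rules that lack logging) is what a defender does with the same enumeration output an attacker collects. The following added example, not code from the ATT&CK page or any vendor, reads the JSON shapes returned by `aws ec2 describe-security-groups` and `gcloud compute firewall-rules list --format=json` and reports rules open to `0.0.0.0/0` or `::/0`, rules that allow every protocol/port, and GCP rules with logging disabled. The two JSON documents are constructed samples, the severity labels and the list of admin ports are this example's own choices, and only GCP ingress rules are examined.

```python
"""Find "allow all" and unlogged rules in exported cloud firewall configs.

Added example, not from the ATT&CK page. It parses the JSON produced by
`aws ec2 describe-security-groups` and
`gcloud compute firewall-rules list --format=json`. The sample documents
are constructed, not real account data; severities are this example's own.
"""
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389, 445}  # SSH, RDP, SMB: remote-access ports worth a higher severity


def _covers(from_port, to_port, port):
    """True if the [from_port, to_port] range includes port (None means unset)."""
    return from_port is not None and to_port is not None and from_port <= port <= to_port


def audit_aws(doc):
    """doc: parsed output of `aws ec2 describe-security-groups`."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                if not ANYWHERE & set(sources):
                    continue  # scoped to specific CIDRs; not flagged here
                proto = perm.get("IpProtocol")
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                if proto == "-1" or (lo == 0 and hi == 65535):
                    # Default egress is "-1 to 0.0.0.0/0", so egress is rated lower.
                    sev = "HIGH" if direction == "ingress" else "MEDIUM"
                    what = "all protocols/ports"
                elif direction == "ingress" and any(_covers(lo, hi, p) for p in ADMIN_PORTS):
                    sev, what = "HIGH", f"{proto} {lo}-{hi} (admin port)"
                else:
                    sev, what = "MEDIUM", f"{proto} {lo}-{hi}"
                findings.append((sev, "aws", sg["GroupId"], f"{direction} {what} from/to anywhere"))
    return findings


def audit_gcp(rules):
    """rules: parsed output of `gcloud compute firewall-rules list --format=json`.
    Only enabled INGRESS rules are examined."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not rule.get("logConfig", {}).get("enable", False):
            findings.append(("LOW", "gcp", rule["name"], "rule logging disabled"))
        if not ANYWHERE & set(rule.get("sourceRanges", [])):
            continue
        for allowed in rule.get("allowed", []):
            proto, ports = allowed.get("IPProtocol"), allowed.get("ports")
            # "all", or tcp/udp with no port list, means every port of that protocol.
            if proto == "all" or (proto in ("tcp", "udp") and not ports):
                findings.append(("HIGH", "gcp", rule["name"], f"allow {proto} all ports from anywhere"))
            else:
                findings.append(("MEDIUM", "gcp", rule["name"], f"allow {proto} {ports} from anywhere"))
    return findings


def audit_all(aws_doc, gcp_rules):
    """Combined findings, highest severity first."""
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = audit_aws(aws_doc) + audit_gcp(gcp_rules)
    return sorted(findings, key=lambda f: (rank[f[0]], f[1], f[2]))


# --- constructed sample CLI output, not real account data --------------------
SAMPLE_AWS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-deadbeef", "GroupName": "quick-fix",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
   "IpPermissionsEgress": []}
]}
""")
SAMPLE_GCP = json.loads("""
[
  {"name": "allow-ssh-office", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["198.51.100.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "logConfig": {"enable": true}},
  {"name": "allow-all-debug", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}], "logConfig": {"enable": false}}
]
""")

if __name__ == "__main__":
    for sev, cloud, name, msg in audit_all(SAMPLE_AWS, SAMPLE_GCP):
        print(f"{sev:6} {cloud} {name}: {msg}")
```

Run it against real exports by replacing the two sample documents with `json.load(open(...))` of the saved CLI output; AWS security groups have no per-rule logging setting, which is why the logging check applies only to the GCP rules.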
Contextual information about firewalls, including their configurations, policies, status, and other details such as names and associated rules. This metadata provides valuable insights into the operational state and configurations of firewalls, both in cloud control planes and host systems. Examples of the commands that expose it, and the measures through which this data component can be collected:

- Cloud Control Plane: `az network firewall show --name <firewall-name>`; `aws ec2 describe-security-groups`; `gcloud compute firewall-rules list --format=json`.
- Host-Based Firewalls: `Get-NetFirewallRule -PolicyStore PersistentStore` (Windows); `iptables -S` (Linux); `sudo pfctl -sr` (macOS/BSD pf).
- SIEM Integration
- API Monitoring: capture `DescribeSecurityGroups` or `DescribeNetworkAcls` calls via CloudTrail.
- Endpoint Detection and Response (EDR)
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1518 | Software Discovery | Monitor for contextual data about a firewall and activity around it such as name, policy, or status
Enterprise | T1518.001 | Security Software Discovery | Monitor for contextual data about a firewall and activity around it such as name, policy, or status
The creation, deletion, or alteration of firewall rules to allow or block specific network traffic. Monitoring changes to these rules is critical for detecting misconfigurations, unauthorized access, or malicious attempts to bypass network protections. Examples of the commands and API actions involved, and the measures through which this data component can be collected:

- Cloud Control Plane: Azure `az network firewall policy rule-collection-group rule-collection list --policy-name <policy-name>`; AWS `AuthorizeSecurityGroupIngress` or `RevokeSecurityGroupIngress` actions (example: `aws ec2 describe-security-groups` to read the resulting state); Google Cloud `gcloud compute firewall-rules list --format=json`.
- Host-Based Firewalls: Windows `Get-NetFirewallRule -PolicyStore PersistentStore`; Linux `iptables -L -v`, with `auditctl -w /etc/iptables.rules -p wa` to record writes to the saved rule set. Note that the saved-rules path varies by distribution (e.g. `/etc/iptables/rules.v4` on Debian/Ubuntu, `/etc/sysconfig/iptables` on RHEL-family systems) and that a file watch does not see live changes made with `iptables` that are never saved, so pair it with the execve rule or with periodic `iptables -S` snapshots; macOS/BSD `sudo pfctl -sr`.
- SIEM Integration
- API Monitoring
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1562 | Impair Defenses | Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
Enterprise | T1562.004 | Disable or Modify System Firewall | Monitor for changes made to firewall rules that might allow remote communication over protocols such as SMB and RDP. Modification of firewall rules might also consider opening local ports and services for different network profiles such as public and domain.
Enterprise | T1562.007 | Disable or Modify Cloud Firewall | Monitor cloud logs for modification or creation of new security groups or firewall rules. For example, in AWS environments, monitor for the Analytic 1 - Operations performed by unexpected initiators, unusual rule names, frequent modifications
Enterprise | T1070 | Indicator Removal | Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.
Enterprise | T1070.007 | Clear Network Connection History and Configurations | Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.
Enterprise | T1669 | Wi-Fi Networks | Monitor for changes made to firewall rules for unexpected modifications to allow specific network traffic that may maliciously modify components of a victim environment in order to move laterally.
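The detections above for T1562.004 (rules that open SMB or RDP), T1070.007 (rules removed to clean up earlier tampering) and the metadata measure of snapshotting `iptables -S` all reduce to the same operation: compare a known-good rule set with the current one and classify what changed. The following is an added example, not code from the ATT&CK page, that diffs two `iptables -S` snapshots and rates each change. It assumes the snapshots are collected by a scheduled job (for example shipped to the SIEM alongside the auditd records); both snapshots are constructed, and the severity scheme and the set of remote-access ports are this example's own choices.

```python
"""Diff two `iptables -S` snapshots and flag rule changes worth alerting on.

Added example, not from the ATT&CK page. It assumes rule sets were captured
with `iptables -S` by a scheduled job; the two snapshots below are
constructed, and the severity scheme and REMOTE_ACCESS_PORTS are this
example's own choices.
"""
import shlex

REMOTE_ACCESS_PORTS = {22, 445, 3389, 5985, 5986}  # SSH, SMB, RDP, WinRM


def parse_rule(line):
    """Turn one `iptables -S` line into a dict of the options we care about.
    `iptables -S` omits `-s 0.0.0.0/0`, so a missing source means "any"."""
    tokens = shlex.split(line)
    rule = {"raw": line, "kind": tokens[0], "chain": tokens[1], "src": "any",
            "proto": None, "dport": None, "target": None}
    if rule["kind"] == "-P":          # chain policy line: -P INPUT DROP
        rule["target"] = tokens[2]
        return rule
    it = iter(tokens[2:])
    for tok in it:
        if tok == "-s":
            rule["src"] = next(it)
        elif tok == "-p":
            rule["proto"] = next(it)
        elif tok == "--dport":
            val = next(it)
            rule["dport"] = int(val) if val.isdigit() else val  # "a:b" ranges stay strings
        elif tok == "-j":
            rule["target"] = next(it)
    return rule


def diff_snapshots(baseline, current):
    """Return (severity, message) tuples for every rule or policy change.
    The comparison is order-insensitive: reordering alone is not reported."""
    base = {r["raw"]: r for r in map(parse_rule, baseline.strip().splitlines())}
    cur = {r["raw"]: r for r in map(parse_rule, current.strip().splitlines())}
    findings = []
    for raw, r in cur.items():
        if raw in base:
            continue
        if r["kind"] == "-P":
            sev = "HIGH" if r["target"] == "ACCEPT" else "MEDIUM"
            findings.append((sev, f"policy of {r['chain']} changed to {r['target']}"))
        elif r["target"] == "ACCEPT" and r["dport"] in REMOTE_ACCESS_PORTS and r["src"] == "any":
            findings.append(("HIGH", f"{r['chain']}: remote-access port {r['dport']}/{r['proto']} opened to any source"))
        elif r["target"] == "ACCEPT":
            findings.append(("MEDIUM", f"{r['chain']}: new ACCEPT rule: {raw}"))
        else:
            findings.append(("LOW", f"{r['chain']}: new rule: {raw}"))
    for raw, r in base.items():
        if raw in cur or r["kind"] == "-P":
            continue  # a replaced policy is already reported from the current side
        # A removed DROP/REJECT may be loosening or cleanup of earlier tampering.
        sev = "MEDIUM" if r["target"] in ("DROP", "REJECT") else "LOW"
        findings.append((sev, f"{r['chain']}: rule removed: {raw}"))
    return findings


# --- constructed snapshots in `iptables -S` format, not from a real host -----
BASELINE = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j DROP
"""
CURRENT = """
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
"""

if __name__ == "__main__":
    for sev, msg in diff_snapshots(BASELINE, CURRENT):
        print(f"{sev:6} {msg}")
```

Because the comparison keys on the exact `iptables -S` text, a rule that is rewritten with different options shows up as one removal plus one addition, which is the behaviour wanted for review; a file watch on the saved rules alone would miss all of these changes if nothing ever called `iptables-save`.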