Detection of Disabled or Modified System Firewalls across OS Platforms.

ID: DET0145
Domains: Enterprise
Analytics: AN0406, AN0407, AN0408, AN0409, AN0410
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0406

Detection of firewall tampering by monitoring processes executing netsh, PowerShell Set-NetFirewallProfile, or sc stop mpssvc. Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy also indicate adversarial actions.

Log Sources
Data Component | Name | Channel
DC0032 | Process Creation | WinEventLog:Security EventCode=4688
DC0063 | Windows Registry Key Modification | WinEventLog:Sysmon EventCode=13

Mutable Elements
Field | Description
MonitoredCommands | List of admin tools and scripts allowed to legitimately modify firewall settings.
AlertThreshold | Number of firewall rule changes within a time window before triggering an alert.

AN0407

Detection of iptables, nftables, or firewalld rule modifications. Correlation of sudden drops in active firewall rules with suspicious processes suggests adversarial evasion.

Log Sources
Data Component | Name | Channel
DC0064 | Command Execution | auditd:SYSCALL execve: iptables, nft, firewall-cmd modifications
DC0032 | Process Creation | linux:osquery execution of known firewall binaries

Mutable Elements
Field | Description
AllowedScripts | Baseline admin scripts allowed to make firewall modifications.
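The following is an added example, not part of the DET0145 page or of any MITRE tooling: a small detector that applies AN0406 and AN0407 to constructed sample events (Windows 4688 process creation, Sysmon 13 registry writes, auditd execve records) already normalised to dicts. The allowlisted script paths, the 300-second window and the threshold of 2 are assumptions standing in for MonitoredCommands, AllowedScripts and AlertThreshold.

```python
import re

# Assumed tunables mirroring the page's mutable elements.
MONITORED = re.compile(  # MonitoredCommands: firewall-changing tools named in AN0406/AN0407
    r"(netsh\s+(advfirewall|firewall)|Set-NetFirewallProfile|sc(\.exe)?\s+stop\s+mpssvc"
    r"|\biptables\b|\bnft\b|\bfirewall-cmd\b)", re.IGNORECASE)
FIREWALL_POLICY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
ALLOWED_SCRIPTS = (r"C:\Scripts\baseline_fw.ps1", "/opt/admin/fw-apply.sh")  # AllowedScripts (assumed)
ALERT_THRESHOLD, WINDOW_SECONDS = 2, 300  # AlertThreshold within a time window (assumed)

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"ts": 100, "host": "ws01", "user": "jdoe", "code": 4688,
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"ts": 130, "host": "ws01", "user": "jdoe", "code": 4688, "cmd": "sc stop mpssvc"},
    {"ts": 131, "host": "ws01", "user": "SYSTEM", "code": 13,
     "target": FIREWALL_POLICY_KEY + r"\DomainProfile\EnableFirewall"},
    {"ts": 200, "host": "ws01", "user": "svc_cm", "code": 4688,
     "cmd": r"powershell.exe -File C:\Scripts\baseline_fw.ps1"},   # allowlisted baseline script
    {"ts": 500, "host": "srv02", "user": "root", "code": "execve", "cmd": "iptables -F"},
    {"ts": 5000, "host": "srv03", "user": "root", "code": "execve", "cmd": "firewall-cmd --state"},
]

def is_firewall_change(ev):
    """True when the event is a firewall modification not covered by an allowlisted script."""
    cmd = ev.get("cmd", "")
    if any(s.lower() in cmd.lower() for s in ALLOWED_SCRIPTS):
        return False
    if ev.get("code") == 13:  # Sysmon registry value set: match on the FirewallPolicy key
        return ev.get("target", "").lower().startswith(FIREWALL_POLICY_KEY.lower())
    return bool(MONITORED.search(cmd))

def alerts(events):
    """Hosts with >= ALERT_THRESHOLD changes inside any WINDOW_SECONDS span -> peak count."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_firewall_change(ev):
            per_host.setdefault(ev["host"], []).append(ev["ts"])
    out = {}
    for host, times in per_host.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= WINDOW_SECONDS)
            if n >= ALERT_THRESHOLD:
                out[host] = max(out.get(host, 0), n)
    return out

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # {'ws01': 3}: three changes in 31 s; srv02/srv03 stay under threshold
```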

AN0408

Detection of PF firewall rule modifications via pfctl, socketfilterfw, or defaults write to com.apple.alf. Adversaries often disable firewall profiles entirely or whitelist malicious processes.

Log Sources
Data Component | Name | Channel
DC0064 | Command Execution | macos:unifiedlog pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf

Mutable Elements
Field | Description
PFConfigFiles | Monitor for baseline pf.conf and custom rule file modifications.

AN0409

Detection of firewall changes using esxcli network firewall set or vSphere API modifications. Sudden disabling of firewall rules across management interfaces is a strong adversarial signal.

Log Sources
Data Component | Name | Channel
DC0064 | Command Execution | esxi:hostd esxcli network firewall set commands
DC0051 | Firewall Rule Modification | esxi:hostd vSphere API calls modifying firewall settings

Mutable Elements
Field | Description
APIMethods | Whitelist of authorized vSphere API methods for firewall configuration.

AN0410

Detection of firewall ACL or rule base changes through CLI (e.g., no access-list, permit any any). Monitor configuration commits from unusual users or sessions.

Log Sources
Data Component | Name | Channel
DC0051 | Firewall Rule Modification | networkdevice:cli firewall disable commands or suspicious ACL modifications

Mutable Elements
Field | Description
AuthorizedAdmins | List of approved admin accounts allowed to modify firewall ACLs.