Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. Non-Standard Port).[1]
Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.[2] Settings related to enabling abuse of various Remote Services may also indirectly modify firewall rules.
ID | Name | Description |
---|---|---|
G0082 | APT38 |
APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[3] |
S0031 | BACKSPACE |
The "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.[4] |
S0245 | BADCALL |
BADCALL disables the Windows firewall before binding to a port.[5] |
G0008 | Carbanak |
Carbanak may use netsh to add local firewall rule exceptions.[6] |
S0492 | CookieMiner |
CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found.[7] |
S0687 | Cyclops Blink |
Cyclops Blink can modify the Linux iptables firewall to enable C2 communication on network devices via a stored list of port numbers.[8][9] |
S0334 | DarkComet |
DarkComet can disable Security Center functions like the Windows Firewall.[10][11] |
G0035 | Dragonfly |
Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389.[12] |
S0531 | Grandoreiro |
Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level.[13] |
S0132 | H1N1 | |
S0246 | HARDRAIN |
HARDRAIN opens the Windows Firewall to modify incoming connections.[15] |
S0376 | HOPLIGHT | |
S0260 | InvisiMole |
InvisiMole has a command to disable routing and the Firewall on the victim’s machine.[17] |
S0088 | Kasidet |
Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded.[18] |
G0094 | Kimsuky |
Kimsuky has been observed disabling the system firewall.[19] |
G0032 | Lazarus Group |
Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. [20][21][22] |
G0059 | Magic Hound |
Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic - |
G1009 | Moses Staff |
Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.[25] |
S0336 | NanoCore | |
S0108 | netsh |
netsh can be used to disable local firewall settings.[28][29] |
S0385 | njRAT |
njRAT has modified the Windows firewall to allow itself to communicate through the firewall.[30][31] |
C0014 | Operation Wocao |
During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.[32] |
S1032 | PyDCrypt |
PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using |
S0125 | Remsec |
Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.[33] |
G0106 | Rocke |
Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.[34] |
C0024 | SolarWinds Compromise |
During the SolarWinds Compromise, APT29 used |
G0139 | TeamTNT | |
G1022 | ToddyCat |
Prior to executing a backdoor ToddyCat has run |
S0263 | TYPEFRAME |
TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.[38] |
S0412 | ZxShell |
ZxShell can disable the firewall by modifying the registry key |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit |
Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. |
M1022 | Restrict File and Directory Permissions |
Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
M1024 | Restrict Registry Permissions |
Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
M1018 | User Account Management |
Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments associated with disabling or the modification of system firewalls such as |
DS0018 | Firewall | Firewall Disable |
Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
Firewall Rule Modification |
Monitor for changes made to firewall rules that might allow remote communication over protocols such as SMD and RDP. Modification of firewall rules might also consider opening local ports and services for different network profiles such as public and domain. |
||
DS0024 | Windows Registry | Windows Registry Key Modification |
Monitor for changes made to windows Registry keys and/or values that adversaries might use to disable or modify System Firewall settings such as |