| ID | Sub-technique |
| --- | --- |
| T1562.001 | Disable or Modify Tools |
| T1562.002 | Disable Windows Event Logging |
| T1562.003 | Impair Command History Logging |
| T1562.004 | Disable or Modify System Firewall |
| T1562.007 | Disable or Modify Cloud Firewall |
| T1562.008 | Disable or Modify Cloud Logs |
| T1562.009 | Safe Mode Boot |
| T1562.011 | Spoof Security Alerting |
| T1562.012 | Disable or Modify Linux Audit System |
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes range from disabling the entire mechanism to adding, deleting, or modifying particular rules. This can be done in numerous ways depending on the operating system, including via the command line, by editing Windows Registry keys, and through the Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less secured port (i.e. Non-Standard Port).
The "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.
Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic -
| ID | Mitigation | Description |
| --- | --- | --- |
| | | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. |
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| ID | Data Source | Data Component | Detects |
| --- | --- | --- | --- |
| | | | Monitor executed commands and arguments associated with disabling or the modification of system firewalls such as |
| | | | Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
| | | Firewall Rule Modification | Monitor for changes made to firewall rules that might allow remote communication over protocols such as SMB and RDP. Also consider monitoring rule changes that open local ports and services for different network profiles such as public and domain. |
| DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for changes made to Windows Registry keys and/or values that adversaries might use to disable or modify System Firewall settings such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy. |
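The detection rows above name three telemetry sources (executed commands, firewall service status events 5025/5034, and changes under the FirewallPolicy registry key). The following is an added example, not part of the ATT&CK page, that applies that guidance to a handful of constructed telemetry records. The record layout (dicts with a `source` field of `process`, `security` or `registry`, plus `command_line`, `event_id`, `key` and `value_name` fields) is a hypothetical simplification of Sysmon and Windows Security event fields; the command-line patterns and the rule-change audit event IDs 4946-4948 are the author's additions and are not listed on the page.

```python
"""Detection logic for T1562.004 (Disable or Modify System Firewall).

Added example: maps constructed telemetry records onto the detection
components listed on the ATT&CK page (Command Execution, Service Metadata,
Firewall Rule Modification, Windows Registry Key Modification).
"""
import re

# Registry key named on the page as a location adversaries modify.
FIREWALL_POLICY_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
    r"\SharedAccess\Parameters\FirewallPolicy"
)

# Windows Security Auditing event IDs named on the page (firewall status).
FIREWALL_STATUS_EVENTS = {
    5025: "The Windows firewall service has been stopped",
    5034: "The Windows firewall driver was stopped",
}

# Windows audit events for firewall rule add/modify/delete (not on the page).
FIREWALL_RULE_EVENTS = {4946: "rule added", 4947: "rule modified", 4948: "rule deleted"}

# Command-line shapes that disable the firewall or change its rule set
# (hypothetical patterns chosen for this example).
COMMAND_PATTERNS = [
    re.compile(r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\b.*\b(set|add|delete|reset)\b", re.I),
    re.compile(r"\b(Set|New|Remove)-NetFirewall(Rule|Profile)\b", re.I),
    re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+mpssvc\b", re.I),
]


def check_command(command_line):
    """Return the data component name if the command line matches, else None."""
    for pattern in COMMAND_PATTERNS:
        if pattern.search(command_line):
            return "Command Execution"
    return None


def check_security_event(event_id):
    """Classify a Windows Security event ID, or return None if uninteresting."""
    if event_id in FIREWALL_STATUS_EVENTS:
        return "Service Metadata"
    if event_id in FIREWALL_RULE_EVENTS:
        return "Firewall Rule Modification"
    return None


def check_registry(key):
    """Flag any write at or below the FirewallPolicy key (case-insensitive)."""
    if key.lower().startswith(FIREWALL_POLICY_KEY.lower()):
        return "Windows Registry Key Modification"
    return None


def evaluate(event):
    """Return a finding dict for one telemetry record, or None if benign."""
    source = event.get("source")
    if source == "process":
        component = check_command(event.get("command_line", ""))
        detail = event.get("command_line", "")
    elif source == "security":
        event_id = event.get("event_id")
        component = check_security_event(event_id)
        detail = FIREWALL_STATUS_EVENTS.get(event_id) or FIREWALL_RULE_EVENTS.get(event_id, "")
    elif source == "registry":
        component = check_registry(event.get("key", ""))
        detail = f"{event.get('key', '')} -> {event.get('value_name', '')}"
    else:
        return None
    if component is None:
        return None
    return {"host": event.get("host"), "technique": "T1562.004",
            "component": component, "detail": detail}


def scan(events):
    """Run evaluate() over a batch of records and keep only the findings."""
    return [finding for finding in map(evaluate, events) if finding is not None]


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"source": "process", "host": "ws01", "command_line": "netsh advfirewall set allprofiles state off"},
    {"source": "process", "host": "ws01", "command_line": r"notepad.exe C:\Users\alice\report.txt"},
    {"source": "security", "host": "ws01", "event_id": 5025},
    {"source": "security", "host": "ws02", "event_id": 4946},
    {"source": "security", "host": "ws02", "event_id": 4624},
    {"source": "registry", "host": "ws02", "key": FIREWALL_POLICY_KEY + r"\DomainProfile", "value_name": "EnableFirewall"},
    {"source": "registry", "host": "ws02", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp", "value_name": "Version"},
    {"source": "process", "host": "ws03", "command_line": 'powershell.exe -c "New-NetFirewallRule -DisplayName Example -Direction Inbound -Action Allow"'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Each finding carries the ATT&CK data component it corresponds to, so the output can be routed to the matching detection row; in a real pipeline the `SAMPLE_EVENTS` list would be replaced by a Sysmon, Security log or EDR feed with the same fields.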