Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.
Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions.[1]
Adversaries may gain access to the firewall management console via Valid Accounts or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet (Exploit Public-Facing Application).[2]
| ID | Name | Description |
|---|---|---|
| G0082 | APT38 | APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[3] |
| S0531 | Grandoreiro | Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.[4] |

| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. |
| M1051 | Update Software | Ensure the network firewall is up to date with security patches. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0306 | Unauthorized Network Firewall Rule Modification (T1562.013) | AN0855 | Defender observes configuration changes on a firewall or network appliance involving rule creation, modification, or deletion from abnormal management IPs or non-console channels (e.g., remote CLI, API). These are often correlated with a spike in previously blocked outbound traffic, unexpected allow-all rules, or bulk rule deletions. The behavior often follows an unauthorized login, privilege escalation, or API abuse. |
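The analytic above describes three signals: rule changes arriving from an unexpected management source or channel, new allow-all rules, and bulk deletions. The following is an added example, not part of the ATT&CK page or any vendor's tooling, that runs those checks over appliance audit-log lines. The log line format, the management-subnet allowlist (10.0.100.0/24), the expected change channel (console) and the bulk-deletion threshold are all assumptions made for the example; the sample log lines are constructed.

```python
"""Flag suspicious firewall rule changes in appliance audit logs.

Added example modelled on the DET0306 / AN0855 analytic description. The
log format, management allowlist, channel policy and thresholds below are
assumptions for this example, not a real vendor's format or defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed (constructed) audit-log line format:
#   <ISO timestamp> user=<name> src=<ip> chan=<console|ssh|api|web>
#   op=<add|modify|delete> rule=<id> [from=<cidr|any> to=<cidr|any> action=<allow|deny>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) chan=(?P<chan>\S+) "
    r"op=(?P<op>add|modify|delete) rule=(?P<rule>\S+)"
    r"(?: from=(?P<from>\S+) to=(?P<to>\S+) action=(?P<action>allow|deny))?$"
)

# Assumed policy: rule changes are expected only from the management subnet
# and only over the console channel; anything else is worth a look.
MGMT_NETS = [ip_network("10.0.100.0/24")]
EXPECTED_CHANNELS = {"console"}
BULK_DELETE_THRESHOLD = 3                    # deletions by one user ...
BULK_DELETE_WINDOW = timedelta(minutes=5)    # ... within this window


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_mgmt_source(ip_str):
    """True if the source IP falls inside an allowlisted management network."""
    try:
        ip = ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETS)


def analyze(lines):
    """Return a list of findings, each {rule, kind, detail}, for suspicious changes."""
    findings = []
    deletions = defaultdict(list)  # user -> timestamps of recent delete ops

    def flag(rec, kind, detail):
        findings.append({"rule": rec["rule"], "kind": kind, "detail": detail})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently trusted
        # Signal 1: change from an abnormal management IP or a non-console channel.
        if not is_mgmt_source(rec["src"]):
            flag(rec, "non_mgmt_source", f"change from non-management IP {rec['src']}")
        if rec["chan"] not in EXPECTED_CHANNELS:
            flag(rec, "unexpected_channel", f"change via {rec['chan']} by {rec['user']}")
        # Signal 2: a rule that allows everything from everywhere.
        if rec["op"] in ("add", "modify") and rec["action"] == "allow" \
                and rec["from"] == "any" and rec["to"] == "any":
            flag(rec, "allow_all", "allow-all rule created or modified")
        # Signal 3: bulk deletions by one user inside a short window.
        if rec["op"] == "delete":
            recent = [t for t in deletions[rec["user"]] if rec["ts"] - t <= BULK_DELETE_WINDOW]
            recent.append(rec["ts"])
            deletions[rec["user"]] = recent
            if len(recent) == BULK_DELETE_THRESHOLD:
                flag(rec, "bulk_delete",
                     f"{len(recent)} deletions by {rec['user']} within {BULK_DELETE_WINDOW}")
    return findings


# Constructed sample log: routine console changes, then an API session from
# an outside address that adds an allow-all rule and deletes three rules.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 user=netadmin src=10.0.100.5 chan=console op=modify rule=R12 from=10.0.1.0/24 to=10.0.2.0/24 action=allow",
    "2024-05-01T09:05:00 user=netadmin src=10.0.100.5 chan=console op=delete rule=R13",
    "2024-05-01T22:13:04 user=svc_backup src=203.0.113.7 chan=api op=add rule=R900 from=any to=any action=allow",
    "2024-05-01T22:13:30 user=svc_backup src=203.0.113.7 chan=api op=delete rule=R20",
    "2024-05-01T22:13:41 user=svc_backup src=203.0.113.7 chan=api op=delete rule=R21",
    "2024-05-01T22:13:52 user=svc_backup src=203.0.113.7 chan=api op=delete rule=R22",
    "2024-05-02T08:30:00 user=netadmin src=10.0.100.5 chan=console op=add rule=R14 from=10.0.3.0/24 to=10.0.4.0/24 action=deny",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['rule']:6} {f['kind']:18} {f['detail']}")
```

In practice the findings would be correlated with authentication logs (the unexpected-channel and non-management-source hits both trace back to the same session) and with a jump in previously denied outbound flows after the allow-all rule appears, which is the second half of the analytic description.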