Disable or Modify System Firewall
Disable or Modify System Firewall [T1562.004]
Last updated
Disable or Modify System Firewall [T1562.004]
Last updated
Name: Disable or Modify System Firewall
ID: T1562.004
Tactics:
Technique:
The MITRE ATT&CK sub-technique "Disable or Modify System Firewall" (T1562.004) refers to adversary actions aimed at disabling, weakening, or modifying firewall rules or configurations. Firewalls play a critical role in network security by restricting unauthorized access and network traffic. Attackers often target firewall settings to bypass network defenses, facilitate lateral movement, establish persistence, or exfiltrate sensitive data undetected. Understanding this sub-technique is essential for organizations aiming to strengthen their security posture and proactively detect unauthorized firewall modifications.
Adversaries employ various methods to disable or modify system firewalls depending on their objectives, target systems, and available privileges. Common technical approaches include:
Command-line Tools:
Windows:
netsh advfirewall set allprofiles state off disables the Windows Defender Firewall on all profiles.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False (PowerShell) disables firewall profiles.
Linux:
iptables -F flushes all firewall rules, effectively disabling firewall protection.
ufw disable disables Uncomplicated Firewall (UFW) on Debian-based Linux distributions.
Registry Modification (Windows):
Attackers can directly alter registry keys to disable firewall settings, such as:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
Setting the registry value to 0 disables firewall protection.
Group Policy Modification (Windows):
Attackers may manipulate Group Policy Objects (GPOs) to disable firewall protections across multiple endpoints or domain-wide.
Configuration File Manipulation (Linux/Unix):
Editing firewall configuration files directly, such as /etc/sysconfig/iptables or /etc/firewalld/firewalld.conf, to disable or weaken firewall protections.
Third-party Firewall Software Manipulation:
Attackers may disable or modify configurations of third-party firewall solutions (e.g., Symantec, McAfee, Palo Alto Networks) to evade detection and facilitate unauthorized access.
Privilege Escalation and Persistence:
Attackers typically require administrative privileges to disable or modify firewall settings. Achieving privilege escalation is often a prerequisite for executing this sub-technique.
Disabling firewall rules can help attackers maintain persistent access, evade detection, and facilitate lateral movement within compromised environments.
Attackers commonly disable or modify system firewalls at various stages of a cyberattack lifecycle, including:
Initial Access and Exploitation:
Immediately after gaining administrative privileges, attackers may disable firewall protections to facilitate remote command-and-control (C2) communications.
Lateral Movement:
Attackers modify firewall rules to permit lateral movement within internal networks, bypassing internal segmentation controls.
Persistence:
Disabling firewall protections can help attackers maintain persistent and undetected access to compromised systems.
Defense Evasion:
Attackers modify or disable firewall rules to evade detection by security monitoring tools, intrusion detection/prevention systems (IDS/IPS), and network monitoring solutions.
Data Exfiltration:
Attackers may weaken firewall restrictions to facilitate stealthy exfiltration of sensitive data over unauthorized protocols or ports.
Organizations can employ several detection methods and tools to identify unauthorized firewall modifications or disablement:
Monitoring and Logging:
Enable detailed firewall logging and monitor logs for unauthorized rule changes or firewall disablement events.
Regularly review system and security event logs for suspicious firewall-related events, such as event IDs:
Windows Event ID 2003: Indicates firewall rule modification.
Windows Event ID 2004: Indicates firewall rule deletion.
Windows Event ID 5025: Indicates firewall service stopped.
Host-based Intrusion Detection Systems (HIDS):
Deploy HIDS (e.g., OSSEC, Wazuh) to monitor critical system files, registry entries, and firewall configuration files for unauthorized changes.
Endpoint Detection and Response (EDR) Solutions:
Utilize EDR tools (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint, Carbon Black) to detect and alert on suspicious command-line activities, registry modifications, or unauthorized firewall configuration changes.
Configuration Management and Integrity Monitoring:
Implement file integrity monitoring (FIM) solutions to monitor firewall configuration files and registry keys for unauthorized modifications.
Behavioral Analytics and SIEM Correlation:
Integrate firewall logs, endpoint telemetry, and event logs into Security Information and Event Management (SIEM) platforms for correlation and alerting on anomalous firewall-related activities.
Unusual firewall rules permitting previously blocked traffic.
Disabled firewall services or profiles.
Unauthorized registry modifications affecting firewall configurations.
Unexpected firewall configuration file edits or deletions.
Presence of suspicious scripts or scheduled tasks designed to disable firewall protections.
Detecting unauthorized firewall modifications or disablement is crucial due to the significant impact on organizational security, including:
Reduced Network Security Posture:
Firewall disablement or rule modifications weaken network defenses, allowing attackers unrestricted access and facilitating lateral movement.
Facilitated Persistence and Command-and-Control (C2):
Attackers exploit weakened firewall protections to maintain persistent and undetected access to compromised systems, enabling sustained malicious activities or data exfiltration.
Increased Risk of Data Exfiltration:
Disabled or modified firewall rules significantly increase the risk of sensitive data exfiltration over unauthorized channels, protocols, or ports.
Reduced Visibility and Detection Capabilities:
Firewall disablement or rule modifications impair security monitoring and detection capabilities, allowing attackers to evade detection by IDS/IPS and network monitoring tools.
Compliance and Regulatory Risks:
Unauthorized firewall modifications may lead to non-compliance with regulatory standards (e.g., PCI DSS, HIPAA, GDPR), exposing organizations to legal, financial, and reputational risks.
Early detection of this sub-technique enables rapid incident response, containment of threats, and mitigation of potential impacts.
Real-world examples of attacks involving disabling or modifying system firewalls include:
APT41 (Winnti Group):
Known to disable Windows Firewall using command-line tools (netsh) and modify firewall rules to facilitate lateral movement, persistence, and exfiltration of sensitive data.
FIN7 (Carbanak Group):
Observed modifying firewall rules to bypass network segmentation controls, enabling lateral movement and data exfiltration from compromised financial institutions.
Lazarus Group:
Utilized malicious scripts and commands to disable firewall protections on compromised endpoints, facilitating persistent access and covert communication with C2 servers.
TrickBot Malware:
TrickBot operators have executed commands to disable Windows Defender Firewall, facilitating lateral movement, ransomware deployment (e.g., Ryuk), and data exfiltration.
Ryuk Ransomware:
Ryuk ransomware operators frequently disable firewall protections to facilitate lateral movement, propagation, and ransomware deployment across compromised networks.
Attackers typically utilize built-in system tools (netsh, PowerShell, iptables) or custom scripts to disable or modify firewall protections, emphasizing the importance of monitoring these activities closely and proactively.