T1562.004

Disable or Modify System Firewall

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done in numerous ways depending on the operating system, including via the command line, editing Windows Registry keys, and the Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would o...

Platforms: ESXi, Linux, macOS, Network Devices, Windows

45 Detections
3 Sources
17 Threat Actors

BY SOURCE

26 sigma, 12 splunk_escu, 7 elastic

PROCEDURES (25)

Auto-extracted procedure categories and their detection counts:

General Monitoring: 7 detections
Process Creation Monitoring: 7 detections
Network Connection Monitoring: 5 detections
Anomal: 2 detections
Bypass: 2 detections
Exfiltrat: 2 detections
Lateral: 2 detections
Remote: 1 detection
Bypass: 1 detection
Suspicious: 1 detection
Powershell: 1 detection
Privilege: 1 detection
Remote: 1 detection
Suspicious: 1 detection
Service: 1 detection
Persist: 1 detection
Script Execution Monitoring: 1 detection
Event Log: 1 detection
Persist: 1 detection
Service: 1 detection
Bypass: 1 detection
Privilege: 1 detection
Service: 1 detection
Suspicious: 1 detection
Registry Monitoring: 1 detection

DETECTIONS (45)

Each entry lists the detection name followed by its source and, where given, its severity level.

A Rule Has Been Deleted From The Windows Firewall Exception List (sigma, medium)
All Rules Have Been Deleted From The Windows Firewall Configuration (sigma, high)
Attempt to Disable IPTables or Firewall (elastic, medium)
Azure Firewall Modified or Deleted (sigma, medium)
Azure Firewall Rule Collection Modified or Deleted (sigma, medium)
Bpfdoor TCP Ports Redirect (sigma, medium)
Disable Microsoft Defender Firewall via Registry (sigma, medium)
Disable System Firewall (sigma, high)
Disable Windows Firewall by Registry (sigma, medium)
Disable Windows Firewall Rules via Netsh (elastic, medium)
Disabling Security Tools (sigma, medium)
Disabling Security Tools - Builtin (sigma, medium)
Enable Host Network Discovery via Netsh (elastic, medium)
ESXi Firewall Disabled (splunk_escu)
Firewall Allowed Program Enable (splunk_escu)
Firewall Disabled via Netsh.EXE (sigma, medium)
Firewall Rule Deleted Via Netsh.EXE (sigma, medium)
Flush Iptables Ufw Chain (sigma, medium)
FortiGate Overly Permissive Firewall Policy Created (elastic, high)
Linux Auditd Disable Or Modify System Firewall (splunk_escu)
Linux Iptables Firewall Modification (splunk_escu)
Linux Stdout Redirection To Dev Null File (splunk_escu)
Microsoft Intune DeviceManagementConfigurationPolicies (splunk_escu)
Modify System Firewall (sigma, medium)
Netsh Allow Group Policy on Microsoft Defender Firewall (sigma, medium)
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application (sigma, high)
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE (sigma, medium)
New Firewall Rule Added Via Netsh.EXE (sigma, medium)
Potential Evasion via Windows Filtering Platform (elastic, medium)
Processes launching netsh (splunk_escu)
RDP Connection Allowed Via Netsh.EXE (sigma, high)
Remote Desktop Enabled in Windows Firewall by Netsh (elastic, medium)
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE (sigma, high)
The Windows Defender Firewall Service Failed To Load Group Policy (sigma, low)
Ufw Force Stop Using Ufw-Init (sigma, medium)
Uncommon New Firewall Rule Added In Windows Firewall Exception List (sigma, medium)
Windows Defender Firewall Has Been Reset To Its Default Configuration (sigma, low)
Windows Delete or Modify System Firewall (splunk_escu)
Windows Firewall Disabled via PowerShell (elastic, medium)
Windows Firewall Profile Disabled (sigma, medium)
Windows Firewall Rule Added (splunk_escu)
Windows Firewall Rule Deletion (splunk_escu)
Windows Firewall Rule Modification (splunk_escu)
Windows Firewall Settings Have Been Changed (sigma, low)
Windows Modify System Firewall with Notable Process Path (splunk_escu)