DC0051 Firewall Rule Modification
| Item | Value |
|---|---|
| ID | DC0051 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 21 October 2025 |
Log Sources
| Name | Channel |
|---|---|
| AWS:CloudTrail | AuthorizeSecurityGroupIngress |
| AWS:CloudTrail | Create egress rule allowing UDP to port 53, 123, 11211 |
| AWS:CloudTrail | Ingress rule creation or modification for security group |
| AWS:CloudTrail | New security group created with permissive rules |
| esxi:hostd | vSphere API calls modifying firewall settings |
| Firewall Audit Logs | Config Change |
| Firewall Audit Logs | Outbound NAT Rule Changes |
| linux:syslog | iptables or nftables rule changes |
| networkdevice:cli | firewall disable commands or suspicious ACL modifications |
| networkdevice:Firewall | update_rule: Access control or NAT rule modified or disabled outside maintenance window |
| NSM:Firewall | Policy Change / Rule Update |
| NSM:Firewall | rule_modification: New or modified firewall rules related to wireless interfaces |
| WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | new rule allowing inbound or outbound connections for remote desktop software |
| WinEventLog:Security | Firewall Rule Modification |
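The table above lists the channels to collect; it does not show what a detection actually has to check once the events arrive. The following is an added example, not code from the ATT&CK page, that evaluates CloudTrail `AuthorizeSecurityGroupIngress`/`AuthorizeSecurityGroupEgress` records for the two conditions the AWS rows describe: an ingress rule open to any source (`0.0.0.0/0` or `::/0`), and an egress rule allowing UDP to the reflection ports 53, 123 or 11211. The record layout follows CloudTrail's EC2 format, where list parameters are wrapped as `{"items": [...]}`; the sample records, the account, principal ARNs and security group ID, and the 02:00-04:00 UTC maintenance window used to tag unscheduled changes are all constructed for the example.

```python
"""Added example: flag risky security-group rule changes in CloudTrail records.

Not from the ATT&CK page. Record shapes follow CloudTrail's EC2 format; the
sample records, ARNs, group ID and maintenance window below are constructed.
"""
import ipaddress
from datetime import datetime

# UDP destinations from the Log Sources table: common reflection/amplification services.
AMPLIFICATION_UDP_PORTS = {53, 123, 11211}
WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}


def _items(node):
    """CloudTrail wraps EC2 list parameters as {"items": [...]}; accept a bare list too."""
    if node is None:
        return []
    if isinstance(node, dict):
        return node.get("items", [])
    return list(node)


def permissions(record):
    """Yield (protocol, from_port, to_port, cidr) for every range in the request."""
    params = record.get("requestParameters") or {}
    for perm in _items(params.get("ipPermissions")):
        proto = str(perm.get("ipProtocol", "-1"))
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        cidrs = [r["cidrIp"] for r in _items(perm.get("ipRanges")) if "cidrIp" in r]
        cidrs += [r["cidrIpv6"] for r in _items(perm.get("ipv6Ranges")) if "cidrIpv6" in r]
        for cidr in cidrs:
            yield proto, lo, hi, cidr


def is_any_source(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero), i.e. the whole Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covers_port(lo, hi, port):
    """Protocol -1 (all) carries no port range; a missing or -1 range means every port."""
    if lo is None or hi is None or lo == -1:
        return True
    return lo <= port <= hi


def evaluate(record):
    """Return human-readable findings for one CloudTrail record (empty if benign)."""
    findings = []
    name = record.get("eventName")
    if name not in WATCHED_EVENTS:
        return findings
    group = (record.get("requestParameters") or {}).get("groupId", "?")
    who = (record.get("userIdentity") or {}).get("arn", "?")
    for proto, lo, hi, cidr in permissions(record):
        if name == "AuthorizeSecurityGroupIngress" and is_any_source(cidr):
            findings.append(f"{group}: ingress {proto} {lo}-{hi} from {cidr} by {who}")
        if name == "AuthorizeSecurityGroupEgress" and proto in ("udp", "-1"):
            hit = sorted(p for p in AMPLIFICATION_UDP_PORTS if covers_port(lo, hi, p))
            if hit:
                findings.append(f"{group}: egress UDP to {hit} via {cidr} by {who}")
    return findings


def outside_maintenance_window(record, window=(2, 4)):
    """Assumed nightly UTC change window (hours [start, end)); anything else is unscheduled."""
    t = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return not (window[0] <= t.hour < window[1])


def scan(records):
    """Run evaluate() over a batch and tag each finding with its scheduling context."""
    alerts = []
    for rec in records:
        for finding in evaluate(rec):
            tag = "unscheduled" if outside_maintenance_window(rec) else "in-window"
            alerts.append(f"[{tag}] {finding}")
    return alerts


SAMPLE_RECORDS = [  # constructed records, not real CloudTrail data
    {  # SSH opened to the world during business hours
        "eventTime": "2021-10-20T13:05:00Z",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    },
    {  # egress UDP/11211 (memcached) opened inside the change window
        "eventTime": "2021-10-20T03:10:00Z",
        "eventName": "AuthorizeSecurityGroupEgress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [{
                "ipProtocol": "udp", "fromPort": 11211, "toPort": 11211,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    },
    {  # HTTPS from an internal range: nothing to flag
        "eventTime": "2021-10-20T13:06:00Z",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
            }]},
        },
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Two design points carry over to the other rows in the table: protocol `-1` (all traffic) has no port range in the event, so a port check must treat a missing range as "every port" rather than skip it, and the maintenance-window tag is context, not a verdict; the same rule change is far more suspicious at 13:05 from a human user than at 03:10 from a deployment role, which is why the `networkdevice:Firewall` row singles out changes outside the window.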
Detection Strategy
| ID | Name | Technique Detected |
|---|---|---|
| DET0049 | Behavioral Detection of Network History and Configuration Tampering | T1070.007 |
| DET0145 | Detection of Disabled or Modified System Firewalls across OS Platforms | T1562.004 |
| DET0445 | Detection of Proxy Infrastructure Setup and Traffic Bridging | T1090 |
| DET0424 | Detection Strategy for Disable or Modify Cloud Firewall | T1562.007 |
| DET0173 | Detection Strategy for Endpoint DoS via Service Exhaustion Flood | T1499.002 |
| DET0317 | Detection Strategy for Impair Defenses Across Platforms | T1562 |
| DET0408 | Detection Strategy for Reflection Amplification DoS (T1498.002) | T1498.002 |
| DET0536 | Detection Strategy for Wi-Fi Networks | T1669 |
| DET0325 | External Proxy Behavior via Outbound Relay to Intermediate Infrastructure | T1090.002 |
| DET0075 | Internal Proxy Behavior via Lateral Host-to-Host C2 Relay | T1090.001 |
| DET0259 | Remote Desktop Software Execution and Beaconing Detection | T1219.002 |
| DET0306 | Unauthorized Network Firewall Rule Modification (T1562.013) | T1562.013 |