
DET0306 Unauthorized Network Firewall Rule Modification (T1562.013)

| Item | Value |
|---|---|
| ID | DET0306 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1562.013 (Disable or Modify Network Device Firewall)

Analytics

Network Devices

AN0855

Defender observes configuration changes on a firewall or network appliance (rule creation, modification, or deletion) originating from abnormal management IPs or non-console channels (e.g., remote CLI, API). These changes are often correlated with a spike in previously blocked outbound traffic, unexpected allow-all rules, or bulk rule deletions. The behavior often follows an unauthorized login, privilege escalation, or API abuse.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Firewall Rule Modification (DC0051) | networkdevice:Firewall | update_rule: Access control or NAT rule modified or disabled outside maintenance window |
| Logon Session Creation (DC0067) | networkdevice:Firewall | Login from untrusted IP, or new admin account accessing firewall console/API |
| Command Execution (DC0064) | networkdevice:Firewall | Audit trail or CLI/API access indicating commands like `no access-list`, `delete rule-set`, `clear config` |
| Network Connection Creation (DC0082) | NSM:Flow | Outbound traffic spike through formerly blocked ports/subnets following config change |
Mutable Elements

| Field | Description |
|---|---|
| TrustedAdminIPs | Allowlisted IPs/subnets where administrative access is expected (e.g., jump box, VPN mgmt) |
| ConfigChangeWindow | Expected maintenance window (e.g., 02:00–04:00 UTC) to filter benign changes |
| RuleScopeThreshold | Number of rules affected or port ranges modified to determine severity |
| NewUserPrivilegeThreshold | Flag new users making changes without observed privilege elevation path |
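The following is an added example, not part of the MITRE detection strategy page and not vendor code, showing how the AN0855 analytic and the mutable elements above can be turned into a concrete correlation rule. It parses constructed firewall audit records and NSM flow records in a made-up key=value syslog style (the field names `user`, `src`, `via`, `action`, `rule`, `dir`, `dport` and the tunable values are assumptions, not any appliance's real format), groups rule changes per management session, and scores each session against TrustedAdminIPs, ConfigChangeWindow and RuleScopeThreshold, then correlates the session with outbound flows on ports that were blocked before the change.

```python
import shlex
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Tunables mirroring the Mutable Elements table; these values are hypothetical.
TRUSTED_ADMIN_NETS = [ip_network("10.10.0.0/24")]  # TrustedAdminIPs (jump box / VPN mgmt)
CONFIG_CHANGE_WINDOW = (time(2, 0), time(4, 0))     # ConfigChangeWindow, 02:00-04:00 UTC
RULE_SCOPE_THRESHOLD = 3                            # RuleScopeThreshold: deletions per session
FLOW_SPIKE_THRESHOLD = 5                            # outbound flows on formerly blocked ports
CORRELATION_WINDOW = timedelta(minutes=10)          # how long after a change to look for flows

# Constructed sample records in a key=value syslog style (not a real vendor format).
CHANGE_LOG = """\
2025-10-21T03:10:00Z fw01 config user=netadmin src=10.10.0.5 via=console action=modify rule="deny tcp any any eq 445"
2025-10-21T14:02:11Z fw01 config user=svc-backup src=203.0.113.7 via=api action=delete rule="deny tcp any any eq 4444"
2025-10-21T14:02:12Z fw01 config user=svc-backup src=203.0.113.7 via=api action=delete rule="deny tcp any any eq 8443"
2025-10-21T14:02:13Z fw01 config user=svc-backup src=203.0.113.7 via=api action=delete rule="deny udp any any eq 53"
2025-10-21T14:02:20Z fw01 config user=svc-backup src=203.0.113.7 via=api action=add rule="permit ip any any"
"""
FLOW_LOG = """\
2025-10-21T14:03:01Z fw01 flow dir=out dst=198.51.100.9 dport=4444
2025-10-21T14:03:02Z fw01 flow dir=out dst=198.51.100.9 dport=4444
2025-10-21T14:03:03Z fw01 flow dir=out dst=198.51.100.9 dport=4444
2025-10-21T14:03:04Z fw01 flow dir=out dst=198.51.100.9 dport=4444
2025-10-21T14:03:05Z fw01 flow dir=out dst=198.51.100.9 dport=8443
2025-10-21T14:03:06Z fw01 flow dir=out dst=198.51.100.9 dport=4444
2025-10-21T14:03:07Z fw01 flow dir=out dst=203.0.113.50 dport=443
"""


def parse_kv(line):
    """Split one constructed log line into (timestamp, record kind, {key: value})."""
    ts_str, _host, kind, *rest = shlex.split(line)  # shlex keeps the quoted rule text together
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kind, dict(tok.split("=", 1) for tok in rest)


def is_trusted(ip):
    """TrustedAdminIPs check: is the management source inside an allowlisted subnet?"""
    return any(ip_address(ip) in net for net in TRUSTED_ADMIN_NETS)


def in_window(ts):
    """ConfigChangeWindow check: did the change happen inside the maintenance window?"""
    start, end = CONFIG_CHANGE_WINDOW
    return start <= ts.time() < end


def is_allow_all(rule):
    # Crude check for an "unexpected allow-all" rule; adapt to the appliance's rule syntax.
    tokens = rule.lower().split()
    return tokens[0] == "permit" and tokens[-2:] == ["any", "any"]


def analyze(change_log, flow_log, formerly_blocked_ports):
    """Group rule changes per (user, source IP) session and score each against the tunables.

    Returns a list of findings; a session with no suspicious indicator yields nothing.
    """
    changes = [parse_kv(l) for l in change_log.splitlines() if l.strip()]
    flows = [parse_kv(l) for l in flow_log.splitlines() if l.strip()]
    sessions = {}
    for ts, _, fields in changes:
        sessions.setdefault((fields["user"], fields["src"]), []).append((ts, fields))

    findings = []
    for (user, src), events in sessions.items():
        reasons, high = [], False
        if not is_trusted(src):
            reasons.append(f"management access from untrusted IP {src}")
        channels = {f["via"] for _, f in events} - {"console"}
        if channels:
            reasons.append("non-console channel: " + ", ".join(sorted(channels)))
        if any(not in_window(ts) for ts, _ in events):
            reasons.append("change outside maintenance window")
        if any(f["action"] == "add" and is_allow_all(f["rule"]) for _, f in events):
            reasons.append("allow-all rule added")
            high = True
        deletes = sum(1 for _, f in events if f["action"] == "delete")
        if deletes >= RULE_SCOPE_THRESHOLD:
            reasons.append(f"bulk deletion of {deletes} rules")
            high = True
        # Correlate with NSM flow data: outbound traffic on ports that were blocked before the change.
        first = min(ts for ts, _ in events)
        spike = sum(1 for ts, _, f in flows
                    if f.get("dir") == "out" and int(f["dport"]) in formerly_blocked_ports
                    and first <= ts <= first + CORRELATION_WINDOW)
        if spike >= FLOW_SPIKE_THRESHOLD:
            minutes = CORRELATION_WINDOW.seconds // 60
            reasons.append(f"{spike} outbound flows on formerly blocked ports within {minutes} minutes")
            high = True
        if reasons:
            findings.append({"user": user, "src_ip": src,
                             "severity": "high" if high else "medium", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(CHANGE_LOG, FLOW_LOG, {4444, 8443, 53}):
        print(finding["severity"].upper(), finding["user"], finding["src_ip"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed sample the console change by `netadmin` inside the maintenance window produces no finding, while the `svc-backup` API session from an untrusted address is reported as high severity for the bulk deletions, the allow-all rule and the outbound spike on port 4444/8443 that followed. The set of formerly blocked ports is passed in explicitly because the analytic depends on knowing the pre-change policy; in practice it would come from the last known-good configuration snapshot rather than from the change log itself.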