T1562.004 Disable or Modify System Firewall

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done in numerous ways depending on the operating system, including via the command line, by editing Windows Registry keys, and through the Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less secured port (i.e., Non-Standard Port).[1]

Item Value
ID T1562.004
Sub-techniques T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.1
Created 21 February 2020
Last Modified 28 February 2023

Procedure Examples

ID Name Description
G0082 APT38 APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[34]
S0031 BACKSPACE The “ZR” variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.[23]
S0245 BADCALL BADCALL disables the Windows firewall before binding to a port.[4]
G0008 Carbanak Carbanak may use netsh to add local firewall rule exceptions.[33]
S0492 CookieMiner CookieMiner has checked for the presence of “Little Snitch”, macOS network monitoring and application firewall software, stopping and exiting if it is found.[18]
S0687 Cyclops Blink Cyclops Blink can modify the Linux iptables firewall to enable C2 communication via a stored list of port numbers.[5][6]
S0334 DarkComet DarkComet can disable Security Center functions like the Windows Firewall.[11][12]
G0035 Dragonfly Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389.[35]
S0531 Grandoreiro Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.[22]
S0132 H1N1 H1N1 kills and disables services for Windows Firewall.[9]
S0246 HARDRAIN HARDRAIN opens the Windows Firewall to modify incoming connections.[13]
S0376 HOPLIGHT HOPLIGHT has modified the firewall using netsh.[10]
S0260 InvisiMole InvisiMole has a command to disable routing and the Firewall on the victim’s machine.[15]
S0088 Kasidet Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded.[21]
G0094 Kimsuky Kimsuky has been observed disabling the system firewall.[26]
G0032 Lazarus Group Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh.[31][29][30]
G0059 Magic Hound Magic Hound has added the following rule to a victim’s Windows firewall to allow RDP traffic: netsh advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389.[28][27]
G1009 Moses Staff Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.[8]
S0336 NanoCore NanoCore can modify the victim’s firewall.[19][20]
S0108 netsh netsh can be used to disable local firewall settings.[2][3]
S0385 njRAT njRAT has modified the Windows firewall to allow itself to communicate through the firewall.[16][17]
C0014 Operation Wocao During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.[36]
S1032 PyDCrypt PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using netsh.exe on remote machines.[8]
S0125 Remsec Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.[24]
G0106 Rocke Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.[25]
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.[37]
G0139 TeamTNT TeamTNT has disabled iptables.[32]
S0263 TYPEFRAME TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.[7]
S0412 ZxShell ZxShell can disable the firewall by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.[14]

Mitigations

ID Mitigation Description
M1047 Audit Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.
M1022 Restrict File and Directory Permissions Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.
M1024 Restrict Registry Permissions Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings.
M1018 User Account Management Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0018 Firewall Firewall Disable
DS0024 Windows Registry Windows Registry Key Modification
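Added example (not part of the ATT&CK page or of any MITRE tooling): detection logic for the three data components listed above, run over constructed command lines and a constructed registry write. The finding labels, the Windows command-line and PowerShell cmdlet patterns, the iptables pattern, and all sample records are this example's own assumptions; only the netsh rule and the FirewallPolicy registry key come from the procedure examples on this page.

```python
import re

# Registry key named in the ZxShell procedure example; EnableFirewall=0 switches that profile off.
FIREWALL_POLICY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# Command-line patterns (assumed): netsh current and legacy syntax, PowerShell NetSecurity cmdlets, iptables.
_DISABLE = re.compile(r"\bnetsh\b.*\b(state\s+off|opmode\s+(mode=)?disable)\b"
                      r"|Set-NetFirewallProfile\b.*-Enabled\s+(\$?false|0)\b"
                      r"|\biptables\b.*\s(-F|--flush|-P\s+\w+\s+ACCEPT)\b", re.I)
_ADD_RULE = re.compile(r"\bnetsh\b.*\badd\s+rule\b|New-NetFirewallRule\b", re.I)
_DEL_RULE = re.compile(r"\bnetsh\b.*\bdelete\s+rule\b|Remove-NetFirewallRule\b", re.I)
_INBOUND = re.compile(r"\bdir=in\b|-Direction\s+Inbound\b", re.I)
_ALLOW = re.compile(r"\baction=allow\b|-Action\s+Allow\b", re.I)
_PORT = re.compile(r"(?:\blocalport=|-LocalPort\s+)(\S+)", re.I)


def classify_command(cmdline: str) -> list[str]:
    """Map one process command line (Command Execution) to finding labels; [] means nothing matched."""
    findings = []
    if _DISABLE.search(cmdline):
        findings.append("firewall_disable")
    if _ADD_RULE.search(cmdline) and _INBOUND.search(cmdline) and _ALLOW.search(cmdline):
        port = _PORT.search(cmdline)
        findings.append("inbound_allow_rule:" + (port.group(1) if port else "any"))
    if _DEL_RULE.search(cmdline):
        findings.append("rule_deleted")
    return findings


def classify_registry(key: str, value: str, data: str) -> list[str]:
    """Flag any write under FirewallPolicy (Registry Key Modification); EnableFirewall=0 turns a profile off."""
    if not key.lower().startswith(FIREWALL_POLICY_KEY.lower()):
        return []
    if value.lower() == "enablefirewall" and data.strip().lower() in ("0", "0x0", "0x00000000"):
        return ["firewall_disable"]
    return ["firewall_policy_modified"]


# Constructed sample telemetry (not real logs); the first line is the Magic Hound rule quoted on this page.
SAMPLE_COMMANDS = [
    'netsh advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389',
    "netsh advfirewall set allprofiles state off",
    "netsh advfirewall firewall show rule name=all",   # read-only query, should not alert
    "iptables -P INPUT ACCEPT",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(classify_command(cmd) or "benign", "<-", cmd)
    print(classify_registry(FIREWALL_POLICY_KEY + r"\StandardProfile", "EnableFirewall", "0"))
```

The registry check deliberately alerts on every write under FirewallPolicy, not only EnableFirewall, because the Dragonfly example (globally opening port 3389) changes a different value under the same key.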

References

  1. The DFIR Report. (2022, March 1). “Change RDP port” #ContiLeaks. Retrieved March 1, 2022.
  2. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  3. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  4. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  7. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  8. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  9. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  10. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  11. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  12. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  13. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  14. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  15. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  16. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019.
  17. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  18. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  19. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  20. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  21. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  22. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  23. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  24. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  25. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  26. Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  27. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  28. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  29. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  30. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  31. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  32. Kol, R., Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  33. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
  34. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  35. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  36. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  37. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.