T1562.004 Disable or Modify System Firewall Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let FirewallCommands = dynamic(["netsh advfirewall set", "netsh advfirewall firewall add", "netsh advfirewall firewall delete", "netsh firewall set opmode disable", "Set-NetFirewallProfile -Enabled False", "Set-NetFirewallProfile -All -Enabled False", "New-NetFirewallRule", "Remove-NetFirewallRule", "iptables -F", "iptables -X", "iptables -P INPUT ACCEPT", "iptables -P FORWARD ACCEPT", "ufw disable", "pfctl -d", "esxcli network firewall set"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (FirewallCommands)
| extend FirewallAction = case(
    ProcessCommandLine has "set allprofiles state off" or ProcessCommandLine has "opmode disable" or ProcessCommandLine has "-Enabled False" or ProcessCommandLine has "ufw disable" or ProcessCommandLine has "pfctl -d", "Firewall Disabled",
    ProcessCommandLine has "firewall add" or ProcessCommandLine has "New-NetFirewallRule", "Rule Added",
    ProcessCommandLine has "firewall delete" or ProcessCommandLine has "Remove-NetFirewallRule", "Rule Deleted",
    ProcessCommandLine has "iptables -F" or ProcessCommandLine has "iptables -X", "IPTables Flushed",
    ProcessCommandLine has "iptables -P" and ProcessCommandLine has "ACCEPT", "IPTables Policy Set to ACCEPT",
    "Other Modification")
| extend RuleDetail = extract(@"(?:rule\s+name=|--dport\s+)(\"?[^\"\s]+\"?)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FirewallAction, RuleDetail, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Firewall: Firewall Rule Modification Firewall: Firewall Disable

Required Tables

DeviceProcessEvents

False Positives

System administrators legitimately configuring firewall rules for new application deployments
Automated deployment tools (Ansible, Puppet, Chef) that manage firewall rules as part of infrastructure-as-code
Network troubleshooting where firewall is temporarily disabled and re-enabled within a change window
Application installers that add firewall exceptions during setup (e.g., SQL Server, IIS)

Splunk

spl

(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*netsh advfirewall set*state off*" OR CommandLine="*netsh advfirewall firewall add*" OR CommandLine="*netsh advfirewall firewall delete*" OR CommandLine="*netsh firewall set opmode disable*" OR CommandLine="*Set-NetFirewallProfile*Enabled*False*" OR CommandLine="*New-NetFirewallRule*" OR CommandLine="*Remove-NetFirewallRule*"))
OR
(index=wineventlog sourcetype="WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" EventCode IN (2003, 2004, 2005, 2006, 2033))
OR
(index=linux sourcetype=syslog ("iptables -F" OR "iptables -X" OR "iptables -P INPUT ACCEPT" OR "ufw disable" OR "pfctl -d"))
| eval FirewallAction=case(
    EventCode==2003, "Firewall Profile Changed",
    EventCode==2004, "Firewall Rule Added",
    EventCode==2005, "Firewall Rule Modified",
    EventCode==2006, "Firewall Rule Deleted",
    EventCode==2033, "Firewall Rule Modified (2033)",
    match(_raw, "(?i)(state off|opmode disable|Enabled.*False|ufw disable|pfctl -d)"), "Firewall Disabled",
    match(_raw, "(?i)(iptables -F|iptables -X)"), "IPTables Flushed",
    match(_raw, "(?i)iptables -P.*ACCEPT"), "IPTables Accept All",
    match(_raw, "(?i)(firewall add|New-NetFirewallRule)"), "Rule Added",
    true(), "Other")
| table _time, host, User, EventCode, FirewallAction, CommandLine, Message
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Firewall: Firewall Rule Modification Windows Firewall Event Log Linux Syslog

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall syslog

False Positives

System administrators legitimately configuring firewall rules for new application deployments
Automated deployment tools (Ansible, Puppet, Chef) that manage firewall rules as part of infrastructure-as-code
Network troubleshooting where firewall is temporarily disabled and re-enabled within a change window
Application installers that add firewall exceptions during setup

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=5m
  [process where event.type == "start" and (
    (process.name in ("netsh.exe", "cmd.exe", "powershell.exe") and (
      process.args : "*advfirewall*" and process.args : ("*set allprofiles state off*", "*opmode disable*", "*firewall add*", "*firewall delete*")
    )) or
    (process.name == "powershell.exe" and (
      process.args : "*Set-NetFirewallProfile*" and process.args : "*Enabled*False*" or
      process.args : "*New-NetFirewallRule*" or
      process.args : "*Remove-NetFirewallRule*"
    )) or
    (process.name in ("iptables", "ip6tables") and process.args : ("-F", "-X", "-P")) or
    (process.name == "ufw" and process.args : "disable") or
    (process.name == "pfctl" and process.args : "-d") or
    (process.name == "esxcli" and process.args : "*network firewall set*")
  )]
| where not (user.name in ("ansible", "chef", "puppet") and process.parent.name in ("ansible-playbook", "ruby"))

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

Legitimate system administrators running firewall configuration scripts during maintenance windows or change control procedures.
Configuration management tools such as Ansible, Chef, Puppet, or SaltStack modifying firewall rules as part of automated infrastructure provisioning.
Security scanning tools or vulnerability management platforms temporarily modifying firewall rules to perform authorized network assessments.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS UserName,
  hostname AS HostName,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  CASE
    WHEN "Command" ILIKE '%set allprofiles state off%' OR "Command" ILIKE '%opmode disable%' OR "Command" ILIKE '%-Enabled False%' OR "Command" ILIKE '%ufw disable%' OR "Command" ILIKE '%pfctl -d%' THEN 'Firewall Disabled'
    WHEN "Command" ILIKE '%firewall add%' OR "Command" ILIKE '%New-NetFirewallRule%' THEN 'Firewall Rule Added'
    WHEN "Command" ILIKE '%firewall delete%' OR "Command" ILIKE '%Remove-NetFirewallRule%' THEN 'Firewall Rule Deleted'
    WHEN "Command" ILIKE '%iptables -F%' OR "Command" ILIKE '%iptables -X%' THEN 'IPTables Flushed'
    WHEN "Command" ILIKE '%iptables -P%ACCEPT%' THEN 'IPTables Policy Set ACCEPT'
    ELSE 'Other Firewall Modification'
  END AS FirewallAction
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 352)
  AND starttime > NOW() - 1 DAYS
  AND (
    "Command" ILIKE '%netsh advfirewall set%'
    OR "Command" ILIKE '%netsh advfirewall firewall add%'
    OR "Command" ILIKE '%netsh advfirewall firewall delete%'
    OR "Command" ILIKE '%netsh firewall set opmode disable%'
    OR "Command" ILIKE '%Set-NetFirewallProfile%Enabled%False%'
    OR "Command" ILIKE '%New-NetFirewallRule%'
    OR "Command" ILIKE '%Remove-NetFirewallRule%'
    OR "Command" ILIKE '%iptables -F%'
    OR "Command" ILIKE '%iptables -X%'
    OR "Command" ILIKE '%iptables -P INPUT ACCEPT%'
    OR "Command" ILIKE '%ufw disable%'
    OR "Command" ILIKE '%pfctl -d%'
    OR "Command" ILIKE '%esxcli network firewall set%'
  )
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

QRadar Windows Sysmon DSM QRadar Linux OS DSM QRadar Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

IT operations teams executing firewall reconfiguration scripts during planned maintenance windows documented in change management systems.
Penetration testing or red team exercises conducted with written authorization against internal network segments.
Cloud or container orchestration platforms dynamically adjusting host firewall rules during scaling or deployment operations.

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="linux/syslog" OR _sourceCategory="windows/security")
| where (%"EventCode" = "1" OR %"event_id" = "1" OR %"EventCode" = "4688" OR %"sourcetype" = "linux_secure")
| where CommandLine matches /(?i)(netsh advfirewall set|netsh advfirewall firewall add|netsh advfirewall firewall delete|netsh firewall set opmode disable|Set-NetFirewallProfile.*Enabled.*False|New-NetFirewallRule|Remove-NetFirewallRule|iptables -F|iptables -X|iptables -P INPUT ACCEPT|iptables -P FORWARD ACCEPT|ufw disable|pfctl -d|esxcli network firewall set)/
| if(CommandLine matches /(?i)(state off|opmode disable|Enabled.*False|ufw disable|pfctl -d)/, "Firewall Disabled",
   if(CommandLine matches /(?i)(firewall add|New-NetFirewallRule)/, "Rule Added",
   if(CommandLine matches /(?i)(firewall delete|Remove-NetFirewallRule)/, "Rule Deleted",
   if(CommandLine matches /(?i)iptables -[FX]/, "IPTables Flushed",
   if(CommandLine matches /(?i)iptables -P.*ACCEPT/, "IPTables Policy ACCEPT",
   "Other Modification"))))) as FirewallAction
| fields _messageTime, host, User, CommandLine, FirewallAction, ParentImage
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sumo Logic Installed Collector (Linux) Sumo Logic Cloud Syslog

Required Tables

windows/sysmon linux/syslog windows/security

False Positives

Authorized firewall policy deployments by network operations teams during scheduled change windows with proper change management tickets.
DevOps CI/CD pipelines automatically configuring firewall rules on newly provisioned virtual machines or containers during infrastructure-as-code workflows.
Endpoint security products or host-based intrusion prevention systems modifying firewall rules as part of their own protection mechanisms.

Google Chronicle / SecOps

yaral

rule disable_or_modify_system_firewall {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects attempts to disable or modify system firewalls via netsh, iptables, ufw, pfctl, PowerShell cmdlets, or esxcli on Windows, Linux, or ESXi hosts."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.004"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-20"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `(?i)netsh\s+advfirewall\s+set`) or
      re.regex($e.target.process.command_line, `(?i)netsh\s+advfirewall\s+firewall\s+(add|delete)`) or
      re.regex($e.target.process.command_line, `(?i)netsh\s+firewall\s+set\s+opmode\s+disable`) or
      re.regex($e.target.process.command_line, `(?i)Set-NetFirewallProfile.{0,50}-Enabled\s+False`) or
      re.regex($e.target.process.command_line, `(?i)(New|Remove)-NetFirewallRule`) or
      re.regex($e.target.process.command_line, `(?i)iptables\s+(-F|-X|-P\s+INPUT\s+ACCEPT|-P\s+FORWARD\s+ACCEPT)`) or
      re.regex($e.target.process.command_line, `(?i)ufw\s+disable`) or
      re.regex($e.target.process.command_line, `(?i)pfctl\s+-d`) or
      re.regex($e.target.process.command_line, `(?i)esxcli\s+network\s+firewall\s+set`)
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $firewall_action = if(
      re.regex($e.target.process.command_line, `(?i)(state off|opmode disable|Enabled.*False|ufw disable|pfctl -d)`), "Firewall Disabled",
      re.regex($e.target.process.command_line, `(?i)(firewall add|New-NetFirewallRule)`), "Rule Added",
      re.regex($e.target.process.command_line, `(?i)(firewall delete|Remove-NetFirewallRule)`), "Rule Deleted",
      re.regex($e.target.process.command_line, `(?i)iptables -[FX]`), "IPTables Flushed",
      re.regex($e.target.process.command_line, `(?i)iptables -P.*ACCEPT`), "IPTables Policy ACCEPT",
      "Other Modification"
    )
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_name = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Sysmon via Chronicle forwarder Linux Auditd via Chronicle forwarder CrowdStrike Falcon via Chronicle integration

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate use of configuration management automation (Ansible, Terraform) deploying firewall rule changes during infrastructure provisioning recorded in change management systems.
System administrators executing documented firewall policy updates during approved maintenance windows, particularly on hardened build pipelines.
Security operations center analysts intentionally disabling firewall rules on isolated sandbox machines for malware analysis or threat emulation exercises.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(netsh\s+advfirewall\s+set|netsh\s+advfirewall\s+firewall\s+(add|delete)|netsh\s+firewall\s+set\s+opmode\s+disable|Set-NetFirewallProfile.{0,60}Enabled.{0,10}False|(New|Remove)-NetFirewallRule|iptables\s+(-F|-X|-P\s+(INPUT|FORWARD)\s+ACCEPT)|ufw\s+disable|pfctl\s+-d|esxcli\s+network\s+firewall\s+set)/
| FirewallAction := if(
    CommandLine = /(?i)(state off|opmode disable|Enabled.*False|ufw disable|pfctl -d)/, "Firewall Disabled",
    CommandLine = /(?i)(firewall add|New-NetFirewallRule)/, "Rule Added",
    CommandLine = /(?i)(firewall delete|Remove-NetFirewallRule)/, "Rule Deleted",
    CommandLine = /(?i)iptables -[FX]/, "IPTables Flushed",
    CommandLine = /(?i)iptables -P.*ACCEPT/, "IPTables Policy ACCEPT",
    "Other Modification"
  )
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, FirewallAction, ParentBaseFileName, ParentCommandLine])
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) CrowdStrike Falcon LogScale

Required Tables

ProcessRollup2

False Positives

Authorized IT operations team members running firewall configuration scripts as part of documented change management processes, particularly on server build pipelines.
CrowdStrike Falcon sensor itself or other endpoint security agents modifying host firewall rules as part of their normal operation and self-protection mechanisms.
Software deployment systems (SCCM, Intune, Chef, Ansible) configuring host firewall rules during application installation or OS baseline hardening.

Disable or Modify System Firewall

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections