T1562.004 Google Chronicle · YARA-L

Detect Disable or Modify System Firewall in Google Chronicle

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done via command-line tools (netsh, iptables, ufw, pfctl), editing Windows Registry keys, or through the Windows Control Panel. On ESXi, firewall rules may be modified via esxcli. Adversaries may add new firewall rules for RDP on non-standard ports or open all traffic to enable C2, lateral movement, and data exfiltration.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.004 Disable or Modify System Firewall
Canonical reference
https://attack.mitre.org/techniques/T1562/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule disable_or_modify_system_firewall {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects attempts to disable or modify system firewalls via netsh, iptables, ufw, pfctl, PowerShell cmdlets, or esxcli on Windows, Linux, or ESXi hosts."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.004"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-20"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `(?i)netsh\s+advfirewall\s+set`) or
      re.regex($e.target.process.command_line, `(?i)netsh\s+advfirewall\s+firewall\s+(add|delete)`) or
      re.regex($e.target.process.command_line, `(?i)netsh\s+firewall\s+set\s+opmode\s+disable`) or
      re.regex($e.target.process.command_line, `(?i)Set-NetFirewallProfile.{0,50}-Enabled\s+False`) or
      re.regex($e.target.process.command_line, `(?i)(New|Remove)-NetFirewallRule`) or
      re.regex($e.target.process.command_line, `(?i)iptables\s+(-F|-X|-P\s+INPUT\s+ACCEPT|-P\s+FORWARD\s+ACCEPT)`) or
      re.regex($e.target.process.command_line, `(?i)ufw\s+disable`) or
      re.regex($e.target.process.command_line, `(?i)pfctl\s+-d`) or
      re.regex($e.target.process.command_line, `(?i)esxcli\s+network\s+firewall\s+set`)
    )
    // The match section groups on a placeholder variable, not on a raw UDM field path.
    $hostname = $e.principal.hostname

  match:
    $hostname over 5m

  outcome:
    // With a match section, several events can share one detection, so outcome values
    // are aggregated. if() takes three arguments (condition, then, else), so the
    // categories are nested; the first true branch wins.
    $firewall_action = array_distinct(
      if(re.regex($e.target.process.command_line, `(?i)(state off|opmode disable|Enabled.*False|ufw disable|pfctl -d)`), "Firewall Disabled",
      if(re.regex($e.target.process.command_line, `(?i)(firewall add|New-NetFirewallRule)`), "Rule Added",
      if(re.regex($e.target.process.command_line, `(?i)(firewall delete|Remove-NetFirewallRule)`), "Rule Deleted",
      if(re.regex($e.target.process.command_line, `(?i)iptables -[FX]`), "IPTables Flushed",
      if(re.regex($e.target.process.command_line, `(?i)iptables -P.*ACCEPT`), "IPTables Policy ACCEPT",
      "Other Modification")))))
    )
    $username = array_distinct($e.principal.user.userid)
    $process_name = array_distinct($e.target.process.file.full_path)
    $command_line = array_distinct($e.target.process.command_line)

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting firewall disablement or modification via process launches whose command lines contain firewall management patterns, across Windows (netsh, PowerShell), Linux/BSD (iptables, ufw, pfctl) and VMware ESXi (esxcli). It outputs a categorized firewall action type for triage.
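To check the rule's regex logic before deploying it, the following added Python script (not part of this page or of the Argus rule itself) applies the same event-section patterns and outcome-section branches to constructed PROCESS_LAUNCH events, then groups hits per hostname over the rule's 5-minute window with array_distinct semantics for the action label. The event dictionaries, hostnames, user IDs and timestamps are constructed sample data; it is assumed that Python's re module treats these patterns the same way Chronicle's RE2 engine does, which holds for the constructs used here.

```python
"""Offline check of the T1562.004 YARA-L rule's regex logic against constructed events."""
import re
from dataclasses import dataclass, field

# Event-section patterns, copied verbatim from the rule's re.regex() clauses.
EVENT_PATTERNS = [re.compile(p) for p in (
    r"(?i)netsh\s+advfirewall\s+set",
    r"(?i)netsh\s+advfirewall\s+firewall\s+(add|delete)",
    r"(?i)netsh\s+firewall\s+set\s+opmode\s+disable",
    r"(?i)Set-NetFirewallProfile.{0,50}-Enabled\s+False",
    r"(?i)(New|Remove)-NetFirewallRule",
    r"(?i)iptables\s+(-F|-X|-P\s+INPUT\s+ACCEPT|-P\s+FORWARD\s+ACCEPT)",
    r"(?i)ufw\s+disable",
    r"(?i)pfctl\s+-d",
    r"(?i)esxcli\s+network\s+firewall\s+set",
)]

# Outcome-section branches in the rule's order; the first hit wins, like nested if().
ACTION_PATTERNS = [(re.compile(p), label) for p, label in (
    (r"(?i)(state off|opmode disable|Enabled.*False|ufw disable|pfctl -d)", "Firewall Disabled"),
    (r"(?i)(firewall add|New-NetFirewallRule)", "Rule Added"),
    (r"(?i)(firewall delete|Remove-NetFirewallRule)", "Rule Deleted"),
    (r"(?i)iptables -[FX]", "IPTables Flushed"),
    (r"(?i)iptables -P.*ACCEPT", "IPTables Policy ACCEPT"),
)]
DEFAULT_ACTION = "Other Modification"
MATCH_WINDOW_SECONDS = 300  # the rule's "over 5m"


def matches_events(command_line: str) -> bool:
    """True if any event-section pattern matches (the rule's OR block)."""
    return any(p.search(command_line) for p in EVENT_PATTERNS)


def classify(command_line: str) -> str:
    """Return the $firewall_action label the outcome section would assign."""
    for pattern, label in ACTION_PATTERNS:
        if pattern.search(command_line):
            return label
    return DEFAULT_ACTION


@dataclass
class Detection:
    """One detection per (hostname, 5-minute window), as the match section produces."""
    hostname: str
    window_start: int
    actions: list = field(default_factory=list)   # array_distinct($firewall_action)
    users: set = field(default_factory=set)       # array_distinct($username)
    command_lines: list = field(default_factory=list)


def evaluate(events: list) -> list:
    """Apply events -> match (per hostname, 5m window) -> outcome."""
    hits = sorted((e for e in events if e["event_type"] == "PROCESS_LAUNCH"
                   and matches_events(e["command_line"])), key=lambda e: e["ts"])
    detections = []
    open_windows = {}  # hostname -> Detection currently collecting events
    for e in hits:
        host = e["hostname"]
        d = open_windows.get(host)
        if d is None or e["ts"] - d.window_start > MATCH_WINDOW_SECONDS:
            d = Detection(hostname=host, window_start=e["ts"])
            open_windows[host] = d
            detections.append(d)
        action = classify(e["command_line"])
        if action not in d.actions:  # array_distinct: keep one copy of each label
            d.actions.append(action)
        d.users.add(e["userid"])
        d.command_lines.append(e["command_line"])
    return detections


# Constructed sample events (not real telemetry); ts is seconds since epoch.
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "hostname": "WS01", "userid": "jdoe", "ts": 1000,
     "command_line": "netsh advfirewall set allprofiles state off"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "WS01", "userid": "jdoe", "ts": 1060,
     "command_line": 'netsh advfirewall firewall add rule name="RDP-alt" dir=in action=allow protocol=TCP localport=3390'},
    {"event_type": "PROCESS_LAUNCH", "hostname": "WS01", "userid": "jdoe", "ts": 1100,
     "command_line": "netsh advfirewall show allprofiles"},           # benign: no pattern matches
    {"event_type": "PROCESS_LAUNCH", "hostname": "SRV02", "userid": "root", "ts": 2000,
     "command_line": "iptables -F"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "SRV02", "userid": "root", "ts": 2400,
     "command_line": "iptables -P INPUT ACCEPT"},                     # more than 5m later: new window
    {"event_type": "PROCESS_LAUNCH", "hostname": "ESX01", "userid": "root", "ts": 3000,
     "command_line": "esxcli network firewall set --enabled false"},
    {"event_type": "NETWORK_CONNECTION", "hostname": "WS01", "userid": "jdoe", "ts": 3100,
     "command_line": "ufw disable"},                                  # wrong event_type: ignored
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS):
        print(f"{d.hostname} @ {d.window_start}: {d.actions} users={sorted(d.users)}")
```

Running it shows four detections: WS01 collapses the disable and the rule-add into one window with two distinct action labels, SRV02 splits into two windows because the second command falls outside 5 minutes, and the esxcli command lands in "Firewall Disabled" only because `Enabled.*False` happens to match `--enabled false` case-insensitively, a dependency worth knowing about when tuning the outcome branches.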

Data Sources

  • Google Chronicle UDM
  • Windows Sysmon via Chronicle forwarder
  • Linux Auditd via Chronicle forwarder
  • CrowdStrike Falcon via Chronicle integration

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • Legitimate use of configuration management automation (Ansible, Terraform) deploying firewall rule changes during infrastructure provisioning recorded in change management systems.
  • System administrators executing documented firewall policy updates during approved maintenance windows, particularly on hardened build pipelines.
  • Security operations center analysts intentionally disabling firewall rules on isolated sandbox machines for malware analysis or threat emulation exercises.

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Disable Windows Firewall All Profiles

    Expected signal: Sysmon Event ID 1: netsh.exe process creation. Windows Firewall Event ID 2003: Firewall profile changed. Each profile state change generates a separate event.

  2. Test 2: Add Firewall Rule for RDP on Non-Standard Port

    Expected signal: Sysmon Event ID 1: netsh.exe with 'firewall add rule'. Windows Firewall Event ID 2004: A rule has been added.

  3. Test 3: Flush IPTables Rules on Linux

    Expected signal: Auditd execve syscall records for iptables. Syslog entries for iptables commands. MDE DeviceProcessEvents if MDE for Linux is deployed.
