Detect Disable or Modify System Firewall in IBM QRadar
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done via command-line tools (netsh, iptables, ufw, pfctl), editing Windows Registry keys, or through the Windows Control Panel. On ESXi, firewall rules may be modified via esxcli. Adversaries may add new firewall rules for RDP on non-standard ports or open all traffic to enable C2, lateral movement, and data exfiltration.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1562 Impair Defenses
- Sub-technique: T1562.004 Disable or Modify System Firewall
- Canonical reference: https://attack.mitre.org/techniques/T1562/004/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS SourceIP,
username AS UserName,
hostname AS HostName,
LOGSOURCENAME(logsourceid) AS LogSource,
CATEGORYNAME(category) AS Category,
"Process Name" AS ProcessName,
"Command" AS CommandLine,
CASE
WHEN "Command" ILIKE '%set allprofiles state off%' OR "Command" ILIKE '%opmode disable%' OR "Command" ILIKE '%-Enabled False%' OR "Command" ILIKE '%ufw disable%' OR "Command" ILIKE '%pfctl -d%' THEN 'Firewall Disabled'
WHEN "Command" ILIKE '%firewall add%' OR "Command" ILIKE '%New-NetFirewallRule%' THEN 'Firewall Rule Added'
WHEN "Command" ILIKE '%firewall delete%' OR "Command" ILIKE '%Remove-NetFirewallRule%' THEN 'Firewall Rule Deleted'
WHEN "Command" ILIKE '%iptables -F%' OR "Command" ILIKE '%iptables -X%' THEN 'IPTables Flushed'
WHEN "Command" ILIKE '%iptables -P%ACCEPT%' THEN 'IPTables Policy Set ACCEPT'
ELSE 'Other Firewall Modification'
END AS FirewallAction
FROM events
WHERE
LOGSOURCETYPEID IN (12, 13, 352)
AND starttime > NOW() - 1 DAYS
AND (
"Command" ILIKE '%netsh advfirewall set%'
OR "Command" ILIKE '%netsh advfirewall firewall add%'
OR "Command" ILIKE '%netsh advfirewall firewall delete%'
OR "Command" ILIKE '%netsh firewall set opmode disable%'
OR "Command" ILIKE '%Set-NetFirewallProfile%Enabled%False%'
OR "Command" ILIKE '%New-NetFirewallRule%'
OR "Command" ILIKE '%Remove-NetFirewallRule%'
OR "Command" ILIKE '%iptables -F%'
OR "Command" ILIKE '%iptables -X%'
OR "Command" ILIKE '%iptables -P INPUT ACCEPT%'
OR "Command" ILIKE '%ufw disable%'
OR "Command" ILIKE '%pfctl -d%'
OR "Command" ILIKE '%esxcli network firewall set%'
)
ORDER BY starttime DESC
LIMIT 1000
Detects firewall disablement or modification by querying QRadar process execution events for command-line patterns associated with netsh, the PowerShell NetFirewall cmdlets, iptables, ufw, pfctl and esxcli, and labels each hit for analyst triage. The "Command" and "Process Name" fields are custom event properties, so the rule only fires on log sources whose parser populates them. Note that the CASE labels and the WHERE filter are not fully aligned: the WHERE clause returns only 'iptables -P INPUT ACCEPT', so a FORWARD or OUTPUT policy change never reaches the 'IPTables Policy Set ACCEPT' branch, and esxcli hits fall through to 'Other Firewall Modification' because no branch names them.
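The rule's WHERE filter and CASE triage as runnable Python, added here as an example (it is not part of the page's original content and not QRadar code), so the patterns can be exercised offline against constructed command lines. It assumes only that AQL ILIKE '%x%' is a case-insensitive substring match; the change-window suppression, host names and user names are hypothetical tuning inputs. Running it also surfaces the gap between the two halves of the query: a command that CASE would label but WHERE never returns.

```python
# Added example (not from the page or from QRadar): a Python model of the AQL rule
# above. Assumes AQL ILIKE semantics; hosts, users and change windows are invented.
import re
from datetime import datetime

# Substring patterns copied from the WHERE clause.
FILTER_PATTERNS = [
    "%netsh advfirewall set%", "%netsh advfirewall firewall add%",
    "%netsh advfirewall firewall delete%", "%netsh firewall set opmode disable%",
    "%Set-NetFirewallProfile%Enabled%False%", "%New-NetFirewallRule%",
    "%Remove-NetFirewallRule%", "%iptables -F%", "%iptables -X%",
    "%iptables -P INPUT ACCEPT%", "%ufw disable%", "%pfctl -d%",
    "%esxcli network firewall set%",
]
# CASE branches in the rule's order; the first matching branch supplies the label.
TRIAGE_BRANCHES = [
    ("Firewall Disabled", ["%set allprofiles state off%", "%opmode disable%",
                           "%-Enabled False%", "%ufw disable%", "%pfctl -d%"]),
    ("Firewall Rule Added", ["%firewall add%", "%New-NetFirewallRule%"]),
    ("Firewall Rule Deleted", ["%firewall delete%", "%Remove-NetFirewallRule%"]),
    ("IPTables Flushed", ["%iptables -F%", "%iptables -X%"]),
    ("IPTables Policy Set ACCEPT", ["%iptables -P%ACCEPT%"]),
]
DEFAULT_LABEL = "Other Firewall Modification"


def ilike(value: str, pattern: str) -> bool:
    """AQL ILIKE: '%' matches any run, '_' one character, rest literal, case-insensitive."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def passes_filter(command: str) -> bool:
    """The WHERE clause, ignoring the log source and time bounds."""
    return any(ilike(command, p) for p in FILTER_PATTERNS)


def triage(command: str) -> str:
    """The CASE expression."""
    for label, patterns in TRIAGE_BRANCHES:
        if any(ilike(command, p) for p in patterns):
            return label
    return DEFAULT_LABEL


def dropped_by_filter(command: str) -> bool:
    """True when CASE has a label for the command but WHERE never returns the row."""
    return not passes_filter(command) and triage(command) != DEFAULT_LABEL


def in_change_window(event: dict, windows) -> bool:
    """Hypothetical tuning hook: approved change windows as (host, start, end) tuples."""
    return any(event["host"] == h and start <= event["time"] <= end for h, start, end in windows)


def run_detection(events, windows=()):
    """Filter, label and mark suppression; returns one hit per matching event."""
    hits = []
    for ev in events:
        if passes_filter(ev["command"]):
            hits.append({**ev, "action": triage(ev["command"]),
                         "suppressed": in_change_window(ev, windows)})
    return hits


# Constructed sample process-creation events (not real telemetry).
T = lambda minute: datetime(2024, 5, 3, 2, minute)
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "time": T(10),
     "command": "netsh advfirewall set allprofiles state off"},
    {"host": "ws01", "user": "alice", "time": T(11),
     "command": 'netsh advfirewall firewall add rule name="Remote Desktop" '
                "protocol=TCP dir=in localport=3389 action=allow"},
    {"host": "ws02", "user": "bob", "time": T(12),
     "command": "powershell.exe Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"},
    {"host": "web01", "user": "svc_deploy", "time": T(15),
     "command": "ufw disable"},                          # inside the approved window below
    {"host": "db02", "user": "root", "time": T(16), "command": "iptables -F"},
    {"host": "db02", "user": "root", "time": T(17),
     "command": "iptables -P FORWARD ACCEPT"},           # WHERE lists only INPUT: silently dropped
    {"host": "esx01", "user": "root", "time": T(18),
     "command": "esxcli network firewall set --default-action true"},  # no esxcli CASE branch
    {"host": "ws03", "user": "carol", "time": T(19),
     "command": "netsh advfirewall show allprofiles"},   # benign, must not match
]
# Constructed change-management window for web01 (hypothetical).
CHANGE_WINDOWS = [("web01", datetime(2024, 5, 3, 1, 0), datetime(2024, 5, 3, 3, 0))]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, CHANGE_WINDOWS):
        flag = " (suppressed: change window)" if hit["suppressed"] else ""
        print(f'{hit["host"]:6} {hit["user"]:11} {hit["action"]:28} {hit["command"]}{flag}')
    for ev in SAMPLE_EVENTS:
        if dropped_by_filter(ev["command"]):
            print("coverage gap, CASE would label but WHERE drops:", ev["command"])
```

Keeping the filter and the labels as data rather than hand-written conditions makes it cheap to diff them: the FORWARD policy event is the only sample that triage() can name but passes_filter() rejects, which is exactly the pattern to add to the WHERE clause (or to generalise to '%iptables -P%ACCEPT%') when tuning the rule.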
False Positives & Tuning
- IT operations teams executing firewall reconfiguration scripts during planned maintenance windows documented in change management systems.
- Penetration testing or red team exercises conducted with written authorization against internal network segments.
- Cloud or container orchestration platforms dynamically adjusting host firewall rules during scaling or deployment operations.
Testing Methodology
Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Disable Windows Firewall All Profiles
Expected signal: Sysmon Event ID 1: netsh.exe process creation. Windows Firewall Event ID 2003: firewall profile setting changed. Each profile state change generates a separate event.
- Test 2: Add Firewall Rule for RDP on Non-Standard Port
Expected signal: Sysmon Event ID 1: netsh.exe with 'firewall add rule'. Windows Firewall Event ID 2004: a rule has been added.
- Test 3: Flush IPTables Rules on Linux
Expected signal: auditd execve syscall records for iptables. Syslog entries for iptables commands. MDE DeviceProcessEvents if MDE for Linux is deployed.