T1562.004 Microsoft Sentinel · KQL

Detect Disable or Modify System Firewall in Microsoft Sentinel

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done via command-line tools (netsh, iptables, ufw, pfctl), editing Windows Registry keys, or through the Windows Control Panel. On ESXi, firewall rules may be modified via esxcli. Adversaries may add new firewall rules for RDP on non-standard ports or open all traffic to enable C2, lateral movement, and data exfiltration.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.004 Disable or Modify System Firewall
Canonical reference
https://attack.mitre.org/techniques/T1562/004/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let FirewallCommands = dynamic(["netsh advfirewall set", "netsh advfirewall firewall add", "netsh advfirewall firewall delete", "netsh firewall set opmode disable", "Set-NetFirewallProfile -Enabled False", "Set-NetFirewallProfile -All -Enabled False", "New-NetFirewallRule", "Remove-NetFirewallRule", "iptables -F", "iptables -X", "iptables -P INPUT ACCEPT", "iptables -P FORWARD ACCEPT", "ufw disable", "pfctl -d", "esxcli network firewall set"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (FirewallCommands)
| extend FirewallAction = case(
    ProcessCommandLine has "set allprofiles state off" or ProcessCommandLine has "opmode disable" or ProcessCommandLine has "-Enabled False" or ProcessCommandLine has "ufw disable" or ProcessCommandLine has "pfctl -d", "Firewall Disabled",
    ProcessCommandLine has "firewall add" or ProcessCommandLine has "New-NetFirewallRule", "Rule Added",
    ProcessCommandLine has "firewall delete" or ProcessCommandLine has "Remove-NetFirewallRule", "Rule Deleted",
    ProcessCommandLine has "iptables -F" or ProcessCommandLine has "iptables -X", "IPTables Flushed",
    ProcessCommandLine has "iptables -P" and ProcessCommandLine has "ACCEPT", "IPTables Policy Set to ACCEPT",
    "Other Modification")
| extend RuleDetail = extract(@"(?:rule\s+name=|--dport\s+)(\"?[^\"\s]+\"?)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FirewallAction, RuleDetail, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
high severity high confidence

Detects system firewall disablement and rule modification across Windows (netsh, PowerShell NetFirewall cmdlets), Linux (iptables, ufw), macOS (pfctl), and ESXi (esxcli). Classifies the action type (disabled, rule added/deleted, policy flushed) for triage prioritization.

Data Sources

Process: Process CreationCommand: Command ExecutionFirewall: Firewall Rule ModificationFirewall: Firewall Disable

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • System administrators legitimately configuring firewall rules for new application deployments
  • Automated deployment tools (Ansible, Puppet, Chef) that manage firewall rules as part of infrastructure-as-code
  • Network troubleshooting where firewall is temporarily disabled and re-enabled within a change window
  • Application installers that add firewall exceptions during setup (e.g., SQL Server, IIS)
Download portable Sigma rule (.yml)

Other platforms for T1562.004

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Disable Windows Firewall All Profiles

    Expected signal: Sysmon Event ID 1: netsh.exe process creation. Windows Firewall Event ID 2003: Firewall profile changed. Each profile state change generates a separate event.

  2. Test 2Add Firewall Rule for RDP on Non-Standard Port

    Expected signal: Sysmon Event ID 1: netsh.exe with 'firewall add rule'. Windows Firewall Event ID 2004: A rule has been added.

  3. Test 3Flush IPTables Rules on Linux

    Expected signal: Auditd execve syscall records for iptables. Syslog entries for iptables commands. MDE DeviceProcessEvents if MDE for Linux is deployed.

Last updated: 2026-04-20 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1562.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.009Safe Mode BootT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.007Disable or Modify Cloud FirewallT1562.013Disable or Modify Network Device FirewallT1021.001Remote Desktop ProtocolT1571Non-Standard PortT1112Modify Registry

Same Tactic: Defense Evasion

Popular Detections