Detect Disable or Modify System Firewall in Splunk
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done via command-line tools (netsh, iptables, ufw, pfctl), editing Windows Registry keys, or through the Windows Control Panel. On ESXi, firewall rules may be modified via esxcli. Adversaries may add new firewall rules for RDP on non-standard ports or open all traffic to enable C2, lateral movement, and data exfiltration.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.004 Disable or Modify System Firewall
- Canonical reference
- https://attack.mitre.org/techniques/T1562/004/
SPL Detection Query
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(CommandLine="*netsh advfirewall set*state off*" OR CommandLine="*netsh advfirewall firewall add*" OR CommandLine="*netsh advfirewall firewall delete*" OR CommandLine="*netsh firewall set opmode disable*" OR CommandLine="*Set-NetFirewallProfile*Enabled*False*" OR CommandLine="*New-NetFirewallRule*" OR CommandLine="*Remove-NetFirewallRule*"))
OR
(index=wineventlog sourcetype="WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" EventCode IN (2003, 2004, 2005, 2006, 2033))
OR
(index=linux sourcetype=syslog ("iptables -F" OR "iptables -X" OR "iptables -P INPUT ACCEPT" OR "ufw disable" OR "pfctl -d"))
| eval FirewallAction=case(
EventCode==2003, "Firewall Profile Changed",
EventCode==2004, "Firewall Rule Added",
EventCode==2005, "Firewall Rule Modified",
EventCode==2006, "Firewall Rule Deleted",
EventCode==2033, "Firewall Rule Modified (2033)",
match(_raw, "(?i)(state off|opmode disable|Enabled.*False|ufw disable|pfctl -d)"), "Firewall Disabled",
match(_raw, "(?i)(iptables -F|iptables -X)"), "IPTables Flushed",
match(_raw, "(?i)iptables -P.*ACCEPT"), "IPTables Accept All",
match(_raw, "(?i)(firewall add|New-NetFirewallRule)"), "Rule Added",
true(), "Other")
| table _time, host, User, EventCode, FirewallAction, CommandLine, Message
| sort - _timeCross-platform firewall tampering detection using Sysmon process creation, Windows Firewall event logs (2003-2006, 2033), and Linux syslog. Windows Firewall event IDs provide native detection even without command-line monitoring.
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators legitimately configuring firewall rules for new application deployments
- Automated deployment tools (Ansible, Puppet, Chef) that manage firewall rules as part of infrastructure-as-code
- Network troubleshooting where firewall is temporarily disabled and re-enabled within a change window
- Application installers that add firewall exceptions during setup
Other platforms for T1562.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable Windows Firewall All Profiles
Expected signal: Sysmon Event ID 1: netsh.exe process creation. Windows Firewall Event ID 2003: Firewall profile changed. Each profile state change generates a separate event.
- Test 2Add Firewall Rule for RDP on Non-Standard Port
Expected signal: Sysmon Event ID 1: netsh.exe with 'firewall add rule'. Windows Firewall Event ID 2004: A rule has been added.
- Test 3Flush IPTables Rules on Linux
Expected signal: Auditd execve syscall records for iptables. Syslog entries for iptables commands. MDE DeviceProcessEvents if MDE for Linux is deployed.
References (4)
Unlock Pro Content
Get the full detection package for T1562.004 including response playbook, investigation guide, and atomic red team tests.