T1562.013

Disable or Modify Network Device Firewall

Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Adversaries may gain access to the firewall management console via Valid Accounts or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet. This technique was used by APT38 to create firewall exemptions on specific ports, and by threat actors exploiting Fortinet FortiGate vulnerabilities (CVE-2024-55591) to modify firewall rules before deploying LockBit ransomware.

Microsoft Sentinel / Defender

kusto

let FirewallCommands = dynamic([
  "netsh advfirewall", "netsh firewall",
  "Set-NetFirewallProfile", "New-NetFirewallRule",
  "Remove-NetFirewallRule", "Set-NetFirewallRule",
  "Disable-NetFirewallRule", "netsh advfirewall set allprofiles state off",
  "netsh advfirewall firewall add rule",
  "iptables -F", "iptables -P INPUT ACCEPT",
  "iptables -P FORWARD ACCEPT", "iptables -D",
  "ufw disable", "firewall-cmd --permanent --add-port",
  "nft flush ruleset", "nft delete"
]);
let NetworkDeviceSyslog = dynamic([
  "firewall rule", "access-list", "security-policy",
  "policy delete", "rule delete", "permit any any",
  "action accept", "config firewall policy"
]);
union
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where ProcessCommandLine has_any (FirewallCommands)
  | extend IsFirewallDisable = ProcessCommandLine has_any ("state off", "set allprofiles state off", "Enabled False", "-F", "flush", "disable")
  | extend IsRuleAdd = ProcessCommandLine has_any ("add rule", "New-NetFirewallRule", "-A INPUT", "-I INPUT", "--add-port", "nft add")
  | extend IsRuleDelete = ProcessCommandLine has_any ("delete rule", "Remove-NetFirewallRule", "-D INPUT", "nft delete")
  | extend AllowsAny = ProcessCommandLine has_any ("action=allow", "-j ACCEPT", "ACCEPT", "permit", "allow")
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine,
           IsFirewallDisable, IsRuleAdd, IsRuleDelete, AllowsAny,
           DetectionType="HostFirewallManipulation"
),
(
  Syslog
  | where TimeGenerated > ago(24h)
  | where SyslogMessage has_any (NetworkDeviceSyslog)
  | where SyslogMessage has_any ("delete", "disable", "permit any", "accept", "removed", "modified")
  | project TimeGenerated, Computer, HostName, Facility,
           SeverityLevel, SyslogMessage,
           DetectionType="NetworkDeviceFirewallChange"
),
(
  CommonSecurityLog
  | where TimeGenerated > ago(24h)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Cisco", "Check Point")
  | where Activity has_any ("policy", "rule", "firewall", "security")
  | where Activity has_any ("delete", "modify", "disable", "create", "add")
  | project TimeGenerated, DeviceVendor, DeviceProduct,
           SourceUserName, SourceIP, Activity, Message,
           DetectionType="NetworkFirewallPolicyChange"
)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Firewall: Firewall Rule Modification Firewall: Firewall Disable Network Traffic: Network Traffic Flow

Required Tables

DeviceProcessEvents Syslog CommonSecurityLog

False Positives

Network administrators making planned firewall changes during a documented maintenance window — correlate with change management tickets
Infrastructure-as-code deployments (Terraform, Ansible, CloudFormation) that modify firewall rules as part of automated provisioning
Software installation scripts that add Windows Firewall exceptions for newly installed applications (e.g., SQL Server, IIS, Docker)
VPN or remote access solutions that dynamically add firewall rules when users connect (Cisco AnyConnect, GlobalProtect, Tailscale)

Elastic Security (EQL)

eql

any where (
  (event.category == "process" and event.type == "start" and (
    process.command_line like~ "*netsh advfirewall*" or
    process.command_line like~ "*netsh firewall*" or
    process.command_line like~ "*Set-NetFirewallProfile*" or
    process.command_line like~ "*New-NetFirewallRule*" or
    process.command_line like~ "*Remove-NetFirewallRule*" or
    process.command_line like~ "*Disable-NetFirewallRule*" or
    process.command_line like~ "*Set-NetFirewallRule*" or
    process.command_line like~ "*iptables -F*" or
    process.command_line like~ "*iptables -P INPUT ACCEPT*" or
    process.command_line like~ "*iptables -P FORWARD ACCEPT*" or
    process.command_line like~ "*iptables -D*" or
    process.command_line like~ "*ufw disable*" or
    process.command_line like~ "*firewall-cmd*--add-port*" or
    process.command_line like~ "*nft flush ruleset*" or
    process.command_line like~ "*nft delete*"
  ))
  or
  (event.category == "process" and event.type == "start" and
    process.name in ("netsh.exe", "powershell.exe", "pwsh.exe", "iptables", "ip6tables", "ufw", "nft", "firewall-cmd") and (
      process.command_line like~ "*state off*" or
      process.command_line like~ "*allprofiles state off*" or
      process.command_line like~ "*Enabled False*" or
      process.command_line like~ "*action=allow*" or
      process.command_line like~ "*permit any*" or
      process.command_line like~ "*-j ACCEPT*"
    )
  )
)

high severity high confidence

Data Sources

Endpoint process telemetry (EDR/Elastic Agent) Windows Security logs Linux auditd / syslog

Required Tables

logs-endpoint.events.process-* logs-system.security-* logs-auditd_manager.auditd-*

False Positives

IT administrators running authorized firewall configuration scripts via GPO or Ansible/Chef/Puppet automation
Software installations (e.g., AV/EDR, VPN clients) that add inbound/outbound rules as part of setup
DevOps pipelines running firewall-cmd or iptables to open application ports during container or VM provisioning

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  "CommandLine",
  "ParentCommandLine",
  "Image" AS process_image,
  CASE
    WHEN "CommandLine" ILIKE '%state off%' OR "CommandLine" ILIKE '%allprofiles state off%' OR "CommandLine" ILIKE '%Enabled False%' THEN 'FirewallDisable'
    WHEN "CommandLine" ILIKE '%Remove-NetFirewallRule%' OR "CommandLine" ILIKE '%iptables -D%' OR "CommandLine" ILIKE '%nft delete%' THEN 'RuleDelete'
    WHEN "CommandLine" ILIKE '%New-NetFirewallRule%' OR "CommandLine" ILIKE '%add rule%' OR "CommandLine" ILIKE '%iptables -A%' OR "CommandLine" ILIKE '%--add-port%' THEN 'RuleAdd'
    ELSE 'FirewallModify'
  END AS action_type,
  CASE
    WHEN "CommandLine" ILIKE '%action=allow%' OR "CommandLine" ILIKE '%-j ACCEPT%' OR "CommandLine" ILIKE '%permit any%' OR "CommandLine" ILIKE '%allow%' THEN 1
    ELSE 0
  END AS allows_any
FROM events
WHERE LOGSOURCETYPEID IN (12, 13, 352, 433)
  AND starttime > NOW() - 1 DAYS
  AND (
    "CommandLine" ILIKE '%netsh advfirewall%'
    OR "CommandLine" ILIKE '%netsh firewall%'
    OR "CommandLine" ILIKE '%Set-NetFirewallProfile%'
    OR "CommandLine" ILIKE '%New-NetFirewallRule%'
    OR "CommandLine" ILIKE '%Remove-NetFirewallRule%'
    OR "CommandLine" ILIKE '%Disable-NetFirewallRule%'
    OR "CommandLine" ILIKE '%Set-NetFirewallRule%'
    OR "CommandLine" ILIKE '%iptables -F%'
    OR "CommandLine" ILIKE '%iptables -P INPUT ACCEPT%'
    OR "CommandLine" ILIKE '%iptables -P FORWARD ACCEPT%'
    OR "CommandLine" ILIKE '%iptables -D%'
    OR "CommandLine" ILIKE '%ufw disable%'
    OR "CommandLine" ILIKE '%nft flush ruleset%'
    OR "CommandLine" ILIKE '%nft delete%'
    OR "CommandLine" ILIKE '%firewall-cmd%--permanent%--add-port%'
  )
UNION
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  "Message" AS "CommandLine",
  NULL AS "ParentCommandLine",
  devicevendor AS process_image,
  'NetworkDeviceFirewallChange' AS action_type,
  0 AS allows_any
FROM events
WHERE LOGSOURCETYPEID IN (5, 71, 104, 143, 200, 227)
  AND starttime > NOW() - 1 DAYS
  AND (
    ("Message" ILIKE '%policy%' OR "Message" ILIKE '%rule%' OR "Message" ILIKE '%access-list%' OR "Message" ILIKE '%security-policy%')
    AND ("Message" ILIKE '%delete%' OR "Message" ILIKE '%disable%' OR "Message" ILIKE '%permit any%' OR "Message" ILIKE '%modify%' OR "Message" ILIKE '%create%')
  )
ORDER BY event_time DESC

high severity medium confidence

Data Sources

QRadar Sysmon DSM (LOGSOURCETYPEID 352) Windows Security Event Log DSM (LOGSOURCETYPEID 12/13) Fortinet FortiGate DSM (LOGSOURCETYPEID 104) Palo Alto Networks Firewall DSM (LOGSOURCETYPEID 227) Cisco ASA DSM (LOGSOURCETYPEID 71)

Required Tables

events

False Positives

Authorized network engineers modifying firewall ACLs during change windows — correlate with change management ticket system
Windows Defender Firewall rules added by software installers such as VPN clients, antivirus agents, or enterprise applications
Linux firewall rule management by configuration management agents like Ansible, Chef, or SaltStack running from service accounts

Sumo Logic CSE

sql

// Host-based firewall manipulation — Windows
(_sourceCategory=*endpoint* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventCode = 1 OR EventCode = 4688
| where CommandLine matches /(?i)(netsh\s+advfirewall|netsh\s+firewall|Set-NetFirewallProfile|New-NetFirewallRule|Remove-NetFirewallRule|Disable-NetFirewallRule|Set-NetFirewallRule)/
| eval IsFirewallDisable = if(CommandLine matches /(?i)(state\s+off|allprofiles\s+state\s+off|Enabled\s+False)/, 1, 0)
| eval IsRuleAdd = if(CommandLine matches /(?i)(add\s+rule|new-netfirewallrule)/, 1, 0)
| eval IsRuleDelete = if(CommandLine matches /(?i)(delete\s+rule|remove-netfirewallrule)/, 1, 0)
| eval AllowsAny = if(CommandLine matches /(?i)(action=allow|allow|permit)/, 1, 0)
| eval SeverityScore = (IsFirewallDisable * 3) + (IsRuleDelete * 2) + (IsRuleAdd * AllowsAny * 2) + IsRuleAdd
| eval DetectionType = "HostFirewallManipulation"
| fields _messageTime, _sourceHost, User, CommandLine, ParentCommandLine, ProcessName, IsFirewallDisable, IsRuleAdd, IsRuleDelete, AllowsAny, SeverityScore, DetectionType

// Linux firewall manipulation — run separately or union
// (_sourceCategory=*linux* OR _sourceCategory=*auditd*)
// | where _raw matches /(?i)(iptables\s+-[FPD]|ufw\s+disable|nft\s+flush|nft\s+delete|firewall-cmd.*--add-port)/
// | eval DetectionType = "LinuxFirewallManipulation"

// Network device policy changes — run separately or union
// (_sourceCategory=*fortigate* OR _sourceCategory=*cisco:asa* OR _sourceCategory=*paloalto*)
// | where _raw matches /(?i)(policy|rule|access-list|security-policy)/
// | where _raw matches /(?i)(delete|disable|modify|create|permit\s+any)/
// | eval DetectionType = "NetworkDeviceFirewallChange"

| sort by SeverityScore desc, _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon Event ID 1 (Process Create) Windows Security Event ID 4688 (Process Create with command line) Linux auditd execve syscall logs Fortinet FortiGate UTM logs Cisco ASA syslogs Palo Alto Networks firewall config logs

Required Tables

_sourceCategory=*endpoint* _sourceCategory=*sysmon* _sourceCategory=*linux* _sourceCategory=*fortigate* _sourceCategory=*cisco*

False Positives

IT automation tools (Ansible, Puppet, Terraform) modifying firewall rules as part of infrastructure-as-code deployments
Security software installations opening ports for agent communication (CrowdStrike, Carbon Black, Qualys, Nessus)
Network engineers running authorized ACL changes from jump hosts — these will appear in syslog as policy modifications with legitimate source IPs

Google Chronicle / SecOps

yaral

rule t1562_013_disable_modify_network_device_firewall {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects disabling or modification of host-based and network device firewalls via command-line utilities and network device policy changes. Covers T1562.013 including APT38 and FortiGate exploitation patterns."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.013"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line, `(?i)netsh\s+(advfirewall|firewall)`) or
        re.regex($e.target.process.command_line, `(?i)(Set-NetFirewallProfile|New-NetFirewallRule|Remove-NetFirewallRule|Disable-NetFirewallRule|Set-NetFirewallRule)`) or
        re.regex($e.target.process.command_line, `(?i)iptables\s+(-F|-P\s+INPUT\s+ACCEPT|-P\s+FORWARD\s+ACCEPT|-D)`) or
        re.regex($e.target.process.command_line, `(?i)ufw\s+disable`) or
        re.regex($e.target.process.command_line, `(?i)nft\s+(flush\s+ruleset|delete)`) or
        re.regex($e.target.process.command_line, `(?i)firewall-cmd.*--permanent.*--add-port`)
      )
    )
    or
    (
      $e.metadata.event_type = "NETWORK_UNCATEGORIZED"
      and $e.metadata.vendor_name in nocase ("Fortinet", "Palo Alto Networks", "Cisco", "Check Point")
      and re.regex($e.metadata.description, `(?i)(policy|rule|access-list|security-policy|firewall)`)
      and re.regex($e.metadata.description, `(?i)(delete|disable|modify|create|permit\s+any|action\s+accept)`)
    )
    or
    (
      $e.metadata.event_type = "STATUS_UPDATE"
      and re.regex($e.metadata.description, `(?i)(firewall rule|config firewall policy|policy delete|rule delete|permit any any)`)
      and re.regex($e.metadata.description, `(?i)(delete|disable|modify|removed|modified)`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM process events from endpoint sensors Chronicle ingested network device syslogs (Fortinet, Palo Alto, Cisco, Check Point) Google Chronicle SecOps normalized log pipeline

Required Tables

UDM events with event_type = PROCESS_LAUNCH UDM events with event_type = NETWORK_UNCATEGORIZED UDM events with event_type = STATUS_UPDATE

False Positives

Authorized firewall rule deployments via GPO or endpoint management platforms — cross-reference with expected change management windows in Chronicle context
VPN or endpoint agent installations adding firewall rules via PowerShell as part of legitimate software deployment
Network operations team modifying ACLs on perimeter firewalls — expected to appear in Fortinet/Cisco/PAN logs with known source management IPs

CrowdStrike LogScale (CQL)

cql

// Host-based firewall manipulation via CrowdStrike Falcon process telemetry
#repo=base_sensor
#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(netsh\s+(advfirewall|firewall)|Set-NetFirewallProfile|New-NetFirewallRule|Remove-NetFirewallRule|Disable-NetFirewallRule|Set-NetFirewallRule|iptables\s+(-F|-P\s+INPUT\s+ACCEPT|-P\s+FORWARD\s+ACCEPT|-D\s+INPUT)|ufw\s+disable|nft\s+(flush\s+ruleset|delete)|firewall-cmd.*--permanent.*--add-port)/
| eval IsFirewallDisable := if(CommandLine =~ /(?i)(state\s+off|allprofiles\s+state\s+off|Enabled\s+False|iptables\s+-F|ufw\s+disable|nft\s+flush)/, "true", "false")
| eval IsRuleAdd := if(CommandLine =~ /(?i)(add\s+rule|new-netfirewallrule|iptables\s+-A|iptables\s+-I|--add-port|nft\s+add)/, "true", "false")
| eval IsRuleDelete := if(CommandLine =~ /(?i)(delete\s+rule|remove-netfirewallrule|iptables\s+-D|nft\s+delete)/, "true", "false")
| eval AllowsAny := if(CommandLine =~ /(?i)(action=allow|allow|permit|-j\s+ACCEPT)/, "true", "false")
| eval SeverityScore := case(
    IsFirewallDisable = "true", 3,
    IsRuleDelete = "true" and AllowsAny = "true", 3,
    IsRuleDelete = "true", 2,
    IsRuleAdd = "true" and AllowsAny = "true", 2,
    IsRuleAdd = "true", 1,
    true, 1
  )
| table timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsFirewallDisable, IsRuleAdd, IsRuleDelete, AllowsAny, SeverityScore
| sort(SeverityScore, order=desc)
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) Falcon host telemetry from Windows and Linux endpoints

Required Tables

#repo=base_sensor #event_simpleName=ProcessRollup2

False Positives

CrowdStrike sensor deployment itself may add Windows Firewall rules via PowerShell during installation or policy updates
Systems management tooling (SCCM, Ansible, Jamf) running netsh or PowerShell firewall cmdlets from SYSTEM context during software deployments
Developer workstations running Docker Desktop or WSL2 which routinely add/remove iptables and nft rules during container lifecycle management

Last updated: 2026-04-21 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1562.013 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Disable or Modify Network Device Firewall

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections