Detect Disable or Modify Network Device Firewall in CrowdStrike LogScale
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Adversaries may gain access to the firewall management console via Valid Accounts or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet. This technique was used by APT38 to create firewall exemptions on specific ports, and by threat actors exploiting Fortinet FortiGate vulnerabilities (CVE-2024-55591) to modify firewall rules before deploying LockBit ransomware.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.013 Disable or Modify Network Device Firewall
- Canonical reference
- https://attack.mitre.org/techniques/T1562/013/
LogScale Detection Query
// Host-based firewall manipulation via CrowdStrike Falcon process telemetry
#repo=base_sensor
#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(netsh\s+(advfirewall|firewall)|Set-NetFirewallProfile|New-NetFirewallRule|Remove-NetFirewallRule|Disable-NetFirewallRule|Set-NetFirewallRule|iptables\s+(-F|-P\s+INPUT\s+ACCEPT|-P\s+FORWARD\s+ACCEPT|-D\s+INPUT)|ufw\s+disable|nft\s+(flush\s+ruleset|delete)|firewall-cmd.*--permanent.*--add-port)/
| eval IsFirewallDisable := if(CommandLine =~ /(?i)(state\s+off|allprofiles\s+state\s+off|Enabled\s+False|iptables\s+-F|ufw\s+disable|nft\s+flush)/, "true", "false")
| eval IsRuleAdd := if(CommandLine =~ /(?i)(add\s+rule|new-netfirewallrule|iptables\s+-A|iptables\s+-I|--add-port|nft\s+add)/, "true", "false")
| eval IsRuleDelete := if(CommandLine =~ /(?i)(delete\s+rule|remove-netfirewallrule|iptables\s+-D|nft\s+delete)/, "true", "false")
| eval AllowsAny := if(CommandLine =~ /(?i)(action=allow|allow|permit|-j\s+ACCEPT)/, "true", "false")
| eval SeverityScore := case(
IsFirewallDisable = "true", 3,
IsRuleDelete = "true" and AllowsAny = "true", 3,
IsRuleDelete = "true", 2,
IsRuleAdd = "true" and AllowsAny = "true", 2,
IsRuleAdd = "true", 1,
true, 1
)
| table timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsFirewallDisable, IsRuleAdd, IsRuleDelete, AllowsAny, SeverityScore
| sort(SeverityScore, order=desc)
| sort(timestamp, order=desc)Detects T1562.013 firewall disable or modification activity via CrowdStrike Falcon process telemetry (ProcessRollup2 events). Matches Windows netsh advfirewall, PowerShell firewall cmdlets (New/Remove/Disable/Set-NetFirewallRule, Set-NetFirewallProfile) and Linux iptables/ufw/nft commands. Includes severity scoring based on action type and permissiveness, prioritizing full disable and broad allow-any rule additions consistent with APT38 and LockBit pre-deployment behavior.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike sensor deployment itself may add Windows Firewall rules via PowerShell during installation or policy updates
- Systems management tooling (SCCM, Ansible, Jamf) running netsh or PowerShell firewall cmdlets from SYSTEM context during software deployments
- Developer workstations running Docker Desktop or WSL2 which routinely add/remove iptables and nft rules during container lifecycle management
Other platforms for T1562.013
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable Windows Firewall via netsh
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine='advfirewall set allprofiles state off'. Windows Firewall Event ID 2003: Profile changed (all profiles disabled). Security Event ID 4688 with command line auditing. DeviceProcessEvents in MDE.
- Test 2Add Allow-Any Inbound Firewall Rule via netsh
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'add rule' and 'action=allow'. Windows Firewall Event ID 2004: New rule added. DeviceProcessEvents in MDE with full command line details.
- Test 3Flush Linux iptables Rules
Expected signal: Syslog and/or Sysmon for Linux process creation events for iptables with -F, -P INPUT ACCEPT, and -P FORWARD ACCEPT arguments. Linux audit events (SYSCALL) for the iptables binary execution. The network exposure is immediate.
- Test 4Disable UFW Firewall on Linux
Expected signal: Syslog entry for 'ufw disable' command. Process creation event for the ufw binary. Systemd journal entry for the ufw service state change. Sysmon for Linux (if installed) Event ID 1 for process creation.
References (7)
- https://attack.mitre.org/techniques/T1562/013/
- https://posts.inthecyber.com/exposed-fortinet-fortigate-firewall-interface-leads-to-lockbit-ransomware-cve-2024-55591-de8fcfb6c45c
- https://nvd.nist.gov/vuln/detail/CVE-2024-55591
- https://us-cert.cisa.gov/ncas/alerts/aa20-239a
- https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/
- https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring
Unlock Pro Content
Get the full detection package for T1562.013 including response playbook, investigation guide, and atomic red team tests.