
Detect Disable or Modify Network Device Firewall in IBM QRadar

Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Adversaries may gain access to the firewall management console via Valid Accounts or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet. This technique was used by APT38 to create firewall exemptions on specific ports, and by threat actors exploiting Fortinet FortiGate vulnerabilities (CVE-2024-55591) to modify firewall rules before deploying LockBit ransomware.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1562 Impair Defenses
Sub-technique: T1562.013 Disable or Modify Network Device Firewall
Canonical reference: https://attack.mitre.org/techniques/T1562/013/

QRadar Detection Query

Platform: IBM QRadar (AQL)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  "CommandLine",
  "ParentCommandLine",
  "Image" AS process_image,
  CASE
    WHEN "CommandLine" ILIKE '%state off%' OR "CommandLine" ILIKE '%allprofiles state off%' OR "CommandLine" ILIKE '%Enabled False%' THEN 'FirewallDisable'
    WHEN "CommandLine" ILIKE '%Remove-NetFirewallRule%' OR "CommandLine" ILIKE '%iptables -D%' OR "CommandLine" ILIKE '%nft delete%' THEN 'RuleDelete'
    WHEN "CommandLine" ILIKE '%New-NetFirewallRule%' OR "CommandLine" ILIKE '%add rule%' OR "CommandLine" ILIKE '%iptables -A%' OR "CommandLine" ILIKE '%--add-port%' THEN 'RuleAdd'
    ELSE 'FirewallModify'
  END AS action_type,
  CASE
    WHEN "CommandLine" ILIKE '%action=allow%' OR "CommandLine" ILIKE '%-j ACCEPT%' OR "CommandLine" ILIKE '%permit any%' OR "CommandLine" ILIKE '%allow%' THEN 1
    ELSE 0
  END AS allows_any
FROM events
WHERE devicetype IN (12, 13, 352, 433)
  AND starttime > NOW() - 86400000
  AND (
    "CommandLine" ILIKE '%netsh advfirewall%'
    OR "CommandLine" ILIKE '%netsh firewall%'
    OR "CommandLine" ILIKE '%Set-NetFirewallProfile%'
    OR "CommandLine" ILIKE '%New-NetFirewallRule%'
    OR "CommandLine" ILIKE '%Remove-NetFirewallRule%'
    OR "CommandLine" ILIKE '%Disable-NetFirewallRule%'
    OR "CommandLine" ILIKE '%Set-NetFirewallRule%'
    OR "CommandLine" ILIKE '%iptables -F%'
    OR "CommandLine" ILIKE '%iptables -P INPUT ACCEPT%'
    OR "CommandLine" ILIKE '%iptables -P FORWARD ACCEPT%'
    OR "CommandLine" ILIKE '%iptables -D%'
    OR "CommandLine" ILIKE '%ufw disable%'
    OR "CommandLine" ILIKE '%nft flush ruleset%'
    OR "CommandLine" ILIKE '%nft delete%'
    OR "CommandLine" ILIKE '%firewall-cmd%--permanent%--add-port%'
  )
UNION
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  "Message" AS "CommandLine",
  NULL AS "ParentCommandLine",
  devicevendor AS process_image,
  'NetworkDeviceFirewallChange' AS action_type,
  0 AS allows_any
FROM events
WHERE devicetype IN (5, 71, 104, 143, 200, 227)
  AND starttime > NOW() - 86400000
  AND (
    ("Message" ILIKE '%policy%' OR "Message" ILIKE '%rule%' OR "Message" ILIKE '%access-list%' OR "Message" ILIKE '%security-policy%')
    AND ("Message" ILIKE '%delete%' OR "Message" ILIKE '%disable%' OR "Message" ILIKE '%permit any%' OR "Message" ILIKE '%modify%' OR "Message" ILIKE '%create%')
  )
ORDER BY event_time DESC
Severity: high. Confidence: medium.

Detects firewall disable/modify commands on Windows and Linux endpoints via Sysmon/WinEvent process logs, and network device firewall policy changes from Fortinet, Palo Alto, Cisco, and Check Point log sources. Covers T1562.013 including APT38 port exemptions and FortiGate exploitation patterns.

Data Sources

  • QRadar Sysmon DSM (log source type ID 352)
  • Windows Security Event Log DSM (log source type ID 12/13)
  • Fortinet FortiGate DSM (log source type ID 104)
  • Palo Alto Networks Firewall DSM (log source type ID 227)
  • Cisco ASA DSM (log source type ID 71)

Required Tables

events

False Positives & Tuning

  • Authorized network engineers modifying firewall ACLs during change windows — correlate with change management ticket system
  • Windows Defender Firewall rules added by software installers such as VPN clients, antivirus agents, or enterprise applications
  • Linux firewall rule management by configuration management agents like Ansible, Chef, or SaltStack running from service accounts

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Disable Windows Firewall via netsh

    Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine='advfirewall set allprofiles state off'. Windows Firewall Event ID 2003: Profile changed (all profiles disabled). Security Event ID 4688 with command line auditing. DeviceProcessEvents in MDE.

  2. Test 2: Add Allow-Any Inbound Firewall Rule via netsh

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'add rule' and 'action=allow'. Windows Firewall Event ID 2004: New rule added. DeviceProcessEvents in MDE with full command line details.

  3. Test 3: Flush Linux iptables Rules

    Expected signal: Syslog and/or Sysmon for Linux process creation events for iptables with -F, -P INPUT ACCEPT, and -P FORWARD ACCEPT arguments. Linux audit events (SYSCALL) for the iptables binary execution. The network exposure is immediate.

  4. Test 4: Disable UFW Firewall on Linux

    Expected signal: Syslog entry for 'ufw disable' command. Process creation event for the ufw binary. Systemd journal entry for the ufw service state change. Sysmon for Linux (if installed) Event ID 1 for process creation.
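As an added example (not part of this page and not QRadar's own code), the Python below mirrors both branches of the AQL query above and runs them over constructed events: one Sysmon-style command line per Atomic test, a benign configuration-management change for the tuning allowlist, and a constructed device log line for the network-device branch. It assumes ILIKE means case-insensitive substring matching; the user names, service-account allowlist and event texts are all constructed.

```python
"""
Added example: a Python mirror of the AQL classification above, run over
constructed events so the expected signals of the four Atomic tests and the
false-positive allowlist can be checked offline. Not QRadar code.
"""
import re
from dataclasses import dataclass
from typing import Optional

# WHERE-clause patterns from the endpoint branch of the query. ILIKE is
# case-insensitive, so every comparison below is done in lower case.
ENDPOINT_TRIGGERS = (
    "netsh advfirewall", "netsh firewall", "set-netfirewallprofile",
    "new-netfirewallrule", "remove-netfirewallrule", "disable-netfirewallrule",
    "set-netfirewallrule", "iptables -f", "iptables -p input accept",
    "iptables -p forward accept", "iptables -d", "ufw disable",
    "nft flush ruleset", "nft delete",
)
# '%firewall-cmd%--permanent%--add-port%' has inner wildcards, hence a regex.
FIREWALL_CMD_RE = re.compile(r"firewall-cmd.*--permanent.*--add-port", re.IGNORECASE)

# Network-device branch: an object keyword AND a change keyword in "Message".
NET_OBJECTS = ("policy", "rule", "access-list", "security-policy")
NET_CHANGES = ("delete", "disable", "permit any", "modify", "create")

# Tuning allowlist (constructed names): config-management service accounts
# whose firewall changes are expected, per the False Positives section.
CM_SERVICE_ACCOUNTS = {"svc-ansible", "svc-salt"}


@dataclass
class Event:
    source: str   # "endpoint" (process creation) or "network" (device syslog)
    user: str
    text: str     # CommandLine for endpoints, raw Message for devices


def classify_endpoint(cmdline: str) -> Optional[tuple[str, int]]:
    """Mirror of the first SELECT: returns (action_type, allows_any) or None."""
    c = cmdline.lower()
    if not (any(t in c for t in ENDPOINT_TRIGGERS) or FIREWALL_CMD_RE.search(cmdline)):
        return None
    if "state off" in c or "enabled false" in c:
        action = "FirewallDisable"
    elif any(k in c for k in ("remove-netfirewallrule", "iptables -d", "nft delete")):
        action = "RuleDelete"
    elif any(k in c for k in ("new-netfirewallrule", "add rule", "iptables -a", "--add-port")):
        action = "RuleAdd"
    else:
        action = "FirewallModify"
    allows_any = int(any(k in c for k in ("action=allow", "-j accept", "permit any", "allow")))
    return action, allows_any


def classify_network(message: str) -> Optional[tuple[str, int]]:
    """Mirror of the second SELECT: a policy/rule object plus a change verb."""
    m = message.lower()
    if any(o in m for o in NET_OBJECTS) and any(v in m for v in NET_CHANGES):
        return "NetworkDeviceFirewallChange", 0
    return None


def run_detection(events: list[Event]) -> list[dict]:
    """Apply both branches, then drop allowlisted service-account changes."""
    alerts = []
    for ev in events:
        hit = classify_endpoint(ev.text) if ev.source == "endpoint" else classify_network(ev.text)
        if hit is None:
            continue
        if ev.source == "endpoint" and ev.user in CM_SERVICE_ACCOUNTS:
            continue  # tuning: expected change from a config-management agent
        action, allows_any = hit
        alerts.append({"user": ev.user, "action_type": action,
                       "allows_any": allows_any, "text": ev.text})
    return alerts


# Constructed sample events (not real captures): one per Atomic test, a
# benign allowlisted change, an unrelated command and a device log line.
SAMPLE_EVENTS = [
    Event("endpoint", "jdoe", "netsh advfirewall set allprofiles state off"),            # Test 1
    Event("endpoint", "jdoe", 'netsh advfirewall firewall add rule name="tmp" dir=in action=allow'),  # Test 2
    Event("endpoint", "root", "iptables -F"),                                             # Test 3
    Event("endpoint", "root", "iptables -P INPUT ACCEPT"),                                # Test 3
    Event("endpoint", "root", "ufw disable"),                                             # Test 4
    Event("endpoint", "svc-ansible", "firewall-cmd --permanent --add-port=9100/tcp"),     # benign, allowlisted
    Event("endpoint", "jdoe", "ipconfig /all"),                                           # unrelated, no match
    Event("network", "admin", 'cfgpath="firewall.policy" msg="Delete firewall.policy 12"'),  # constructed device log
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Running the mirror over the samples makes two tuning points visible that the query text alone does not: 'ufw disable' and 'iptables -P INPUT ACCEPT' fall through to the generic FirewallModify bucket with allows_any = 0, so action_type should be read as a hint rather than a verdict; and 'iptables -A' is named in the RuleAdd CASE arm but not in the WHERE list, so such events never reach the CASE at all. Both are worth adjusting if the endpoint branch is used for triage prioritisation.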
