title: Disable or Modify Network Device Firewall (T1562.013)
id: df00tech-t1562-013
status: experimental
description: "Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Adversaries may gain access to the firewall management console via Valid Accounts or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet. This technique was used by APT38 to create firewall exemptions on specific ports, and by threat actors exploiting Fortinet FortiGate vulnerabilities (CVE-2024-55591) to modify firewall rules before deploying LockBit ransomware."
references:
  - https://attack.mitre.org/techniques/T1562/013/
  - https://df00tech.com/detections/T1562.013
author: df00tech
date: 2026/04/21
tags:
  - attack.t1562.013
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Network administrators making planned firewall changes during a documented maintenance window (correlate with change management tickets)"
  - "Infrastructure-as-code deployments (Terraform, Ansible, CloudFormation) that modify firewall rules as part of automated provisioning"
  - "Software installation scripts that add Windows Firewall exceptions for newly installed applications (e.g., SQL Server, IIS, Docker)"
  - "VPN or remote access solutions that dynamically add firewall rules when users connect (Cisco AnyConnect, GlobalProtect, Tailscale)"
level: high
