Huseyin Can YUCEEL | March 18, 2025 | 3 MIN READ

LAST UPDATED ON MARCH 18, 2025

MITRE ATT&CK T1562.004 Impair Defenses: Disable or Modify System Firewall

Disable or Modify System Firewall is a defense evasion technique that adversaries use to manipulate firewall settings to bypass security controls and facilitate malicious activities. Firewalls are critical security components designed to monitor and control network traffic, blocking unauthorized access and preventing malicious communication. By disabling or modifying firewall configurations, attackers can move laterally within a network, exfiltrate data, or establish persistent command-and-control (C2) channels without being detected.

In this blog post, we explain the T1562.004 Disable or Modify System Firewall technique of the MITRE ATT&CK® framework and explore how adversaries employ Disable or Modify System Firewall with real-world attack examples in detail.


What is a System Firewall?

A system firewall acts as a barrier between a computer, or a network of computers, and external threats. It monitors and controls incoming and outgoing network traffic based on predetermined security rules. The primary purpose of a system firewall is to prevent unauthorized access to or from a private network, ensuring that only legitimate and authorized communication is allowed. The firewall inspects data packets traveling across the network and determines whether they meet the criteria specified in the security rules.

Adversary Use of Disable or Modify System Firewall

Firewalls are designed to monitor and control incoming and outgoing network traffic based on predetermined security rules. By disabling a firewall or modifying its settings, adversaries can facilitate the movement of malicious traffic and data exfiltration, maintain control of a compromised system, and enable the lateral spread of malware or an attack within a network [1].

Adversaries often use native operating system commands or configuration interfaces to alter firewall rules, turn the firewall off outright, or change its settings in a way that weakens the protective measures. On Linux systems, adversaries could use 'iptables' or other command-line utilities to modify the firewall rule set or stop the firewall service entirely. In an XMRig cryptominer campaign targeting Docker and Kubernetes systems, adversaries used the commands below to disable the firewall on compromised hosts [2].

iptables -F

systemctl stop firewalld

systemctl disable firewalld

service iptables stop

On a Windows system, an attacker could use the 'netsh' command-line utility to modify the firewall configuration or directly interact with the Windows Firewall through the Control Panel. For example, Phobos ransomware uses the command below to bypass organizational network defense protocols [3].

netsh firewall set opmode mode=disable

In some cases, adversaries insert specific rules that allow traffic to and from attacker-controlled domains or IP addresses, while in other situations, they may attempt to disable logging or alert generation, which would normally be used to detect and investigate malicious activity. One of the subtle ways that adversaries modify a firewall is by adding seemingly benign exceptions that can be exploited. These could be rules that allow traffic over certain ports that the attacker knows they can use to communicate with malware or command-and-control servers. From a defender's perspective, these changes might not immediately signal a red flag because the ports could be used for legitimate services as well. In the example below, BPFDoor malware adds rules [4]: 

  • to allow traffic from the attacker's IP
  • to redirect malicious traffic to a different port to intercept the data before it reaches its intended destination
  • to remove previous rules added by the attacker.

iptables -I INPUT -p tcp -s [threat actor IP] -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -s [threat actor IP] --dport [destination port] -j REDIRECT --to-ports [random port]

iptables -t nat -D PREROUTING -p tcp -s [threat actor IP] --dport [destination port] -j REDIRECT --to-ports [random port]

iptables -D INPUT -p tcp -s [threat actor IP] -j ACCEPT
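As an added defender-side example (not code from the original post or from any of the cited reports), the detector below classifies process-creation command lines against the patterns quoted above: the XMRig campaign's flush/stop commands, Phobos's netsh command, and BPFDoor's source-allow and NAT-redirect rules, including the cleanup deletions. The sample events, the labels and the 203.0.113.10 address are constructed for this example; the netsh 'advfirewall ... state off' form is a known alternative that the post does not show.

```python
import shlex
from typing import Optional

# Constructed process-creation events in the shape an EDR or auditd sensor would
# report them (not taken from the original post); 203.0.113.10 is a documentation
# address standing in for the attacker's IP.
SAMPLE_EVENTS = [
    "iptables -F",
    "systemctl stop firewalld",
    "service iptables stop",
    "netsh firewall set opmode mode=disable",
    "iptables -I INPUT -p tcp -s 203.0.113.10 -j ACCEPT",
    "iptables -t nat -A PREROUTING -p tcp -s 203.0.113.10 --dport 443 -j REDIRECT --to-ports 42391",
    "iptables -D INPUT -p tcp -s 203.0.113.10 -j ACCEPT",
    "iptables -L -n",            # benign: only lists rules
    "systemctl restart nginx",  # benign: unrelated service
]
FIREWALL_SERVICES = {"firewalld", "iptables", "ip6tables", "nftables", "ufw"}

def classify(cmd: str) -> Optional[str]:
    """Map one command line to a T1562.004 label, or None when it looks benign."""
    try:
        argv = shlex.split(cmd) or [""]   # empty line -> no program, falls through to None
    except ValueError:
        return None                        # unbalanced quotes: not parseable, skip
    prog, args = argv[0].rsplit("/", 1)[-1].lower(), argv[1:]  # tolerate /usr/sbin/iptables
    added = "-A" in args or "-I" in args
    if prog in ("systemctl", "service"):
        if {"stop", "disable", "mask"} & set(args) and FIREWALL_SERVICES & set(args):
            return "firewall_service_stopped"          # systemctl stop firewalld, service iptables stop
    elif prog in ("iptables", "ip6tables"):
        if "-F" in args or "--flush" in args:
            return "rules_flushed"                     # iptables -F (XMRig campaign)
        target = args[args.index("-j") + 1] if "-j" in args[:-1] else None
        if target == "REDIRECT" and "PREROUTING" in args:
            return "nat_redirect_" + ("added" if added else "removed")   # BPFDoor redirect / cleanup
        if target == "ACCEPT" and "-s" in args:
            return "source_allow_" + ("added" if added else "removed")   # BPFDoor allow / cleanup
    elif prog == "netsh":
        low = [a.lower() for a in args]
        if "mode=disable" in low or ("state" in low and "off" in low):
            return "windows_firewall_disabled"         # Phobos; also 'advfirewall ... state off'
    return None

def scan(events: list[str]) -> dict[str, str]:
    # Return {command: label} for every event that matches a tampering pattern.
    return {cmd: lab for cmd in events if (lab := classify(cmd))}

if __name__ == "__main__":
    for cmd, label in scan(SAMPLE_EVENTS).items():
        print(f"{label:26} {cmd}")
```

Running it flags seven of the nine sample events and leaves the rule listing and the nginx restart alone; in practice these labels would be attached to the process event together with the parent process and user so that a legitimate administrator's change can be distinguished from post-compromise tampering.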


References

[1] Datadog Security Labs, "Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale." Available: https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/

[2] Datadog Security Labs, "Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale." Available: https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/

[3] CISA, "#StopRansomware: Phobos Ransomware," Cybersecurity Advisory AA24-060A. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a

[4] ATCP, "BPFDoor Linux Malware Detected by AhnLab EDR," ASEC, Oct. 09, 2024. Available: https://asec.ahnlab.com/en/83925/
