Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done in numerous ways depending on the operating system, including via the command line, by editing Windows Registry keys, or through the Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
The "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.
| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| ID | Data Source | Data Component |
|---|---|---|
| | | Firewall Rule Modification |
| DS0024 | Windows Registry | Windows Registry Key Modification |
Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls.
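As an added example of the two detection checks above (not part of the ATT&CK page), this Python snippet runs them over constructed Sysmon-style events: process-creation command lines that disable the firewall or change rules, and writes to the Windows Firewall policy key under Services\SharedAccess\Parameters\FirewallPolicy. The command patterns and registry path are well-known Windows ones assumed here, not taken from this page.

```python
import re

# Constructed sample telemetry (Sysmon-style): id 1 = process creation,
# id 13 = registry value set. These events are made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": r"netsh advfirewall firewall add rule name=svc dir=in action=allow program=c:\temp\a.exe"},
    {"id": 13, "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "details": "DWORD (0x00000000)"},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall show allprofiles"},          # read-only query, benign
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "details": "DWORD (0x00000001)"},                      # firewall re-enabled, not flagged
]

# Command-line patterns (assumed, well-known Windows tooling), checked in order.
CMD_PATTERNS = {
    "firewall_disabled_netsh": re.compile(
        r"netsh\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+(mode=)?disable)", re.I),
    "firewall_disabled_powershell": re.compile(r"Set-NetFirewallProfile\b.*-Enabled\s+(\$?false|0)", re.I),
    "firewall_rule_changed": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+(add|delete|set)\s+rule|(New|Remove|Set)-NetFirewallRule\b", re.I),
}
# Registry subtree holding Windows Firewall profile state and rules (assumed path).
FIREWALL_POLICY_KEY = re.compile(r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I)

def detect_firewall_tampering(events):
    """Return (rule_name, image, evidence) tuples for events that disable or modify the firewall."""
    findings = []
    for ev in events:
        if ev["id"] == 1:  # process creation: inspect the command line
            for name, pat in CMD_PATTERNS.items():
                if pat.search(ev["cmd"]):
                    findings.append((name, ev["image"], ev["cmd"]))
                    break
        elif ev["id"] == 13 and FIREWALL_POLICY_KEY.search(ev["target"]):  # registry write
            if ev["target"].lower().endswith("\\enablefirewall") and "0x00000000" in ev["details"]:
                findings.append(("firewall_disabled_registry", ev["image"], ev["target"]))
            elif "\\firewallrules\\" in ev["target"].lower():
                findings.append(("firewall_rule_changed_registry", ev["image"], ev["target"]))
    return findings

if __name__ == "__main__":
    for finding in detect_firewall_tampering(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Of the six constructed events, four are flagged; the read-only `netsh ... show` query and the write that sets EnableFirewall back to 1 are not.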