attack.t1562.004

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

RDP Connection Allowed Via Netsh.EXE

Feb 16, 2023 · attack.defense_evasion attack.t1562.004 ·

Share on:

Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware

Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE

Feb 16, 2023 · attack.defense_evasion attack.t1562.004 ·

Share on:

Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall

Netsh Allow Group Policy on Microsoft Defender Firewall

Feb 14, 2023 · attack.defense_evasion attack.t1562.004 ·

Share on:

Adversaries may modify system firewalls in order to bypass controls limiting network usage

Firewall Disabled via Netsh.EXE

Feb 13, 2023 · attack.defense_evasion attack.t1562.004 attack.s0108 ·

Share on:

Detects netsh commands that turns off the Windows firewall

Firewall Rule Deleted Via Netsh.EXE

Feb 13, 2023 · attack.defense_evasion attack.t1562.004 ·

Share on:

Detects the removal of a port or application rule in the Windows Firewall configuration using netsh

Flush Iptables Ufw Chain

Jan 30, 2023 · attack.defense_evasion attack.t1562.004 ·

Share on:

Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic

Ufw Force Stop Using Ufw-Init

Jan 30, 2023 · attack.defense_evasion attack.t1562.004 ·

Share on:

Detects attempts to force stop the ufw using ufw-init

Disable System Firewall

Jan 27, 2023 · attack.t1562.004 attack.defense_evasion ·

Share on:

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Azure Firewall Rule Collection Modified or Deleted

Jan 11, 2023 · attack.impact attack.defense_evasion attack.t1562.004 ·

Share on:

Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.

Azure Firewall Modified or Deleted

Jan 9, 2023 · attack.impact attack.defense_evasion attack.t1562.004 ·

Share on:

Identifies when a firewall is created, modified, or deleted.

Disabling Security Tools - Builtin

Jan 7, 2023 · attack.defense_evasion attack.t1562.004 ·

Share on:

Detects disabling security tools

Windows Firewall Profile Disabled

Jan 4, 2023 · attack.defense_evasion attack.t1562.004 ·

Share on:

Detects when a user disables the Windows Firewall via a Profile to help evade defense.

Abusing PowerShell to Disable Defender Components

Nov 9, 2022 · attack.defense_evasion attack.t1562 attack.t1562.001 attack.t1562.004 ·

Share on:

Looks for instances of powershell being used to disable or impair Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Abusing PowerShell to Modify Defender Components

Nov 9, 2022 · attack.defense_evasion attack.t1562 attack.t1562.001 attack.t1562.004 ·

Share on:

Looks for instances of powershell being used to modify or degrade Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Bpfdoor TCP Ports Redirect

Oct 25, 2022 · attack.defense_evasion attack.t1562.004 ·

Share on:

All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.