Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
-
Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall
-
Atomic Test #5 - Open a local port through Windows Firewall to any profile
-
Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location
Disables the firewall
Supported Platforms: Linux
Name | Description | Type | Default Value |
---|---|---|---|
flavor_command | Command to disable firewall. Default firewalld. ufw (Ubuntu) command = ufw disable | String | systemctl stop firewalld ; systemctl disable firewalld |
cleanup_command | Command to enable firewall. Default firewalld. ufw (Ubuntu) command = ufw enable | String | systemctl enable firewalld ; systemctl start firewalld |
#{flavor_command}
#{cleanup_command}
Disables the Microsoft Defender Firewall for the current profile. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
Supported Platforms: Windows
netsh advfirewall set currentprofile state off
netsh advfirewall set currentprofile state on >nul 2>&1
Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...
Supported Platforms: Windows
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes
netsh advfirewall reset >nul 2>&1
This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.
reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
Supported Platforms: Windows
netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450
netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1
This test will attempt to open a local port defined by input arguments to any profile
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
local_port | This is the local port you wish to test opening | integer | 3389 |
netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any
netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
This test will attempt to allow an executable through the system firewall located in the Users directory
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
exe_file_path | path to exe file | path | PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe |
Copy-Item #{exe_file_path} -Destination "C:\Users\$env:UserName" -Force
netsh advfirewall firewall add rule name="Atomic Test" dir=in action=allow program="C:\Users\$env:UserName\AtomicTest.exe" enable=yes
netsh advfirewall firewall delete rule name="Atomic Test" | Out-Null
Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore