Skip to content

Latest commit

 

History

History
212 lines (108 loc) · 5.6 KB

T1562.004.md

File metadata and controls

212 lines (108 loc) · 5.6 KB

T1562.004 - Disable or Modify System Firewall

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

Atomic Tests


Atomic Test #1 - Disable firewall

Disables the firewall

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
flavor_command Command to disable firewall. Default firewalld. ufw (Ubuntu) command = ufw disable String systemctl stop firewalld ; systemctl disable firewalld
cleanup_command Command to enable firewall. Default firewalld. ufw (Ubuntu) command = ufw enable String systemctl enable firewalld ; systemctl start firewalld

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

#{flavor_command}

Cleanup Commands:

#{cleanup_command}


Atomic Test #2 - Disable Microsoft Defender Firewall

Disables the Microsoft Defender Firewall for the current profile. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

netsh advfirewall set currentprofile state off

Cleanup Commands:

netsh advfirewall set currentprofile state on >nul 2>&1


Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall

Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes

Cleanup Commands:

netsh advfirewall reset >nul 2>&1


Atomic Test #4 - Opening ports for proxy - HARDRAIN

This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.

reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450

Cleanup Commands:

netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1


Atomic Test #5 - Open a local port through Windows Firewall to any profile

This test will attempt to open a local port defined by input arguments to any profile

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
local_port This is the local port you wish to test opening integer 3389

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any

Cleanup Commands:

netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null


Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location

This test will attempt to allow an executable through the system firewall located in the Users directory

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
exe_file_path path to exe file path PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Copy-Item #{exe_file_path} -Destination "C:\Users\$env:UserName" -Force
netsh advfirewall firewall add rule name="Atomic Test" dir=in action=allow program="C:\Users\$env:UserName\AtomicTest.exe" enable=yes

Cleanup Commands:

netsh advfirewall firewall delete rule name="Atomic Test" | Out-Null
Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore