Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes can range from disabling the entire mechanism to adding, deleting, or modifying particular rules. This can be done in numerous ways depending on the operating system, including via the command line, Windows Registry keys, and the Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) on a non-traditional and potentially less-monitored port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti) Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
- Atomic Test #2 - Disable Microsoft Defender Firewall via Registry
- Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall
- Atomic Test #5 - Open a local port through Windows Firewall to any profile
- Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location
- Atomic Test #20 - LockBit Black - Unusual Windows firewall registry modification -cmd
- Atomic Test #21 - LockBit Black - Unusual Windows firewall registry modification -Powershell
- Atomic Test #22 - Blackbit - Disable Windows Firewall using netsh firewall
- Atomic Test #24 - Set a firewall rule using New-NetFirewallRule
Disables the Microsoft Defender Firewall for the current profile (`netsh advfirewall set` needs an elevated prompt). Take care if you are accessing the host remotely, and especially with the cleanup command, which re-enables the firewall for the current profile.
Supported Platforms: Windows
auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f
Attack Commands: Run with `command_prompt`!
```cmd
netsh advfirewall set currentprofile state off
```
Cleanup Commands:
```cmd
netsh advfirewall set currentprofile state on >nul 2>&1
```
Disables the Microsoft Defender Firewall for the public profile by writing `EnableFirewall=0` to the profile's key under the local `SharedAccess\Parameters\FirewallPolicy` path. Take care if you are accessing the host remotely, and especially with the cleanup command, which re-enables the firewall for the public profile.
Supported Platforms: Windows
auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
```
Cleanup Commands:
```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
```
Enables the built-in "Remote Desktop" and "File and Printer Sharing" rule groups on the Microsoft Defender Firewall for all profiles, exposing RDP and SMB. Take care if you are accessing the host remotely, and especially with the cleanup command: `netsh advfirewall reset` restores the default policy for every profile, which discards any custom rules on the host (not just the two groups this test touched) and may disable those services.
Supported Platforms: Windows
auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
Attack Commands: Run with `command_prompt`!
```cmd
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes
```
Cleanup Commands:
```cmd
netsh advfirewall reset >nul 2>&1
```
This test opens an inbound TCP port (450) through the firewall on the victim device. HARDRAIN used the same technique to expose the listener of its proxy component.
reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
Supported Platforms: Windows
auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80
Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450
```
Cleanup Commands:
```cmd
netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1
```
This test will attempt to open a local port, given as an input argument, to any profile. The default (3389) is the RDP port.
Supported Platforms: Windows
auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_port | This is the local port you wish to test opening | integer | 3389 |
Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any
```
Cleanup Commands:
```powershell
netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
```
This test will attempt to allow an executable through the system firewall after copying it into the user's profile directory (C:\Users\<user>), a location a standard user can write to and where legitimate services rarely live.
Supported Platforms: Windows
auto_generated_guid: 6f5822d2-d38d-4f48-9bfc-916607ff6b8c
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_file_path | path to exe file | path | PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe |
Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Copy-Item "#{exe_file_path}" -Destination "C:\Users\$env:UserName" -Force
netsh advfirewall firewall add rule name="Atomic Test" dir=in action=allow program="C:\Users\$env:UserName\AtomicTest.exe" enable=yes
```
Cleanup Commands:
```powershell
netsh advfirewall firewall delete rule name="Atomic Test" | Out-Null
Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore
```
Stop the Uncomplicated Firewall (UFW) if installed. `ufw disable` also writes ENABLED=no to /etc/ufw/ufw.conf, so the firewall stays off across reboots until the cleanup re-enables it.
Supported Platforms: Linux
auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
ufw disable
```
Cleanup Commands:
```sh
ufw enable
ufw status verbose
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Stop the Packet Filter (PF) if installed. Note that `service pf stop`, `service pf disable` and the `kldstat` prerequisite check are FreeBSD commands; despite the platform label below, this test will not run on a Linux host.
Supported Platforms: Linux
auto_generated_guid: 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
service pf stop
service pf disable
```
Cleanup Commands:
```sh
service pf enable
service pf start
service pf status
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.
Supported Platforms: Linux
auto_generated_guid: 9fd99609-1854-4f3c-b47b-97d9a5972bd1
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
systemctl stop ufw
```
Cleanup Commands:
```sh
systemctl start ufw
systemctl status ufw
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -x "$(command -v systemctl)" ]; then echo -e "\n***** systemctl NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Turn off the Uncomplicated Firewall (UFW) logging. The cleanup restores `low`, which is UFW's default level.
Supported Platforms: Linux
auto_generated_guid: 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
ufw logging off
```
Cleanup Commands:
```sh
ufw logging low
ufw status verbose
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Add and delete a rule on the Uncomplicated Firewall (UFW) if installed and enabled. `ufw prepend` inserts the rule at the top of the ruleset, ahead of any existing rules, which is why the cleanup deletes rule number 1 (answering the confirmation prompt with `y`).
Supported Platforms: Linux
auto_generated_guid: b2563a4e-c4b8-429c-8d47-d5bcb227ba7a
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
ufw prepend deny from 1.2.3.4
ufw status numbered
```
Cleanup Commands:
```sh
{ echo y; echo response; } | ufw delete 1
ufw status numbered
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Add and delete a rule on the Packet Filter (PF) if installed and enabled. The rule is loaded into a named anchor (`pf-rules`) that the prerequisite step references from /etc/pf.conf. As with the previous PF test, `kldstat` and the BSD `sed -i ""` syntax mean this runs on FreeBSD rather than Linux.
Supported Platforms: Linux
auto_generated_guid: 8b23cae1-66c1-41c5-b79d-e095b6098b5b
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "block in proto tcp from 1.2.3.4 to any" | pfctl -a pf-rules -f -
pfctl -a pf-rules -s rules
```
Cleanup Commands:
```sh
pfctl -a pf-rules -F rules
# remove the anchor line added by the prerequisite step (BSD sed in-place syntax; the file argument was missing)
sed -i "" '/anchor pf-rules/d' /etc/pf.conf
pfctl -f /etc/pf.conf
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -x "$(command -v pfctl)" ]; then echo -e "\n***** PF NOT installed *****\n"; exit 1; fi
if [ "$(kldstat -n pf)" = "" ]; then echo -e "\n***** PF inactive *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
# append the anchor to the ruleset (the redirection must sit outside the quotes) and reload it
echo "anchor pf-rules" >> /etc/pf.conf
pfctl -f /etc/pf.conf
```
Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
Supported Platforms: Linux
auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "# THIS IS A COMMENT" >> /etc/ufw/user.rules
grep "# THIS IS A COMMENT" /etc/ufw/user.rules
```
Cleanup Commands:
```sh
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/user.rules
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf, which controls whether the firewall starts on boot and its logging level.
Supported Platforms: Linux
auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "# THIS IS A COMMENT" >> /etc/ufw/ufw.conf
grep "# THIS IS A COMMENT" /etc/ufw/ufw.conf
```
Cleanup Commands:
```sh
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf
cat /etc/ufw/ufw.conf
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Edit the Uncomplicated Firewall (UFW) configuration file for setting network (sysctl) variables, /etc/ufw/sysctl.conf.
Supported Platforms: Linux
auto_generated_guid: c4ae0701-88d3-4cd8-8bce-4801ed9f97e4
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "# THIS IS A COMMENT" >> /etc/ufw/sysctl.conf
grep "# THIS IS A COMMENT" /etc/ufw/sysctl.conf
```
Cleanup Commands:
```sh
sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf
cat /etc/ufw/sysctl.conf
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Edit the Uncomplicated Firewall (UFW) main configuration file for setting default policies, /etc/default/ufw.
Supported Platforms: Linux
auto_generated_guid: 7b697ece-8270-46b5-bbc7-6b9e27081831
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo "# THIS IS A COMMENT" >> /etc/default/ufw
grep "# THIS IS A COMMENT" /etc/default/ufw
```
Cleanup Commands:
```sh
sed -i 's/# THIS IS A COMMENT//g' /etc/default/ufw
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
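The four file-edit tests above (user.rules, ufw.conf, sysctl.conf and /etc/default/ufw) leave the same trace: a configuration file whose hash no longer matches a known-good baseline, sometimes with a weakened setting behind the change. The script below is an added example, not Atomic Red Team code. It baselines the files, reports every new line (the appended comment from the tests shows up this way), and separately flags settings that weaken the firewall: `ENABLED`, `LOGLEVEL` and the default policies. The file contents and the EXPECTED table are constructed assumptions standing in for a real baseline.

```python
"""Baseline-and-diff check for UFW configuration files.

Added example (not Atomic Red Team code). The file contents below are
constructed stand-ins for /etc/ufw/ufw.conf, /etc/default/ufw and
/etc/ufw/user.rules so that the check runs offline; on a real host the
dicts would be filled from the files themselves.
"""
import hashlib
import re

# Settings whose drift from these values weakens the firewall. The key set is
# an assumption about a typical hardened baseline, not a UFW requirement.
EXPECTED = {
    "/etc/ufw/ufw.conf": {"ENABLED": "yes", "LOGLEVEL": "low"},
    "/etc/default/ufw": {
        "DEFAULT_INPUT_POLICY": "DROP",
        "DEFAULT_FORWARD_POLICY": "DROP",
    },
}

KV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_kv(text):
    """Parse shell-style KEY=VALUE lines; comments and blank lines are skipped
    and surrounding quotes are stripped from values."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KV_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def check_file(path, baseline_text, current_text):
    """Findings for one file: a CHANGED entry for hash drift plus one per new
    line, and a WEAKENED entry for every expected setting that no longer holds."""
    findings = []
    if sha256(baseline_text) != sha256(current_text):
        findings.append(("CHANGED", path, "sha256 mismatch against baseline"))
        baseline_lines = set(baseline_text.splitlines())
        for line in current_text.splitlines():
            if line not in baseline_lines:
                findings.append(("CHANGED", path, f"new line {line!r}"))
    settings = parse_kv(current_text)
    for key, wanted in EXPECTED.get(path, {}).items():
        if settings.get(key) != wanted:
            findings.append(("WEAKENED", path,
                             f"{key}={settings.get(key)!r}, expected {wanted!r}"))
    return findings


def audit(baseline, current):
    """baseline and current map path -> file text; returns all findings."""
    findings = []
    for path, text in baseline.items():
        findings += check_file(path, text, current.get(path, ""))
    return findings


# Constructed sample data: the "current" files show a disabled firewall, logging
# turned off, an appended comment and an opened default input policy.
BASELINE = {
    "/etc/ufw/ufw.conf": "ENABLED=yes\nLOGLEVEL=low\n",
    "/etc/default/ufw": 'IPV6=yes\nDEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="DROP"\n',
    "/etc/ufw/user.rules": "*filter\n:ufw-user-input - [0:0]\nCOMMIT\n",
}
CURRENT = {
    "/etc/ufw/ufw.conf": "ENABLED=no\nLOGLEVEL=off\n# THIS IS A COMMENT\n",
    "/etc/default/ufw": 'IPV6=yes\nDEFAULT_INPUT_POLICY="ACCEPT"\nDEFAULT_FORWARD_POLICY="DROP"\n',
    "/etc/ufw/user.rules": "*filter\n:ufw-user-input - [0:0]\nCOMMIT\n",
}

if __name__ == "__main__":
    for severity, path, detail in audit(BASELINE, CURRENT):
        print(f"{severity:8} {path}: {detail}")
```

A plain hash mismatch is only evidence that something changed; the WEAKENED findings are what tie the change back to this technique, so the two are reported separately rather than folded into one alert.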
Print the last 10 lines of the Uncomplicated Firewall (UFW) log file /var/log/ufw.log. That file is written by rsyslog (UFW messages come from the kernel); on a host without rsyslog the messages are only in the kernel log (`journalctl -k` or `dmesg`), so the prerequisite check fails there. There is no cleanup step.
Supported Platforms: Linux
auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
tail /var/log/ufw.log
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Some Linux systems do not enable ufw but manage their rules with iptables directly (ufw itself is a front end that generates iptables rules). There is no iptables service to stop the way ufw can be stopped: the rules live in the kernel's netfilter tables. An attacker can instead flush them with `iptables -F`, which removes every rule in the filter table and effectively disables the firewall. Two caveats: flushing does not change the chains' default policies, so on a host whose INPUT policy is DROP a flush blocks all inbound traffic (the attacker's own session included) rather than opening it; and `-F` touches only the filter table, leaving nat and mangle rules in place. The test saves the ruleset first so the cleanup can restore it.
Supported Platforms: Linux
auto_generated_guid: 7784c64e-ed0b-4b65-bf63-c86db229fd56
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
iptables-save > /tmp/iptables.rules
iptables -F
```
Cleanup Commands:
```sh
iptables-restore < /tmp/iptables.rules
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
Instead of flushing everything, an adversary may delete just the one rule that stands in the way, for example an OUTPUT rule that blocks data exfiltration over FTP. A single missing rule is far less noticeable than an empty ruleset. The prerequisite check expects that rule to exist and prints the command to create it if it does not.
Supported Platforms: Linux
auto_generated_guid: 899a7fb5-d197-4951-8614-f19ac4a73ad4
Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
iptables-save > /tmp/iptables.rules
iptables -D OUTPUT -p tcp --dport 21 -j DROP
```
Cleanup Commands:
```sh
iptables-restore < /tmp/iptables.rules
```
Dependencies: Run with `sh`!
Check Prereq Commands:
```sh
if [ ! -x "$(command -v iptables)" ]; then echo -e "\n***** iptables NOT installed *****\n"; exit 1; fi
if ! echo "$(iptables -L)" | grep -q "DROP .*dpt:ftp"; then echo -e "\n***** this firewall rule is NOT activated *****\n***** activate it by executing \"iptables -A OUTPUT -p tcp --dport 21 -j DROP\" *****\n"; exit 1; fi
```
Get Prereq Commands:
```sh
echo ""
```
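The two iptables tests above differ only in scope: a full flush versus a single deleted rule. A before/after comparison of `iptables-save` output tells the two apart and also surfaces the lockout hazard of flushing a chain whose policy is DROP. The script below is an added example rather than Atomic Red Team code; the snapshots it compares are constructed to match the tests (a DROP rule for outbound FTP on port 21, a flush that empties the chains) and on a real host would come from `iptables-save` taken before and after the change.

```python
"""Diff two iptables-save snapshots to spot flushed chains, deleted rules and
lockout risk.

Added example (not Atomic Red Team code). The snapshots below are constructed
to mirror the two iptables tests above; on a real host they would come from
`iptables-save` run before and after the suspected change.
"""


def parse_save(text):
    """Parse iptables-save output into
    {table: {"policy": {chain: policy}, "rules": [append lines]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # "*filter"
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):               # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A"):              # "-A INPUT ... -j ACCEPT"
            tables[table]["rules"].append(line)
        # COMMIT and anything else carry no rule content
    return tables


def diff_rulesets(before_text, after_text):
    """Return (kind, table, detail) tuples describing how the ruleset moved."""
    before, after = parse_save(before_text), parse_save(after_text)
    findings = []
    for table, old in before.items():
        new = after.get(table, {"policy": {}, "rules": []})
        for rule in old["rules"]:
            if rule not in new["rules"]:
                findings.append(("removed", table, rule))
        for rule in new["rules"]:
            if rule not in old["rules"]:
                findings.append(("added", table, rule))
        for chain, policy in old["policy"].items():
            had = [r for r in old["rules"] if r.startswith(f"-A {chain} ")]
            has = [r for r in new["rules"] if r.startswith(f"-A {chain} ")]
            if had and not has:
                # Every rule in a chain vanished: the signature of `iptables -F`.
                findings.append(("flushed", table, chain))
                # A flush leaves the default policy in place, so a DROP chain
                # with no ACCEPT rules now drops everything, SSH included.
                if new["policy"].get(chain, policy) == "DROP":
                    findings.append(("lockout_risk", table, chain))
            new_policy = new["policy"].get(chain)
            if new_policy and new_policy != policy:
                findings.append(("policy_changed", table, f"{chain} {policy}->{new_policy}"))
    return findings


BEFORE = """\
# constructed sample, not a real host
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j DROP
COMMIT
"""
# After `iptables -F`: chains empty, policies untouched.
AFTER_FLUSH = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
# After `iptables -D OUTPUT -p tcp --dport 21 -j DROP`: one rule gone.
AFTER_DELETE = BEFORE.replace("-A OUTPUT -p tcp -m tcp --dport 21 -j DROP\n", "")

if __name__ == "__main__":
    for kind, table, detail in diff_rulesets(BEFORE, AFTER_FLUSH):
        print(f"{kind:14} {table} {detail}")
```

The `lockout_risk` finding is the practical reason the flush test saves the ruleset first: with INPUT defaulting to DROP, `iptables -F` cuts off the operator's own session, and only `iptables-restore` from a console gets it back.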
Modifies the Group Policy firewall keys under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall to disable the Domain and Standard (private) profiles, the registry change attributed to LockBit Black. Values under the Policies key take precedence over the local SharedAccess settings used in Atomic Test #2. The cleanup deletes the values rather than setting them to 1, so the profiles fall back to the local configuration.
Supported Platforms: Windows
auto_generated_guid: a4651931-ebbb-4cde-9363-ddf3d66214cb
Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
```
Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /f >nul 2>&1
```
The same LockBit Black registry modification as the previous test, performed from PowerShell: the Group Policy `EnableFirewall` values for the Domain and Standard (private) profiles are set to 0, and the cleanup removes them.
Supported Platforms: Windows
auto_generated_guid: 80b453d1-eec5-4144-bf08-613a6c3ffe12
Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force
```
Cleanup Commands:
```powershell
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore
```
Disables the Windows firewall with the legacy `netsh firewall` syntax, as used by BlackBit. Microsoft deprecated this syntax in favour of `netsh advfirewall`, but it still works on current Windows versions (printing a deprecation notice), so detections keyed only on `advfirewall` miss it.
Supported Platforms: Windows
auto_generated_guid: 91f348e6-3760-4997-a93b-2ceee7f254ee
Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
netsh firewall set opmode mode=disable
```
Cleanup Commands:
```cmd
netsh firewall set opmode mode=enable >nul 2>&1
```
Adversaries may disable the ESXi firewall via ESXCLI. This test runs from a Windows host: plink (PuTTY's command-line SSH client) connects to the ESXi server and executes the commands in the script file passed with `-m` (esxi_disable_firewall.txt); the cleanup runs the companion enable script. Note that plink prompts to accept the host key on first connection to a host, and that the password is passed on the command line.
Supported Platforms: Windows
auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local |
| plink_file | Path to Putty | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe |
| username | username used to log into ESXi | string | root |
| password | password used to log into ESXi | string | n/a |
Attack Commands: Run with `command_prompt`!
```cmd
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
```
Cleanup Commands:
```cmd
#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
```
Dependencies: Run with `powershell`!
Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
This test will attempt to create a new inbound/outbound firewall rule using the New-NetFirewallRule cmdlet.
Supported Platforms: Windows
auto_generated_guid: 94be7646-25f6-467e-af23-585fb13000c8
Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| direction | Direction can be Inbound or Outbound | string | Inbound |
| local_port | This is the local port you wish to test opening | integer | 21 |
| protocol | This is the protocol | string | TCP |
| action | This is the action | string | allow |
Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-NetFirewallRule -DisplayName "New rule" -Direction "#{direction}" -LocalPort "#{local_port}" -Protocol "#{protocol}" -Action "#{action}"
```
Cleanup Commands:
```powershell
Remove-NetFirewallRule -DisplayName "New rule"
```
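All of the Windows tests on this page (the netsh profile state, the local SharedAccess and Group Policy `EnableFirewall` values, and rules added with `netsh advfirewall` or `New-NetFirewallRule`) leave their result in the registry, so a defender can triage a host from a registry export. The script below is an added example and not Atomic Red Team code. `effective_state` resolves the per-profile state the way Windows does (a value under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall overrides the local SharedAccess value, and the policy key named StandardProfile governs the Private profile), and `triage_rules` parses the pipe-delimited strings stored under the FirewallRules key and flags inbound allow rules for programs in user-writable paths, for lateral-movement ports, or for non-standard ports exposed to the Public profile. The registry values, the port lists and the value names are constructed for the example.

```python
r"""Triage Windows Defender Firewall state from registry data.

Added example (not Atomic Red Team code). It works on values as they are
stored under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
\FirewallPolicy (per-profile EnableFirewall and the FirewallRules strings)
and under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall (Group Policy
profiles). The sample values are constructed to mirror the Windows tests on
this page; on a live host they would be read with winreg or `reg export`.
"""
import re

# Group Policy profile keys and the local keys they override; the policy key
# named StandardProfile governs the Private profile.
PROFILE_MAP = {
    "DomainProfile": "DomainProfile",
    "StandardProfile": "PrivateProfile",
    "PublicProfile": "PublicProfile",
}

# Program locations a standard user can write to (assumed list).
USER_WRITABLE = re.compile(
    r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\|%temp%|%appdata%)", re.I)
# Ports whose inbound exposure enables lateral movement.
SENSITIVE = {"3389": "RDP", "445": "SMB", "135": "RPC", "5985": "WinRM", "5986": "WinRM"}
# Ports treated as business-as-usual services (assumption for the example).
WELL_KNOWN = {"80", "443", "53"}


def effective_state(local, policy):
    """Return {profile: (enabled, source)}; a policy value wins over the local
    one, and a missing value means the default, which is enabled."""
    state = {}
    for policy_name, local_name in PROFILE_MAP.items():
        policy_value = policy.get(policy_name, {}).get("EnableFirewall")
        if policy_value is not None:
            state[local_name] = (policy_value == 1, "policy")
        else:
            local_value = local.get(local_name, {}).get("EnableFirewall", 1)
            state[local_name] = (local_value == 1, "local")
    return state


def parse_rule(value):
    """Parse a FirewallRules value such as
    'v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=450|Name=x|'.
    Profile= may repeat, so it is collected as a list; no Profile= at all
    means the rule applies to every profile."""
    parts = value.split("|")
    fields = {"version": parts[0]}
    for part in parts[1:]:
        if "=" not in part:
            continue
        key, val = part.split("=", 1)
        if key == "Profile":
            fields.setdefault("Profile", []).append(val)
        else:
            fields[key] = val
    return fields


def triage_rules(rules):
    """rules maps value name -> rule string. Flags active inbound allow rules
    for user-writable programs, lateral-movement ports, or non-standard ports
    exposed on the Public profile."""
    findings = []
    for name, value in rules.items():
        r = parse_rule(value)
        if (r.get("Action") != "Allow" or r.get("Dir") != "In"
                or r.get("Active", "TRUE") != "TRUE"):
            continue
        profiles = r.get("Profile", ["Domain", "Private", "Public"])
        app, port = r.get("App", ""), r.get("LPort")
        if app and USER_WRITABLE.match(app):
            findings.append((name, f"inbound allow for program in user-writable path {app}"))
        if port in SENSITIVE:
            findings.append((name, f"inbound allow exposes {SENSITIVE[port]} (port {port}) on {','.join(profiles)}"))
        elif port and port not in WELL_KNOWN and "Public" in profiles:
            findings.append((name, f"inbound allow on non-standard port {port} reaches the Public profile"))
    return findings


# Constructed sample registry content (real value names under FirewallRules are GUIDs).
LOCAL = {"DomainProfile": {"EnableFirewall": 1},
         "PrivateProfile": {"EnableFirewall": 1},
         "PublicProfile": {"EnableFirewall": 0}}          # as in Atomic Test #2
POLICY = {"DomainProfile": {"EnableFirewall": 0},       # as in the LockBit Black tests
          "StandardProfile": {"EnableFirewall": 0}}
RULES = {
    "rule1": "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=450|Name=atomic testing|",
    "rule2": "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=Open Port to Any|",
    "rule3": "v2.31|Action=Allow|Active=TRUE|Dir=In|App=C:\\Users\\alice\\AtomicTest.exe|Name=Atomic Test|",
    "rule4": "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=21|Name=New rule|",
    "rule5": "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=443|Profile=Domain|App=C:\\Program Files\\Web\\httpd.exe|Name=Web|",
    "rule6": "v2.31|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=445|Name=Block outbound SMB|",
}

if __name__ == "__main__":
    for profile, (enabled, source) in effective_state(LOCAL, POLICY).items():
        print(f"{profile}: {'enabled' if enabled else 'DISABLED'} ({source})")
    for name, detail in triage_rules(RULES):
        print(f"{name}: {detail}")
```

On the sample data every profile resolves to disabled, but for different reasons: Domain and Private through the Group Policy values the LockBit tests write, Public through the local value Atomic Test #2 writes. Reporting the source alongside the state tells the responder which key to clean up.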