Disable or Modify System Firewall

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modify particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

Example:

Adversaries may modify or disable these firewall rules so that traffic is allowed Inbound/Outbound form the Workstation this can be helpful in Lateral Movement, Exfiltration or just Communication with our C2

In the upper image we see our default settings for our Firewall you see that all Inbound Connections are not allowed but can have outbound connections, we see that their state is ON to disable we do the following.

As we can see the user receives a pop-up warning that the firewall has been turned off.

Firewall Disabled now any outbound and inbound connections are available and other techniques that allow adversaries to achieve malicious intent is also available now.

PreviousImpair Command History Logging NextIndicator Blocking

Last updated 3 years ago