Where am I?
SECURITM is an SGRC system that automates the processes of information security teams. SECURITM helps build and manage personal data information systems (ISPDn), critical information infrastructure (KII), state information systems (GIS), ISMS, and banking security systems.
SECURITM is also a place where security teams can exchange experience and work products.

Impair Defenses: Disable or Modify System Firewall

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

ID: T1562.004
Sub-technique of: T1562
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Windows
Data sources: Command: Command Execution, Firewall: Firewall Disable, Firewall: Firewall Rule Modification, Windows Registry: Windows Registry Key Modification
Version: 1.0
Created: 21 Feb 2020
Last modified: 29 Mar 2020

Procedure Examples

Name / Description
InvisiMole

InvisiMole has a command to disable routing and the Firewall on the victim’s machine.(Citation: ESET InvisiMole June 2018)

Carbanak

Carbanak may use netsh to add local firewall rule exceptions.(Citation: Group-IB Anunak)

NanoCore

NanoCore can modify the victim's firewall.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016)

BADCALL

BADCALL disables the Windows firewall before binding to a port.(Citation: US-CERT BADCALL)

Rocke

Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.(Citation: Talos Rocke August 2018)

TeamTNT

TeamTNT has disabled iptables.(Citation: Aqua TeamTNT August 2020)

Operation Wocao

Operation Wocao has used PowerShell to add and delete rules in the Windows firewall.(Citation: FoxIT Wocao December 2019)

H1N1

H1N1 kills and disables services for Windows Firewall.(Citation: Cisco H1N1 Part 2)

TYPEFRAME

TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.(Citation: US-CERT TYPEFRAME June 2018)

Dragonfly

Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389.(Citation: US-CERT TA18-074A)

netsh

netsh can be used to disable local firewall settings.(Citation: TechNet Netsh)(Citation: TechNet Netsh Firewall)

PyDCrypt

PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using `netsh.exe` on remote machines.(Citation: Checkpoint MosesStaff Nov 2021)

Cyclops Blink

Cyclops Blink can modify the Linux iptables firewall to enable C2 communication via a stored list of port numbers.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

Moses Staff

Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.(Citation: Checkpoint MosesStaff Nov 2021)

njRAT

njRAT has modified the Windows firewall to allow itself to communicate through the firewall.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)

Grandoreiro

Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.(Citation: ESET Grandoreiro April 2020)

UNC2452

UNC2452 used netsh to configure firewall rules that limited certain UDP outbound packets.(Citation: Microsoft Deep Dive Solorigate January 2021)

Remsec

Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.(Citation: Kaspersky ProjectSauron Technical Analysis)

ZxShell

ZxShell can disable the firewall by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.(Citation: Talos ZxShell Oct 2014)

DarkComet

DarkComet can disable Security Center functions like the Windows Firewall.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)

CookieMiner

CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found.(Citation: Unit42 CookieMiner Jan 2019)

Magic Hound

Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic - `"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389`.(Citation: DFIR Report APT35 ProxyShell March 2022)

During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.(Citation: FoxIT Wocao December 2019)

APT29

APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.(Citation: Microsoft Deep Dive Solorigate January 2021)

Lazarus Group

Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. (Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)

APT38

APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.(Citation: CISA AA20-239A BeagleBoyz August 2020)

Kimsuky

Kimsuky has been observed disabling the system firewall.(Citation: Securelist Kimsuky Sept 2013)

HOPLIGHT

HOPLIGHT has modified the firewall using netsh.(Citation: US-CERT HOPLIGHT Apr 2019)

HARDRAIN

HARDRAIN opens the Windows Firewall to modify incoming connections.(Citation: US-CERT HARDRAIN March 2018)

Dragonfly 2.0

Dragonfly 2.0 has disabled host-based firewalls. The group has also globally opened port 3389.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

BACKSPACE

The "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.(Citation: FireEye APT30)

Kasidet

Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded.(Citation: Zscaler Kasidet)

Mitigations

Mitigation / Description
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Detection

Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls.
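The detection guidance above can be expressed as a small set of rules over process-creation and registry telemetry. The following is an added example, not part of the original page: it scans constructed sample events (the `SAMPLE_EVENTS` string, its `type|user|image|detail` format and the rule names are all assumptions) for the netsh, PowerShell, iptables and FirewallPolicy registry patterns that the procedure examples on this page describe.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not taken from the page or any real incident).
# Format per line: type|user|image|detail, where detail is the command line
# for "proc" events and the modified value for "reg" events.
SAMPLE_EVENTS = """\
proc|CORP\\svc_backup|C:\\Windows\\System32\\netsh.exe|netsh advfirewall set allprofiles state off
proc|CORP\\jdoe|C:\\Windows\\System32\\netsh.exe|"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389
proc|CORP\\jdoe|C:\\Windows\\System32\\netsh.exe|netsh interface show interface
proc|root|/usr/sbin/iptables|iptables -F
proc|root|/usr/sbin/iptables|iptables -L -n
proc|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c Remove-NetFirewallRule -DisplayName "Block SMB"
reg|SYSTEM|C:\\Windows\\System32\\reg.exe|HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall=0
proc|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd /c dir
"""

# Detection rules (hypothetical names): (rule name, event type, regex over detail).
# Quoted binaries such as "netsh" are tolerated by matching \W+ after the name.
RULES = [
    ("firewall_disabled_netsh", "proc",
     re.compile(r"netsh\W+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("firewall_rule_changed_netsh", "proc",
     re.compile(r"netsh\W+advfirewall\s+firewall\s+(add|delete|set)\s+rule", re.I)),
    ("firewall_rule_changed_powershell", "proc",
     re.compile(r"(New|Remove|Set|Disable)-NetFirewallRule|Set-NetFirewallProfile", re.I)),
    ("iptables_flushed_or_opened", "proc",
     re.compile(r"iptables\s+(-F\b|--flush|-P\s+\w+\s+ACCEPT)", re.I)),
    ("firewall_policy_registry_disabled", "reg",
     re.compile(r"\\FirewallPolicy\\.*EnableFirewall=0", re.I)),
]


def detect(events: str) -> List[Dict[str, str]]:
    """Return one alert per event that matches a rule (first matching rule wins)."""
    alerts = []
    for line in events.splitlines():
        if not line.strip():
            continue
        etype, user, image, detail = line.split("|", 3)
        for name, rule_type, pattern in RULES:
            if etype == rule_type and pattern.search(detail):
                alerts.append({"rule": name, "user": user, "image": image, "detail": detail})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] user={alert['user']} image={alert['image']}")
```

In production the same rules would run over Sysmon Event ID 1/13, Windows Security 4688 or auditd execve records; benign administrative changes will also match, so the user and image fields are what an analyst uses to triage.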

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  3. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  4. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  5. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  6. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  7. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  8. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  9. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  10. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  11. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  12. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  13. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  14. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  15. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  16. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  17. Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  18. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
  19. Kol, R., Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  20. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  21. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  22. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  23. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  24. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  25. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  26. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  27. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  28. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  29. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  30. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  31. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  32. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
  33. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  34. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  35. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  36. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  37. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
