Skip to content

Hide Navigation Hide TOC

Firewall Rule Modification (d2ff4b56-8351-4ed8-b0fb-d8605366005f)

The creation, deletion, or alteration of firewall rules to allow or block specific network traffic. Monitoring changes to these rules is critical for detecting misconfigurations, unauthorized access, or malicious attempts to bypass network protections. Examples:

  • Rule Creation: Adding a new rule to allow inbound traffic on port 3389 (RDP).
  • Rule Deletion: Deleting a rule that blocks inbound traffic from untrusted IP ranges.
  • Rule Modification: Changing a rule to allow traffic from "any" source IP instead of a specific trusted range.
  • Audit Log Metadata: Logs indicating "Firewall rule modified by admin@domain.com."
  • Platform-Specific Scenarios
    • Azure: Altering rules in an Azure Network Security Group (NSG).
    • AWS: Modifying Security Group rules to allow traffic.
    • Windows: Changes tracked in Security Event Logs (EID 4950 or 4951).

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure: Collect rule modification logs from Azure Firewall Activity Logs.
    • Example Command: az network firewall policy rule-collection-group rule-collection list --policy-name <policy-name>
  • AWS: Use CloudTrail to track AuthorizeSecurityGroupIngress or RevokeSecurityGroupIngress actions. Example: aws ec2 describe-security-groups
  • Google Cloud: Use gcloud commands to extract firewall rules: gcloud compute firewall-rules list --format=json

Host-Based Firewalls

  • Windows:
    • Collect events from the Windows Security Event Log (EID 4950: A rule has been modified).
    • Use PowerShell to track rule changes: Get-NetFirewallRule -PolicyStore PersistentStore
  • Linux:
    • Monitor iptables or nftables rule modifications: iptables -L -v
    • Use auditd for real-time monitoring: auditctl -w /etc/iptables.rules -p wa
  • macOS: Use pfctl to monitor rule changes: sudo pfctl -sr

SIEM Integration

  • Collect logs from cloud platforms, host systems, and network appliances for centralized monitoring.

API Monitoring

  • Monitor API calls for firewall rule modifications.
Cluster A Galaxy A Cluster B Galaxy B Level
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Firewall Rule Modification (d2ff4b56-8351-4ed8-b0fb-d8605366005f) mitre-data-component 1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Firewall Rule Modification (d2ff4b56-8351-4ed8-b0fb-d8605366005f) mitre-data-component 1
Disable or Modify Cloud Firewall - T1562.007 (77532a55-c283-4cd2-bc5d-2d0b65e9d88c) Attack Pattern Firewall Rule Modification (d2ff4b56-8351-4ed8-b0fb-d8605366005f) mitre-data-component 1
Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc) Attack Pattern Firewall Rule Modification (d2ff4b56-8351-4ed8-b0fb-d8605366005f) mitre-data-component 1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Firewall Rule Modification (d2ff4b56-8351-4ed8-b0fb-d8605366005f) mitre-data-component 1
Wi-Fi Networks - T1669 (fde016f6-211a-41c8-a4ab-301f1e419c62) Attack Pattern Firewall Rule Modification (d2ff4b56-8351-4ed8-b0fb-d8605366005f) mitre-data-component 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2
Disable or Modify Cloud Firewall - T1562.007 (77532a55-c283-4cd2-bc5d-2d0b65e9d88c) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc) Attack Pattern 2