Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
-
Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall
-
Atomic Test #5 - Open a local port through Windows Firewall to any profile
-
Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location
Disables the iptables firewall
Supported Platforms: Linux
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service iptables stop
chkconfig off iptables
service ip6tables stop
chkconfig off ip6tables
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop firewalld
systemctl disable firewalld
fiDisables the Microsoft Defender Firewall for the current profile. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
Supported Platforms: Windows
netsh advfirewall set currentprofile state offnetsh advfirewall set currentprofile state on >nul 2>&1Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...
Supported Platforms: Windows
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yesnetsh advfirewall reset >nul 2>&1This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.
reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
Supported Platforms: Windows
netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1This test will attempt to open a local port defined by input arguments to any profile
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| local_port | This is the local port you wish to test opening | integer | 3389 |
netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=anynetsh advfirewall firewall delete rule name="Open Port to Any"This test will attempt to allow an executable through the system firewall located in the Users directory
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| exe_file_path | path to exe file | path | PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe |
netsh advfirewall firewall add rule name="Atomic Test" dir=in action=allow program="C:\Users\$env:UserName\AtomicTest.exe" enable=yesnetsh advfirewall firewall delete rule name="Atomic Test"if (Get-Item "C:\Users\$env:UserName\AtomicTest.exe") {exit 0} else {exit 1} Copy-Item #{exe_file_path} -Destination "C:\Users\$env:UserName"