turbot/tailpipe-mod-aws-cloudtrail-log-detections

Benchmark: T1562.004 Disable or Modify System Firewall

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. Non-Standard Port).

Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds. Settings related to enabling abuse of various Remote Services may also indirectly modify firewall rules.
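In AWS, the closest equivalents of a host firewall are security groups and network ACLs, and CloudTrail records every change to them. The following Python script is an added example, not one of this mod's detections and not code from the project: it scans a handful of constructed CloudTrail records for security-group and network-ACL modifications and raises the severity when a change opens a port to the whole internet, the kind of "open a well-known service to anyone" change the technique description calls out. The event names are real CloudTrail EC2 event names; the record layout is a simplified approximation of CloudTrail's JSON, and the sample records themselves are constructed.

```python
"""Added example: flag AWS CloudTrail events that modify security groups
or network ACLs (the AWS-side equivalents of a host firewall, T1562.004).
Not one of the mod's own detections; the record layout is a simplified
approximation of CloudTrail JSON and the sample records are constructed."""

# Real CloudTrail (EC2) event names that add, remove or replace firewall
# rules. Illustrative, not exhaustive.
FIREWALL_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry",
    "DeleteNetworkAclEntry", "DeleteNetworkAcl",
}
# Remote-administration ports: a world-open rule covering one of these is
# the kind of change the technique description singles out.
ADMIN_PORTS = {22, 3389}
WORLD_OPEN = {"0.0.0.0/0", "::/0"}


def _items(node):
    """CloudTrail nests list parameters as {"items": [...]}; tolerate a
    missing node or a plain list."""
    if node is None:
        return []
    return node.get("items", []) if isinstance(node, dict) else node


def world_open_ranges(permission):
    """CIDRs in one ipPermissions entry that cover the whole internet."""
    cidrs = [r.get("cidrIp") for r in _items(permission.get("ipRanges"))]
    cidrs += [r.get("cidrIpv6") for r in _items(permission.get("ipv6Ranges"))]
    return [c for c in cidrs if c in WORLD_OPEN]


def classify(event):
    """Return a finding for a firewall-modifying event, or None otherwise."""
    name = event.get("eventName")
    if name not in FIREWALL_EVENTS:
        return None
    finding = {
        "event": name,
        "actor": event.get("userIdentity", {}).get("arn", "<unknown>"),
        "severity": "medium",
        "reasons": ["security group or network ACL modified"],
    }
    params = event.get("requestParameters") or {}
    if name.startswith("AuthorizeSecurityGroup"):
        for perm in _items(params.get("ipPermissions")):
            if not world_open_ranges(perm):
                continue
            finding["severity"] = "high"
            lo, hi = perm.get("fromPort"), perm.get("toPort")
            finding["reasons"].append(
                f"world-open {perm.get('ipProtocol')} ports {lo}-{hi}")
            if lo is not None and hi is not None and any(lo <= p <= hi for p in ADMIN_PORTS):
                finding["reasons"].append("covers a remote-administration port")
    elif name in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry"):
        if params.get("ruleAction") == "allow" and params.get("cidrBlock") in WORLD_OPEN:
            finding["severity"] = "high"
            finding["reasons"].append("allow rule for the whole internet in a network ACL")
    return finding


def scan(records):
    """Run classify() over an iterable of CloudTrail records; keep findings."""
    return [f for f in map(classify, records) if f is not None]


# Constructed sample records (not real log data); the field layout
# approximates CloudTrail's requestParameters for the EC2 API.
SAMPLE_RECORDS = [
    {"eventName": "DescribeSecurityGroups",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {
         "groupId": "sg-0123456789abcdef0",
         "ipPermissions": {"items": [{
             "ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "RevokeSecurityGroupEgress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {
         "groupId": "sg-0123456789abcdef0",
         "ipPermissions": {"items": [{
             "ipProtocol": "-1",
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventName": "CreateNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {
         "networkAclId": "acl-0123456789abcdef0", "ruleNumber": 100,
         "protocol": "-1", "ruleAction": "allow", "egress": False,
         "cidrBlock": "0.0.0.0/0"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding["severity"].upper(), finding["event"], finding["actor"],
              "; ".join(finding["reasons"]))
```

Every rule change is reported at medium severity because, as the description notes, removing or revoking rules can matter as much as adding them; the world-open check only decides which findings deserve a first look. The mod's own detections run as SQL over Tailpipe's CloudTrail tables rather than over raw JSON, but the fields consulted here (eventName, userIdentity, requestParameters) are the same ones a query would key on.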

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections

Start the Powerpipe server:

powerpipe server

Open http://localhost:9033 in your browser and select T1562.004 Disable or Modify System Firewall.

Run this benchmark in your terminal:

powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0005_t1562_004

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161_ta0005_t1562_004 --share

Detections

Tags