Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from the host-based system firewalls described in Disable or Modify System Firewall.
Cloud environments typically rely on restrictive security groups and firewall rules that only allow network activity from trusted IP addresses over expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity (for instance, all ports and protocols from 0.0.0.0/0).(Citation: Expel IO Evil in AWS)
Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, or data exfiltration that would otherwise be blocked.
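As an added example (not from the ATT&CK technique page or the CTID mappings), the following Python reads AWS CloudTrail records and flags the behaviour described above: security group ingress opened to the whole internet, network ACL allow entries for 0.0.0.0/0 or ::/0, and deleted ACL entries. It is the AWS counterpart of the "port opened" and NSG administrative-operation hunts listed under the Azure Sentinel mapping further down. The event names and the `requestParameters` layout follow CloudTrail; the sample records, account number, IP addresses, resource IDs, the `ADMIN_PORTS` list and the severity thresholds are this example's own assumptions.

```python
"""Flag cloud firewall changes in AWS CloudTrail events (added example;
the sample records below are constructed, not real logs)."""
import ipaddress
import json

# API calls that alter what a cloud firewall permits.
RULE_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "DeleteSecurityGroup", "CreateNetworkAclEntry",
    "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}
# Assumed list of ports that should not face the whole internet.
ADMIN_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 6379, 27017}
SEVERITY = {"low": 0, "medium": 1, "high": 2}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (any /0 network)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ingress_ranges(req):
    """Yield (protocol, from_port, to_port, cidr) for every source range in an
    AuthorizeSecurityGroupIngress request. CloudTrail nests ranges under
    ipPermissions.items; the legacy flat form puts cidrIp at the top level."""
    items = req.get("ipPermissions", {}).get("items")
    if items is None:
        items = [req] if "cidrIp" in req else []
    for perm in items:
        proto = str(perm.get("ipProtocol", "-1"))
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        cidrs.append(perm.get("cidrIp"))  # legacy flat form; None otherwise
        for cidr in filter(None, cidrs):
            yield proto, lo, hi, cidr


def assess_event(event):
    """Return a finding for a firewall-changing event, or None if routine."""
    name = event.get("eventName")
    if name not in RULE_CHANGE_EVENTS:
        return None
    req = event.get("requestParameters") or {}
    finding = {"event": name, "severity": "low", "reasons": [],
               "actor": event.get("userIdentity", {}).get("arn", "unknown"),
               "source_ip": event.get("sourceIPAddress"),
               "target": req.get("groupId") or req.get("networkAclId")}

    def flag(level, reason):
        if SEVERITY[level] > SEVERITY[finding["severity"]]:
            finding["severity"] = level
        finding["reasons"].append(reason)

    if name == "AuthorizeSecurityGroupIngress":
        for proto, lo, hi, cidr in ingress_ranges(req):
            if not is_world_open(cidr):
                continue  # source scoped to a specific CIDR: routine change
            if proto == "-1" or (lo == 0 and hi == 65535):
                flag("high", f"all traffic from {cidr}")
            elif lo is not None and any(lo <= p <= hi for p in ADMIN_PORTS):
                flag("high", f"{proto}/{lo}-{hi} from {cidr} (admin or database port)")
            else:
                flag("medium", f"{proto}/{lo}-{hi} from {cidr}")
        if not finding["reasons"]:
            return None
    elif name in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry"):
        cidr = req.get("cidrBlock") or req.get("ipv6CidrBlock")
        if req.get("ruleAction") == "allow" and cidr and is_world_open(cidr):
            flag("high", f"NACL rule {req.get('ruleNumber')} allows {cidr}")
        else:
            flag("low", "NACL entry changed")
    elif name == "DeleteNetworkAclEntry":
        flag("medium", f"NACL rule {req.get('ruleNumber')} deleted (may have been a deny)")
    else:
        flag("low", "security group rule set changed")
    return finding


def scan(log_text):
    """Parse newline-delimited CloudTrail JSON records and return findings."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        finding = assess_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed CloudTrail records (made-up account, IPs and resource IDs).
SAMPLE_LOG = """
{"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [{"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}
{"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/netops"}, "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}]}}}
{"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/netops"}, "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}}
{"eventName": "DeleteNetworkAclEntry", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}, "requestParameters": {"networkAclId": "acl-0f00ba44", "ruleNumber": 90, "egress": false}}
{"eventName": "DescribeSecurityGroups", "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/netops"}, "requestParameters": {}}
"""
```

Running `scan(SAMPLE_LOG)` on the constructed records yields three findings: the all-traffic rule from 0.0.0.0/0 (high), the 443 rule opened to both 0.0.0.0/0 and ::/0 (medium) and the deleted NACL entry (medium); the SSH rule scoped to 203.0.113.0/24 and the read-only Describe call produce nothing. Ingress authorized from a scoped CIDR is deliberately treated as routine so the detection stays quiet on normal change activity; the actor and source IP in each finding are what an analyst would pivot on next, since the AC-2/AC-6/CM-5 controls mapped below are about who is allowed to make these calls in the first place.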
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1562.007 | Disable or Modify Cloud Firewall | |
AC-3 | Access Enforcement | Protects | T1562.007 | Disable or Modify Cloud Firewall | |
AC-5 | Separation of Duties | Protects | T1562.007 | Disable or Modify Cloud Firewall | |
AC-6 | Least Privilege | Protects | T1562.007 | Disable or Modify Cloud Firewall | |
CM-5 | Access Restrictions for Change | Protects | T1562.007 | Disable or Modify Cloud Firewall | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1562.007 | Disable or Modify Cloud Firewall | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1562.007 | Disable or Modify Cloud Firewall | |
Comments
The following Azure Sentinel Hunting queries can identify potentially malicious modifications to cloud firewall resources: "Azure Network Security Group NSG Administrative Operations" query can identify potential defensive evasion involving changing or disabling network access rules. "Port opened for an Azure Resource" may indicate an adversary increasing the accessibility of a resource for easier collection/exfiltration.
The Azure Sentinel Analytics "Security Service Registry ACL Modification" query can detect attempts to modify registry ACLs, potentially done to evade security solutions.