Firewall

A remote, anonymous attacker can exploit multiple vulnerabilities in OPNsense to bypass security measures and execute arbitrary code, potentially leading to complete system compromise.

Multiple vulnerabilities in SonicWall firewalls could allow an attacker to cause a remote denial of service and security policy bypass, potentially disrupting network services and compromising security controls.

The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.

An attacker may modify or delete Azure Firewall rule collections (Application, NAT, and Network) to impair defenses and potentially enable malicious traffic.

An Azure firewall was created, modified, or deleted, potentially indicating malicious activity aimed at impairing network defenses.

Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.

The analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.

Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.

Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.