Firewall

This analytic detects instances where prohibited network traffic is allowed, highlighting potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration, ultimately allowing attackers to bypass network defenses.

Multiple vulnerabilities have been disclosed in SonicWall Gen6 and Gen7 firewalls, SonicOS, and NSv that can be exploited for authentication bypass, remote code execution, and privilege escalation, specifically CVE-2024-40762, CVE-2024-53704, CVE-2024-53705, and CVE-2024-53706; a proof of concept exploit is available for CVE-2024-53704, which, if exploited, can lead to internal network access and further attacks, including ransomware deployment.

A buffer overflow vulnerability in Palo Alto Networks PAN-OS IKEv2 processing (CVE-2026-0263) allows unauthenticated network-based attackers to execute arbitrary code with elevated privileges or cause a denial of service, affecting versions 12.1, 11.2, and 11.1 when configured with Post Quantum Cryptography (PQC).

Multiple vulnerabilities in SonicWall firewalls could allow an attacker to cause a remote denial of service and security policy bypass, potentially disrupting network services and compromising security controls.

SonicWall released a security advisory to address vulnerabilities in Gen6, Gen7, and Gen8 firewalls and SonicOS, urging users to update affected firmware versions to mitigate potential exploits.

The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.

An attacker may modify or delete Azure Firewall rule collections (Application, NAT, and Network) to impair defenses and potentially enable malicious traffic.

An Azure firewall was created, modified, or deleted, potentially indicating malicious activity aimed at impairing network defenses.

Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.

The analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.

Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.

This detection identifies instances where a Windows Firewall rule has been modified, potentially indicating an attempt to weaken security policies and allow malicious traffic or prevent legitimate communications.

Detection of Windows Firewall rule deletion events (Event ID 4948) indicating potential attacker attempts to bypass security controls or malware disabling protections for persistence and command-and-control.

This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log, potentially indicating unauthorized changes or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms.

This analytic detects suspicious modifications to system firewall rules to allow execution of applications from notable and potentially malicious file paths, indicating an attempt to bypass firewall restrictions for malicious code execution.

Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.

This brief details a Splunk search that identifies suspicious command-line activity modifying iptables firewall settings on Linux systems, potentially indicating Cyclops Blink malware activity allowing C2 communication by opening specific TCP ports.

Detection of firewall rule modification to allow specific application execution, potentially bypassing restrictions and enabling unauthorized network communication.

This detection identifies when the ESXi firewall is disabled or set to permissive mode, potentially exposing the host to unauthorized access and network-based attacks, often preceding lateral movement, data exfiltration, or malware installation.

The analytic detects suspicious disabling or modification of the system firewall on Linux systems, which can indicate unauthorized access or attempts to maintain control over a system by disabling host protections.