
Firewall Enumeration (bf91faa8-0049-4870-810a-4df55e0b77ee)

Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples:

  • Querying Host-Based Firewalls: Using Windows PowerShell commands like Get-NetFirewallRule or Linux commands such as iptables -L or firewall-cmd --list-all.
  • Cloud Firewall Rule Listing: Running commands like az network firewall list for Azure or aws ec2 describe-security-groups for AWS.
  • Using Management APIs: Leveraging APIs like Google Cloud Firewall's list API method or AWS's DescribeSecurityGroups API.
  • Identifying Misconfigurations: Extracting firewall rules to identify "allow all" policies or rules that lack logging.
  • Enumerating with CLI Tools: Using CLI commands like gcloud compute firewall-rules list to extract firewall settings in Google Cloud.

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure Activity Logs: Collect logs from Azure Firewall to monitor rule listing commands. Enable logging for az network firewall commands.
  • AWS CloudTrail: Monitor calls to the DescribeSecurityGroups or DescribeNetworkAcls APIs.
  • Google Cloud Operations Suite: Collect logs for gcloud compute firewall-rules list or API calls to firewalls.list.

Host-Based Firewalls

  • Windows Event Logs: Use PowerShell transcription logs to capture commands like Get-NetFirewallRule.
  • Linux Auditd: Track executions of commands like iptables -L or ufw status using auditd: auditctl -a always,exit -F arch=b64 -S execve -k firewall_enum
  • macOS: Monitor logs for firewall-related queries via the Console app or log monitoring tools.

SIEM Integration

  • Collect logs from endpoints and cloud platforms to centralize data and detect enumeration activity.

Endpoint Detection and Response (EDR)

  • Use EDR tools to track enumeration commands or API calls performed on managed devices.

CSPM Tools

  • Deploy Cloud Security Posture Management tools to monitor for unauthorized enumeration of firewall rules or configurations.
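The detection logic the collection measures above describe, as an added example that is not part of this page or of the ATT&CK/MISP project: it matches CloudTrail and GCP audit records against the API names listed on the page, and rebuilds the command line from auditd EXECVE records (produced by the firewall_enum rule above) and PowerShell transcript lines to match the host commands. The sample records are constructed; the GCP methodName string and the field layouts are assumptions.

```python
import re

# Cloud control-plane calls the page names as firewall enumeration (CloudTrail
# eventName values; the GCP methodName string is an assumed form).
CLOUD_ENUM_EVENTS = {"DescribeSecurityGroups", "DescribeNetworkAcls",
                     "v1.compute.firewalls.list"}
# Host commands the page names, matched against a reconstructed command line.
HOST_ENUM_PATTERNS = [
    re.compile(r"^(?:/\S*/)?iptables\b.*\s(?:-L|--list)\b"),
    re.compile(r"^(?:/\S*/)?ufw\s+status\b"),
    re.compile(r"^(?:/\S*/)?firewall-cmd\b.*--list-all\b"),
    re.compile(r"\bGet-NetFirewallRule\b", re.IGNORECASE),  # PowerShell transcript
]
# Constructed samples: a CloudTrail record, a GCP audit entry, auditd EXECVE
# records (key firewall_enum, from the rule above) and a PowerShell transcript line.
CLOUD_SAMPLE = [
    {"eventName": "DescribeSecurityGroups", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"protoPayload": {"methodName": "v1.compute.firewalls.list",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
]
HOST_SAMPLE = [
    'type=EXECVE msg=audit(1700000000.100:501): argc=3 a0="iptables" a1="-L" a2="-n"',
    'type=EXECVE msg=audit(1700000000.200:502): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1700000000.300:503): argc=2 a0="/usr/sbin/ufw" a1="status"',
    'PS C:\\> Get-NetFirewallRule -Enabled True',
]

def cloud_hits(records):
    """Return (call name, principal) for each firewall-listing API call."""
    hits = []
    for r in records:
        payload = r.get("protoPayload", {})
        name = r.get("eventName") or payload.get("methodName")
        if name in CLOUD_ENUM_EVENTS:
            who = (r.get("userIdentity", {}).get("arn")
                   or payload.get("authenticationInfo", {}).get("principalEmail"))
            hits.append((name, who))
    return hits

def auditd_cmdline(line):
    """Rebuild argv from argc/a0..aN (quoted form only; auditd hex-encodes args with spaces)."""
    fields = dict(re.findall(r'(\w+)="?([^"\s]+)"?', line))
    return " ".join(fields.get(f"a{i}", "") for i in range(int(fields.get("argc", 0))))

def host_hits(lines):
    """Return reconstructed command lines matching a firewall enumeration pattern."""
    hits = []
    for line in lines:
        cmd = auditd_cmdline(line) if "type=EXECVE" in line else line
        if any(p.search(cmd) for p in HOST_ENUM_PATTERNS):
            hits.append(cmd)
    return hits
```

Feed it the raw records from your SIEM export; hits on service principals or automation accounts that never list rules in normal operation are the ones worth triaging.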

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | Firewall Enumeration (bf91faa8-0049-4870-810a-4df55e0b77ee) | mitre-data-component | 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Firewall Enumeration (bf91faa8-0049-4870-810a-4df55e0b77ee) | mitre-data-component | 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | 2