TH16113
Detected presence of software components that can tamper with the system network settings.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | high | None | None |
About the issueโ
Software components sometimes need to interact with higher privilege parts of the operating system, often requiring administrative access to accomplish a task. Operating systems include a complete network stack with many services that allow the machine to connect to the internet. Some of these services are used to secure network access. For that reason, attackers often aim to tamper with system network settings. Disabling firewalls and other network security features enable the malicious code to execute without being blocked. While the presence of code that tampers with system network settings does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that interact with system network settings. One example of acceptable use for such functions is allowing specialized applications to use non-standard network ports by updating the firewall allowlist.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1562.004 - Disable or Modify System Firewall.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1562.004 - Disable or Modify System Firewall (External resource - Mitre ATT&CK documentation)
- Firewall (External resource - Wikipedia)