V
Scaner-VS
ENRU
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
← Back to List
T1686Enterprise
Matrix: Enterprise
Status: Active
STIX: 19.0
Source ↗

Disable or Modify System Firewall

Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port. Adversaries may disable or modify firewalls using different behaviors, depending on the platform. For example, in ESXi, firewall rules may be modified directly via the esxcli (e.g., via esxcli network firewall set) or via the vCenter user interface.

Tactics

Defense Impairment

Sub-techniques

T1686.001
Cloud Firewall
T1686.002
Network Device Firewall
T1686.003
Windows Host Firewall

Platforms

ESXiLinuxmacOSNetwork DevicesWindows

Mitigations

M1018
User Account Management
M1022
Restrict File and Directory Permissions
M1024
Restrict Registry Permissions
M1047
Audit
Open in catalog with ATT&CK filter →

Related CAPECs

Affected vulnerabilities (Inferred)

View on attack.mitre.org ↗
No matches — refine the filter to see a result.