T1562.007 Disable or Modify Cloud Firewall Mappings

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)

Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
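The rule changes described above leave an audit trail in the cloud provider's control-plane logs. The following detection sketch is an added example, not part of the ATT&CK page or the mappings project: it triages constructed records shaped like AWS CloudTrail EC2 security-group events (all ARNs, group IDs and CIDRs are made up) and flags ingress opened to any source or removal of existing limitations.

```python
# Detection logic for T1562.007: flag security-group changes that open ingress
# to any source or remove network limitations. Added example, not from the page;
# EVENTS is constructed to imitate AWS CloudTrail records (all values made up).
import ipaddress

LIMIT_REMOVAL = {"RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "DeleteSecurityGroup"}

def is_any_source(cidr):
    """True for 0.0.0.0/0, ::/0 or any prefix that covers all addresses."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def open_permissions(event):
    """Yield (protocol, cidr) for each ingress rule reachable from anywhere."""
    perms = (event.get("requestParameters") or {}).get("ipPermissions") or {}
    for perm in perms.get("items", []):
        proto = str(perm.get("ipProtocol", "?"))  # "-1" means every protocol
        ranges = list((perm.get("ipRanges") or {}).get("items", []))
        ranges += (perm.get("ipv6Ranges") or {}).get("items", [])
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6") or ""
            if is_any_source(cidr):
                yield proto, cidr

def triage(event):
    """Return a finding string for a suspicious event, or None."""
    name = event.get("eventName", "")
    who = event.get("userIdentity", {}).get("arn", "unknown")
    if name == "AuthorizeSecurityGroupIngress":
        opened = [f"{p}:{c}" for p, c in open_permissions(event)]
        if opened:
            return f"{name} by {who}: ingress from anywhere ({', '.join(opened)})"
    elif name in LIMIT_REMOVAL:
        return f"{name} by {who}: network limitation removed, review intent"
    return None

ARN = "arn:aws:iam::111122223333:user/example"  # constructed identity
EVENTS = [  # constructed CloudTrail-like records
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"arn": ARN},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"arn": ARN},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}]}}},
    {"eventName": "RevokeSecurityGroupEgress", "userIdentity": {"arn": ARN},
     "requestParameters": {"groupId": "sg-0example"}},
]
```

Only the first and third constructed events produce findings; the scoped TCP/443 rule from a single /24 is left alone, which is the distinction the AC-06 and CM-05 controls below are meant to enforce.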

Mappings

Capability ID | Capability Description                                         | Mapping Type | ATT&CK ID | ATT&CK Name
------------- | ------------------------------------------------------------- | ------------ | --------- | --------------------------------
AC-02         | Account Management                                            | Protects     | T1562.007 | Disable or Modify Cloud Firewall
AC-03         | Access Enforcement                                            | Protects     | T1562.007 | Disable or Modify Cloud Firewall
AC-05         | Separation of Duties                                          | Protects     | T1562.007 | Disable or Modify Cloud Firewall
AC-06         | Least Privilege                                               | Protects     | T1562.007 | Disable or Modify Cloud Firewall
CM-05         | Access Restrictions for Change                                | Protects     | T1562.007 | Disable or Modify Cloud Firewall
IA-02         | Identification and Authentication (Organizational Users)      | Protects     | T1562.007 | Disable or Modify Cloud Firewall