T1562.004 Disable or Modify System Firewall Mappings

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. Non-Standard Port).(Citation: change_rdp_port_conti)

Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various Remote Services may also indirectly modify firewall rules.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Disable controls Disable or interfere with security controls related-to T1562.004 Disable or Modify System Firewall
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1562.004 Disable or Modify System Firewall

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_inspector Amazon Inspector technique_scores T1562.004 Disable or Modify System Firewall
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal.
References