Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port.(Citation: change_rdp_port_conti)
Adversaries may disable or modify firewalls using different behaviors, depending on the platform. For example, in ESXi, firewall rules may be modified directly via the esxcli (e.g., via esxcli network firewall set) or via the vCenter user interface.(Citation: Broadcom ESXi Firewall)(Citation: Trellix Rnasomhouse 2024)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1686 | Disable or Modify System Firewall | |
| action.hacking.variety.Disable controls | Disable or interfere with security controls | related-to | T1686 | Disable or Modify System Firewall |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1686.003 | Windows Host Firewall | 1 |
| T1686.002 | Network Device Firewall | 1 |
| T1686.001 | Cloud Firewall | 4 |