T1562.004: T1562.004
Essential information
- MITRE technique ID
T1562.004- Confidence
- 100/100
- Revoked
- No
- Published
- 21/02/2020 22:00
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
Disable or Modify System Firewall
Platforms
windows macos linux Network Devices ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (39)
-
Medusa Group relatedThe MITRE Corporation Confidence 100
[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mercenary Akula relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Salt Typhoon relatedThe MITRE Corporation Confidence 100
[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Shai-Hulud relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Tadashi relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TeamTNT relatedThe MITRE Corporation Confidence 100
[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The Gentlemen relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ToddyCat relatedThe MITRE Corporation Confidence 100
[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets…
First seen 01/01/1970 · Last seen 16/11/5138 · -
UAT-7810 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC5337 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (79)
-
GHOSTKNIFE usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
VenomRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PsExec usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LODEINFO usesAlienVault Confidence 100
[LODEINFO](https://attack.mitre.org/software/S9020) is a fileless backdoor malware first identified in 2020 that has been used by actors including [MirrorFace](https://attack.mitre.org/groups/G1054), primarily against media, diplomatic, governmental, and public sector organizations in…
First seen 01/01/1970 · Last seen 16/11/5138 · -
GHOSTSABER usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NanoCore usesFamily The MITRE Corporation Confidence 100
[NanoCore](https://attack.mitre.org/software/S0336) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors…
First seen 01/01/1970 · Last seen 16/11/5138 · -
HOPLIGHT usesFamily The MITRE Corporation Confidence 100
[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LV usesThe MITRE Corporation Confidence 100
[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Sliver usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PureCrypter usesAlienVault Confidence 100
PureCrypter is a fully-featured malware loader, developed by a threat actor called “PureCoder," that has been in use since at least 2021 to distribute a variety of remote…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PRIVATELOADER usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (39)
-
AlienVault Confidence 100 6 CVEs 20 MITREs 5 Malwares 81 IOCs 4 Observables 1 APT
-
1 CVE 18 MITREs 2 Malwares 8 Observables
-
19 MITREs 3 Malwares 10 Observables 1 APT
-
46 MITREs 6 Malwares 27 Observables 1 APT
-
6 CVEs 19 MITREs 3 Malwares 4 Observables
-
6 MITREs 1 Malware 2 Observables
-
9 MITREs 3 Malwares 10 Observables 1 APT
-
3 CVEs 16 MITREs 5 Observables
-
14 MITREs 1 Malware 2 Observables
-
26 MITREs 11 Observables
-
8 MITREs 1 Malware 9 Observables 1 APT
-
12 MITREs 4 Observables 1 APT
Vulnerabilities (CVE) (42)
ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
- Published
- 03/11/2021
- Modified
- 21/12/2025
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated …
- Published
- 28/01/2026
- Modified
- 29/01/2026
A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, …
- Attack vector
- NETWORK
- Published
- 28/01/2020
- Modified
- 21/12/2025
F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …
- Published
- 10/05/2022
- Modified
- 20/12/2025
A memory corruption issue was addressed with improved lock state checking. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 12/12/2025
- Modified
- 04/04/2026
- Published
- 20/12/2025
- Modified
- 21/12/2025
Campaign (2)
-
SolarWinds Compromise uses
-
APT28 Nearest Neighbor Campaign uses
Course Of Action (2)
-
Restrict File and Directory Permissions mitigates
-
User Account Management mitigates