T1562.004: T1562.004

216.73.216.233

View on MITRE ATT&CK The MITRE Corporation · Published 21/02/2020 22:00 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1562.004
Confidence: 100/100
Revoked: No
Published: 21/02/2020 22:00
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Disable or Modify System Firewall

Platforms

windows macos linux Network Devices ESXi

Description

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti) Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules. In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion