T1686: Disable or Modify System Firewall

216.73.217.64

T1686: Disable or Modify System Firewall

View on MITRE ATT&CK The MITRE Corporation · Published 04/05/2026 16:33 · Modified 04/05/2026 16:33

Essential information

MITRE technique ID: T1686
Confidence: 75/100
Revoked: No
Published: 04/05/2026 16:33
Modified: 04/05/2026 16:33
Author / Source: The MITRE Corporation

Platforms

windows macos linux Network Devices ESXi

Description

Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port.(Citation: change_rdp_port_conti) Adversaries may disable or modify firewalls using different behaviors, depending on the platform. For example, in ESXi, firewall rules may be modified directly via the esxcli (e.g., via esxcli network firewall set) or via the vCenter user interface.(Citation: Broadcom ESXi Firewall)(Citation: Trellix Rnasomhouse 2024)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-impairment
mitre-attack-v19	defense-impairment