Impair Defenses: Disable or Modify System Firewall

Created the Tuesday 07 February 2023. Updated 6 months, 3 weeks ago.

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

Technique Identifier

T1562.004

Technique Tags

Defense Evasion bypass firewall disable firewall modify firewall rules APT29 APT38 enable adversary C2 communications lateral movement data exfiltration

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Impair Defenses: Disable or Modify System Firewall, Sub-technique T1562.004 - Enterprise | MITRE ATT&CK®