Description
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.
Adversaries may obtain access to devices such as routers, switches, or other perimeter/network devices and change access control lists (ACLs), security zones, or policy rules to permit otherwise blocked traffic. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Allowing access to internal network subnets may enable unrestricted inbound/outbound connectivity or open paths for command and control and lateral movement.
Adversaries may obtain access to network device management interfaces via Valid Accounts or by exploiting vulnerabilities. In some cases, threat actors may target firewalls and other network infrastructure that are exposed to the internet by leveraging weaknesses in public-facing applications (Exploit Public-Facing Application).(Citation: CVE-2024-55591 Detail)
Adversaries may also modify host networking configurations that indirectly manipulate system firewalls, such as adjusting interface bandwidth or network connection request thresholds.
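One way to catch the rule additions and policy changes described above is to diff a device's live ruleset against a known-good baseline. The following is an added example, not code from MITRE ATT&CK or from any vendor; it assumes a Linux iptables-based device (as in the Cyclops Blink entry below) and uses two constructed `iptables -S` dumps as input.

```python
"""Audit an iptables ruleset against a known-good baseline.

Added example (not part of the ATT&CK page). It flags chain policies that
were opened, added ACCEPT rules that lack a source or port restriction,
and baseline rules that disappeared.
"""
import re

# Constructed sample: ruleset captured before the change.
BASELINE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -p tcp --dport 443 -j ACCEPT
"""

# Constructed sample: ruleset after an unauthorised modification.
CURRENT = """\
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 8443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
"""

def _rules(dump):
    """Split an `iptables -S` dump into a set of whitespace-normalised lines."""
    return {" ".join(line.split()) for line in dump.splitlines() if line.strip()}

def _widens_access(rule):
    """An ACCEPT rule with no source or no port restriction widens access."""
    return rule.endswith("-j ACCEPT") and (" -s " not in rule or "--dport " not in rule)

def audit(baseline, current):
    """Return findings as (kind, detail) tuples, ordered by kind then rule."""
    base, cur = _rules(baseline), _rules(current)
    base_pol = dict(re.findall(r"^-P (\S+) (\S+)$", baseline, re.M))
    cur_pol = dict(re.findall(r"^-P (\S+) (\S+)$", current, re.M))
    findings = []
    for chain, policy in cur_pol.items():
        if policy == "ACCEPT" and base_pol.get(chain) != "ACCEPT":
            findings.append(("policy-opened", f"{chain} {policy}"))
    for rule in sorted(r for r in cur - base if r.startswith("-A")):
        findings.append(("added-permissive" if _widens_access(rule) else "added", rule))
    for rule in sorted(r for r in base - cur if r.startswith("-A")):
        findings.append(("removed", rule))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(BASELINE, CURRENT):
        print(f"{kind:17} {detail}")
```

In practice the baseline comes from configuration management and the current dump from the device; any non-empty result should be correlated with the change-control and login records for that device.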
Mitigations (3)
Update Software (M1051)
Ensure the network firewall is up to date with security patches.
Audit (M1047)
Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.
User Account Management (M1018)
Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443. (Citatio... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level. (Citation: ESE... |
| S0687 | Cyclops Blink | Malware | [Cyclops Blink](https://attack.mitre.org/software/S0687) can modify the Linux iptables firewall to enable C2 communication on network devices via a st... |
Frequently Asked Questions
What is T1686.002 (Network Device Firewall)?
T1686.002 is a MITRE ATT&CK technique named 'Network Device Firewall'. It belongs to the Defense Impairment tactic(s). Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage. Adversaries may obtain acces...
How can T1686.002 be detected?
Detection of T1686.002 (Network Device Firewall) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1686.002?
There are 3 documented mitigations for T1686.002. Key mitigations include: Update Software, Audit, User Account Management.
Which threat groups use T1686.002?
Known threat groups using T1686.002 include: APT38.