Description
Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (domain, private, public), or adding, deleting, and modifying firewall rules to allow or restrict traffic.(Citation: Nearest Neighbor Volexity)
Adversaries may perform these modifications through several mechanisms, depending on the Windows version and the access level they hold. Examples include command-line utilities (netsh advfirewall, or PowerShell cmdlets such as Set-NetFirewallProfile and New-NetFirewallRule), direct Windows Registry edits (altering profile state and rule definitions under the firewall policy keys), or the Windows Security interface reached through Control Panel. Each of these paths requires local administrator rights on the host, which is why the mitigations below centre on permissions.
By disabling or modifying the host firewall, adversaries can expose remote services (for example RDP), open inbound ports for command and control traffic, or stage rules that enable later actions.
Platforms
Windows
Mitigations (4)
Restrict File and Directory Permissions (M1022)
Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.
Restrict Registry Permissions (M1024)
Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings.
User Account Management (M1018)
Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.
Audit (M1047)
Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.
Threat Groups (6)
| ID | Group | Context |
|---|---|---|
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) can modify the system firewall to allow communication to certain ports.(Citation: JPCERT MirrorFac... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has modified Windows firewall rules to enable remote access.(Citation: Symantec Crambus OCT 2023) |
| G1009 | Moses Staff | [Moses Staff](https://attack.mitre.org/groups/G1009) has used batch scripts that can disable the Windows firewall on specific remote machines.(Citatio... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has disabled Windows Defender protections to allow for follow-on activities within the comprom... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has added the following rule to a victim's Windows firewall to allow RDP traffic - `"netsh" advfi... |
| G0032 | Lazarus Group | Various [Lazarus Group](https://attack.mitre.org/groups/G0032) malware modifies the Windows firewall to allow incoming connections or disable it entir... |
Associated Software (9)
| ID | Name | Type | Context |
|---|---|---|---|
| S0245 | BADCALL | Malware | [BADCALL](https://attack.mitre.org/software/S0245) disables the Windows firewall before binding to a port.(Citation: US-CERT BADCALL) |
| S0334 | DarkComet | Malware | [DarkComet](https://attack.mitre.org/software/S0334) can disable Security Center functions like the Windows Firewall.(Citation: TrendMicro DarkComet S... |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) can add or remove applications or ports on the Windows firewall or disable it entirely.(Citation: Ka... |
| S0263 | TYPEFRAME | Malware | [TYPEFRAME](https://attack.mitre.org/software/S0263) can open the Windows Firewall on the victim’s machine to allow incoming connections.(Citation: US... |
| S0132 | H1N1 | Malware | [H1N1](https://attack.mitre.org/software/S0132) kills and disables services for Windows Firewall.(Citation: Cisco H1N1 Part 2) |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) has modified the Windows firewall to allow itself to communicate through the firewall.(Citation: Fide... |
| S0246 | HARDRAIN | Malware | [HARDRAIN](https://attack.mitre.org/software/S0246) opens the Windows Firewall to modify incoming connections.(Citation: US-CERT HARDRAIN March 2018) |
| S1181 | BlackByte 2.0 Ransomware | Malware | [BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) modifies the Windows firewall during execution.(Citation: Microsoft BlackByte 2023... |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) can reconfigure Windows firewalls to enable communication by adding a rule named “Cortana” to a... |
Frequently Asked Questions
What is T1686.003 (Windows Host Firewall)?
T1686.003 is a MITRE ATT&CK technique named 'Windows Host Firewall'. It belongs to the Defense Impairment tactic(s). Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (dom...
How can T1686.003 be detected?
Detection of T1686.003 (Windows Host Firewall) rests on three telemetry sources. Process-creation logging (Security event 4688 with command-line auditing enabled, or Sysmon event 1) catches the command-line path: `netsh advfirewall set ... state off`, `netsh advfirewall firewall add rule ... action=allow`, `Set-NetFirewallProfile -Enabled False`, `New-NetFirewallRule -Action Allow`, and service stops against mpssvc. The Windows Firewall operational log (Microsoft-Windows-Windows Firewall With Advanced Security/Firewall) records the change itself regardless of how it was made: event 2003 for a profile setting change, and 2004, 2005 and 2006 for a rule added, modified or deleted; with the "Audit MPSSVC Rule-Level Policy Change" subcategory enabled, the Security log adds 4946, 4947 and 4948 (rule added, modified, deleted) and 4950 (setting changed). Registry monitoring on HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy catches direct writes that bypass both utilities. Baseline the rule names and profile changes applied by Group Policy refresh and software installers, alert on the rest, and treat a new inbound allow rule for RDP or a disabled profile as high priority given the group behaviour listed above.
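The three mechanisms in the Description (netsh, PowerShell cmdlets, registry edits) each leave different telemetry, and the detection answer above lists the sources. As an added example that is not part of the MITRE ATT&CK page or any vendor product, the following Python classifies constructed endpoint events into mechanism and behaviour. The event schema, host names, rule GUID and port numbers are assumptions made for the illustration; the registry path, cmdlet names, netsh syntax and firewall log event IDs are real.

```python
# Added example (not from MITRE ATT&CK or any vendor): classify host-firewall
# tampering from endpoint telemetry covering netsh/PowerShell command lines,
# registry writes, firewall service stops and the firewall's own change log.
# Field names and sample events are constructed, not captured from a real host.
import re
from dataclasses import dataclass
from typing import Optional

# Where the Windows Firewall service (MpsSvc) keeps profile state and rules;
# writes here change the firewall without netsh or PowerShell ever running.
FIREWALL_POLICY_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                       r"\Parameters\FirewallPolicy")

# Change events in the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log.
FIREWALL_LOG_EVENTS = {2003: "profile setting changed", 2004: "rule added",
                       2005: "rule modified", 2006: "rule deleted"}

@dataclass
class Event:
    kind: str            # "process" | "registry" | "eventlog" (assumed schema)
    host: str
    cmdline: str = ""    # process creation command line
    key: str = ""        # full registry value path (key\value name)
    data: str = ""       # registry value data as written
    event_id: int = 0    # event log record ID

@dataclass
class Finding:
    host: str
    mechanism: str       # netsh | powershell | service | registry | eventlog
    behavior: str
    evidence: str

# (pattern, mechanism, behavior), checked in order; first match wins.
_CMD_RULES = [
    (r"netsh\s+advfirewall\s+set\s+\w+profiles?\s+state\s+off", "netsh", "disable_profile"),
    (r"netsh\s+firewall\s+set\s+opmode\s+(mode=)?disable", "netsh", "disable_profile"),
    (r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow", "netsh", "add_allow_rule"),
    (r"netsh\s+advfirewall\s+firewall\s+(set|delete)\s+rule\b", "netsh", "modify_or_delete_rule"),
    (r"Set-NetFirewallProfile\b.*-Enabled\s+(\$?false|0)\b", "powershell", "disable_profile"),
    (r"New-NetFirewallRule\b.*-Action\s+Allow\b", "powershell", "add_allow_rule"),
    (r"(Set|Remove|Disable)-NetFirewallRule\b", "powershell", "modify_or_delete_rule"),
    (r"\b(net\s+stop|sc\s+(config|stop))\s+mpssvc\b", "service", "stop_firewall_service"),
]

def _classify_registry(ev: Event) -> Optional[Finding]:
    if not ev.key.lower().startswith(FIREWALL_POLICY_KEY.lower()):
        return None
    tail = ev.key[len(FIREWALL_POLICY_KEY):].lower()
    evidence = f"{ev.key} = {ev.data}"
    if tail.endswith("\\enablefirewall") and ev.data.strip() in ("0", "0x0"):
        return Finding(ev.host, "registry", "disable_profile", evidence)
    if "\\firewallrules\\" in tail and "action=allow" in ev.data.lower():
        return Finding(ev.host, "registry", "add_allow_rule", evidence)
    return Finding(ev.host, "registry", "firewall_policy_write", evidence)

def _classify_eventlog(ev: Event) -> Optional[Finding]:
    desc = FIREWALL_LOG_EVENTS.get(ev.event_id)
    if desc is None:
        return None
    return Finding(ev.host, "eventlog", desc.replace(" ", "_"), f"event {ev.event_id}")

def classify(ev: Event) -> Optional[Finding]:
    """Return a Finding for firewall tampering, or None for unrelated or read-only events."""
    if ev.kind == "process":
        text = re.sub(r"['\"]", " ", ev.cmdline)  # so a quoted "netsh" still matches
        for pattern, mechanism, behavior in _CMD_RULES:
            if re.search(pattern, text, re.IGNORECASE):
                return Finding(ev.host, mechanism, behavior, ev.cmdline)
        return None
    if ev.kind == "registry":
        return _classify_registry(ev)
    if ev.kind == "eventlog":
        return _classify_eventlog(ev)
    return None

def scan(events):
    return [f for f in map(classify, events) if f is not None]

# Constructed telemetry, not real captures; hosts, ports and the rule GUID are made up.
SAMPLE_EVENTS = [
    Event("process", "ws01", cmdline="netsh advfirewall set allprofiles state off"),
    Event("process", "ws01", cmdline='"netsh" advfirewall firewall add rule name="Remote Desktop" '
                                     "dir=in action=allow protocol=TCP localport=3389"),
    Event("process", "ws02", cmdline='powershell -c "Set-NetFirewallProfile -Profile Public -Enabled False"'),
    Event("process", "ws02", cmdline="powershell New-NetFirewallRule -DisplayName Cortana "
                                     "-Direction Inbound -Action Allow -Protocol TCP -LocalPort 443"),
    Event("process", "ws03", cmdline="net stop mpssvc"),
    Event("registry", "ws03", key=FIREWALL_POLICY_KEY + r"\StandardProfile\EnableFirewall", data="0"),
    Event("registry", "ws03", key=FIREWALL_POLICY_KEY + r"\FirewallRules\{11111111-2222-3333-4444-555555555555}",
          data="v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=Remote Desktop|"),
    Event("eventlog", "ws04", event_id=2004),
    Event("process", "ws05", cmdline="netsh advfirewall show allprofiles"),      # read-only, benign
    Event("registry", "ws05", key=r"HKLM\SOFTWARE\Vendor\App\Setting", data="1"),  # unrelated key
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.mechanism:10} {f.behavior:22} {f.evidence}")
```

The first-match ordering matters: the netsh "add rule" pattern is checked before the generic "set/delete rule" pattern so that an inbound allow rule is reported as the more specific behaviour, and quotes are stripped before matching because Magic Hound's logged command line wraps the binary name in quotes. In production the constructed `SAMPLE_EVENTS` would be replaced by events pulled from 4688/Sysmon, registry auditing and the firewall log, and the registry branch should be allow-listed for the Group Policy client to avoid alerting on every policy refresh.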
What mitigations exist for T1686.003?
There are 4 documented mitigations for T1686.003. Key mitigations include: Restrict File and Directory Permissions, Restrict Registry Permissions, User Account Management, Audit.
Which threat groups use T1686.003?
Known threat groups using T1686.003 include: MirrorFace, OilRig, Moses Staff, VOID MANTICORE, Magic Hound, Lazarus Group.