Description
Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol such as RDP on a non-traditional and potentially less scrutinized port).(Citation: change_rdp_port_conti)
Adversaries may disable or modify firewalls using different behaviors, depending on the platform. For example, in ESXi, firewall rules may be modified directly via the esxcli (e.g., via esxcli network firewall set) or via the vCenter user interface.(Citation: Broadcom ESXi Firewall)(Citation: Trellix RansomHouse 2024)
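As an added detection example (not part of the ATT&CK entry), the following scans process-creation events for the command lines named above: `netsh advfirewall` profile changes and rule additions on Windows, `esxcli network firewall` on ESXi, and `iptables` flushes or policy changes on Linux. The event line format (`<timestamp> host=<h> user=<u> cmd="<command line>"`) and the sample events are constructed for this example.

```python
"""Flag process-creation events that disable or modify a host firewall (T1686)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical event format assumed here: '<timestamp> host=<h> user=<u> cmd="<command line>"'.
EVENT_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

# One pattern per tampering behaviour named in the technique description.
PATTERNS = [
    ("netsh_profile_off", re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("netsh_add_rule",    re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)),
    ("esxcli_fw_off",     re.compile(r"esxcli\s+network\s+firewall\s+set\b.*--enabled\s+false", re.I)),
    ("esxcli_ruleset",    re.compile(r"esxcli\s+network\s+firewall\s+ruleset\s+set\b", re.I)),
    ("iptables_flush",    re.compile(r"iptables\s+(?:-F|--flush)(?:\s|$)", re.I)),
    ("iptables_policy",   re.compile(r"iptables\s+-P\s+\w+\s+ACCEPT", re.I)),
]
# netsh add-rule hits are common from installers too; the opened port helps triage them.
PORT_RE = re.compile(r"localport=(\d+)", re.I)

@dataclass
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    port: Optional[int]  # port opened by a netsh add-rule command, if any
    cmd: str

def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per event whose command line matches a tampering pattern."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an event in the assumed format; skip rather than guess
        cmd = m.group("cmd")
        for name, pat in PATTERNS:
            if pat.search(cmd):
                port = PORT_RE.search(cmd)
                findings.append(Finding(m.group("ts"), m.group("host"), m.group("user"),
                                        name, int(port.group(1)) if port else None, cmd))
                break  # one finding per event; the rule name records which pattern hit
    return findings

# Constructed sample events (not real telemetry); the last two are benign and must not match.
SAMPLE_EVENTS = [
    '2024-05-01T10:00:01Z host=WS01 user=CORP\\alice cmd="netsh advfirewall set allprofiles state off"',
    '2024-05-01T10:00:02Z host=WS02 user=CORP\\svc cmd="netsh advfirewall firewall add rule name=SG dir=in action=allow protocol=TCP localport=59999"',
    '2024-05-01T10:00:03Z host=ESX01 user=root cmd="esxcli network firewall set --enabled false"',
    '2024-05-01T10:00:04Z host=LNX01 user=root cmd="iptables -F"',
    '2024-05-01T10:00:05Z host=WS01 user=CORP\\alice cmd="netsh interface show interface"',
    '2024-05-01T10:00:06Z host=LNX01 user=root cmd="iptables -L -n"',
]
```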
Sub-Techniques (3)
Mitigations (4)
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
Threat Groups (13)
| ID | Group | Context |
|---|---|---|
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has disabled `iptables`.(Citation: Aqua TeamTNT August 2020) |
| G1022 | ToddyCat | Prior to executing a backdoor [ToddyCat](https://attack.mitre.org/groups/G1022) has run `cmd /c start /b netsh advfirewall firewall add rule name="SG... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) modified firewall rules on victim machines to enable remote system discovery.(Citation: Picus Black... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) modified system firewall settings during [PlugX](https://attack.mitre.org/software/S0013) installa... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has utilized [PsExec](https://attack.mitre.org/software/S0029) to execute batch scripts that mod... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.(Citation... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has added a firewall rule to allow TCP port 59999 inbound and a rule to allow sshd.exe on TCP port 9898.... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has disabled host-based firewalls. The group has also globally opened port 3389.(Citation: US-CERT ... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has been observed disabling the system firewall.(Citation: Securelist Kimsuky Sept 2013) |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) used scripts which killed processes and added firewall rules to block traffic related to other cryptomi... |
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has made changes to the Access Control List (ACL) and loopback interface address on compromised ... |
| G0008 | Carbanak | [Carbanak](https://attack.mitre.org/groups/G0008) may use [netsh](https://attack.mitre.org/software/S0108) to add local firewall rule exceptions.(Cita... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used the TABLEFLIP traffic redirection utility and the esxcli command line to modify firewall ru... |
Associated Software (15)
| ID | Name | Type | Context |
|---|---|---|---|
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) has a command to disable routing and the Firewall on the victim’s machine.(Citation: ESET Invisi... |
| S1223 | THINCRUST | Malware | [THINCRUST](https://attack.mitre.org/software/S1223) can use the Django python module "django.views.decorators.csrf" along with the decorator "csrf_ex... |
| S0108 | netsh | Tool | [netsh](https://attack.mitre.org/software/S0108) can be used to disable local firewall settings.(Citation: TechNet Netsh)(Citation: TechNet Netsh Fire... |
| S0376 | HOPLIGHT | Malware | [HOPLIGHT](https://attack.mitre.org/software/S0376) has modified the firewall using [netsh](https://attack.mitre.org/software/S0108).(Citation: US-CER... |
| S0492 | CookieMiner | Malware | [CookieMiner](https://attack.mitre.org/software/S0492) has checked for the presence of "Little Snitch", macOS network monitoring and application firew... |
| S1032 | PyDCrypt | Malware | [PyDCrypt](https://attack.mitre.org/software/S1032) has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using `netsh.exe` ... |
| S0088 | Kasidet | Malware | [Kasidet](https://attack.mitre.org/software/S0088) has the ability to change firewall settings to allow a plug-in to be downloaded.(Citation: Zscaler ... |
| S1211 | Hannotog | Malware | [Hannotog](https://attack.mitre.org/software/S1211) can modify local firewall settings via `netsh` commands to open a listening UDP port.(Citation: Sy... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has modified local firewall rules on victim machines to enable a random, high-number listening port f... |
| S0336 | NanoCore | Malware | [NanoCore](https://attack.mitre.org/software/S0336) can modify the victim's firewall.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCo... |
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) can disable the firewall by modifying the registry key <code>HKLM\SYSTEM\CurrentControlSet\Services... |
| S1161 | BPFDoor | Malware | [BPFDoor](https://attack.mitre.org/software/S1161) starts a shell on a high TCP port starting at 42391 up to 43391, then changes the local `iptables` ... |
| S0031 | BACKSPACE | Malware | The "ZR" variant of [BACKSPACE](https://attack.mitre.org/software/S0031) will check to see if known host-based firewalls are installed on the infected... |
| S1178 | ShrinkLocker | Malware | [ShrinkLocker](https://attack.mitre.org/software/S1178) turns on the system firewall and deletes all of its rules during execution.(Citation: Kaspersk... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.(Citation: ESET... |
References
- Broadcom. (2025, March 24). Add Allowed IP Addresses for an ESXi Host by Using the VMware Host Client. Retrieved March 26, 2025.
- Pham Duy Phuc, Max Kersten, Noël Keijzer, and Michaël Schrijver. (2024, February 14). RansomHouse am See. Retrieved March 26, 2025.
- The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved September 12, 2024.
Frequently Asked Questions
What is T1686 (Disable or Modify System Firewall)?
T1686 is a MITRE ATT&CK technique named 'Disable or Modify System Firewall'. It belongs to the Defense Impairment tactic(s). Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with f...
How can T1686 be detected?
Detection of T1686 (Disable or Modify System Firewall) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1686?
There are 4 documented mitigations for T1686. Key mitigations include: Audit, Restrict Registry Permissions, Restrict File and Directory Permissions, User Account Management.
Which threat groups use T1686?
Known threat groups using T1686 include: TeamTNT, ToddyCat, BlackByte, Velvet Ant, Medusa Group, APT38, FIN7, Dragonfly.