EXPLORE
Sign In
← Back to Explore
T1686

Disable or Modify System Firewall

Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., addi...

ESXiLinuxmacOSNetwork DevicesWindows
19
Detections
2
Sources
13
Threat Actors

BY SOURCE

12splunk_escu7sigma

PROCEDURES (13)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Anomal2 detections

Auto-extracted: 2 detections for anomal

Bypass2 detections

Auto-extracted: 2 detections for bypass

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Privilege1 detections

Auto-extracted: 1 detections for privilege

Privilege1 detections

Auto-extracted: 1 detections for privilege

Persist1 detections

Auto-extracted: 1 detections for persist

Event Log1 detections

Auto-extracted: 1 detections for event log

THREAT ACTORS (13)

APT38BlackByteCarbanakDragonflyFIN7KimsukyMedusa GroupRockeSalt TyphoonTeamTNTToddyCatUNC3886Velvet Ant

DETECTIONS (19)

Bpfdoor TCP Ports Redirect
sigmamedium
Disable System Firewall
sigmahigh
Disabling Security Tools
sigmamedium
Disabling Security Tools - Builtin
sigmamedium
ESXi Firewall Disabled
splunk_escu
Firewall Allowed Program Enable
splunk_escu
Flush Iptables Ufw Chain
sigmamedium
Linux Auditd Disable Or Modify System Firewall
splunk_escu
Linux Iptables Firewall Modification
splunk_escu
Linux Stdout Redirection To Dev Null File
splunk_escu
Microsoft Intune DeviceManagementConfigurationPolicies
splunk_escu
Modify System Firewall
sigmamedium
Processes launching netsh
splunk_escu
Ufw Force Stop Using Ufw-Init
sigmamedium
Windows Delete or Modify System Firewall
splunk_escu
Windows Firewall Rule Added
splunk_escu
Windows Firewall Rule Deletion
splunk_escu
Windows Firewall Rule Modification
splunk_escu
Windows Modify System Firewall with Notable Process Path
splunk_escu