Impair Defenses: Disable or Modify System Firewall

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. Non-Standard Port).[1]

Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.[2] Settings related to enabling abuse of various Remote Services may also indirectly modify firewall rules.

In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via esxcli network firewall set) or via the vCenter user interface.[3][4]

ID: T1562.004
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Version: 1.3
Created: 21 February 2020
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
C0051 APT28 Nearest Neighbor Campaign

During APT28 Nearest Neighbor Campaign, APT28 added rules to a victim's Windows firewall to set up a series of port-forwards allowing traffic to target systems.[5]

G0082 APT38

APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[6]

S0031 BACKSPACE

The "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.[7]

S0245 BADCALL

BADCALL disables the Windows firewall before binding to a port.[8]

G1043 BlackByte

BlackByte modified firewall rules on victim machines to enable remote system discovery.[9][10]

S1181 BlackByte 2.0 Ransomware

BlackByte 2.0 Ransomware modifies the Windows firewall during execution.[11]

S1161 BPFDoor

BPFDoor starts a shell on a high TCP port starting at 42391 up to 43391, then changes the local iptables rules to redirect all packets from the attacker to the shell port.[12]

G0008 Carbanak

Carbanak may use netsh to add local firewall rule exceptions.[13]

S0492 CookieMiner

CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found.[14]

S0687 Cyclops Blink

Cyclops Blink can modify the Linux iptables firewall to enable C2 communication on network devices via a stored list of port numbers.[15][16]

S0334 DarkComet

DarkComet can disable Security Center functions like the Windows Firewall.[17][18]

G0035 Dragonfly

Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389.[19]

S0531 Grandoreiro

Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level.[20]

S0132 H1N1

H1N1 kills and disables services for Windows Firewall.[21]

S1211 Hannotog

Hannotog can modify local firewall settings via netsh commands to open a listening UDP port.[22]

S0246 HARDRAIN

HARDRAIN opens the Windows Firewall to modify incoming connections.[23]

S0376 HOPLIGHT

HOPLIGHT has modified the firewall using netsh.[24]

S0260 InvisiMole

InvisiMole has a command to disable routing and the Firewall on the victim’s machine.[25]

S0088 Kasidet

Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded.[26]

G0094 Kimsuky

Kimsuky has been observed disabling the system firewall.[27]

G0032 Lazarus Group

Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. [28][29][30]

C0049 Leviathan Australian Intrusions

Leviathan modified system firewalls to add two open listening ports on 9998 and 9999 during Leviathan Australian Intrusions.[31]

G0059 Magic Hound

Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic - "netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389.[32][33]

G1009 Moses Staff

Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.[34]

S0336 NanoCore

NanoCore can modify the victim's firewall.[35][36]

S0108 netsh

netsh can be used to disable local firewall settings.[37][38]

S0385 njRAT

njRAT has modified the Windows firewall to allow itself to communicate through the firewall.[39][40]

G0049 OilRig

OilRig has modified Windows firewall rules to enable remote access.[41]

C0014 Operation Wocao

During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.[42]

S0013 PlugX

PlugX has modified local firewall rules on victim machines to enable a random, high-number listening port for subsequent access and C2 activity.[43]

S1032 PyDCrypt

PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using netsh.exe on remote machines.[34]

S0125 Remsec

Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.[44]

G0106 Rocke

Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.[45]

G1045 Salt Typhoon

Salt Typhoon has made changes to the Access Control List (ACL) and loopback interface address on compromised devices.[46]

S1178 ShrinkLocker

ShrinkLocker turns on the system firewall and deletes all of its rules during execution.[47][48]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.[49]

G0139 TeamTNT

TeamTNT has disabled iptables.[50]

G1022 ToddyCat

Prior to executing a backdoor ToddyCat has run cmd /c start /b netsh advfirewall firewall add rule name="SGAccessInboundRule" dir=in protocol=udp action=allow localport=49683 to allow the targeted system to receive UDP packets on port 49683.[51]

S0263 TYPEFRAME

TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.[52]

G1047 Velvet Ant

Velvet Ant modified system firewall settings during PlugX installation using netsh.exe to open a listening, random high number port on victim devices.[43]

S0412 ZxShell

ZxShell can disable the firewall by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.[53]

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.

M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.

M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings.

M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments associated with disabling or the modification of system firewalls such as netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes,ufw disable, and ufw logging off. On ESXi hosts, monitor for commands such as esxcli network firewall set –enabled=false or esxcli network firewall ruleset set --ruleset-id=<rulename> --enabled=true.[3]

DS0018 Firewall Firewall Disable

Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).

Firewall Rule Modification

Monitor for changes made to firewall rules that might allow remote communication over protocols such as SMD and RDP. Modification of firewall rules might also consider opening local ports and services for different network profiles such as public and domain.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows Registry keys and/or values that adversaries might use to disable or modify System Firewall settings such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.

References

  1. The DFIR Report. (2022, March 1). "Change RDP port" #ContiLeaks. Retrieved September 12, 2024.
  2. Carvey, H. (2024, February 28). BlackCat Ransomware Affiliate TTPs. Retrieved March 27, 2024.
  3. Pham Duy Phuc, Max Kersten, Noël Keijzer, and Michaël Schrijver. (2024, February 14). RansomHouse am See. Retrieved March 26, 2025.
  4. Broadcom. (2025, March 24). Add Allowed IP Addresses for an ESXi Host by Using the VMware Host Client. Retrieved March 26, 2025.
  5. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  6. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  7. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  8. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  9. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
  10. Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.
  11. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  12. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
  13. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
  14. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  15. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  16. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
  17. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  18. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  19. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  20. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  21. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved November 17, 2024.
  22. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
  23. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  24. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  25. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  26. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  27. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  1. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024.
  3. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  4. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  5. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  6. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  7. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  8. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  9. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  10. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  11. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  12. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  13. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  14. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  15. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  16. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
  17. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  18. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  19. Cisco Talos. (2025, February 20). Weathering the storm: In the midst of a Typhoon. Retrieved February 24, 2025.
  20. Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
  21. Splunk Threat Research Team , Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024.
  22. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  23. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  24. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  25. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  26. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.