Disable or Modify System Firewall: Network Device Firewall

Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.

Adversaries may obtain access to devices such as routers, switches, or other perimeter/network devices and change access control lists (ACLs), security zones, or policy rules to permit otherwise blocked traffic. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Allowing access to internal network subnets may enable unrestricted inbound/outbound connectivity or open paths for command and control and lateral movement.

Adversaries may obtain access to network device management interfaces via Valid Accounts or by exploiting vulnerabilities. In some cases, threat actors may target firewalls and other network infrastructure that are exposed to the internet by leveraging weaknesses in public-facing applications (Exploit Public-Facing Application).[1]

Adversaries may also modify host networking configurations that indirectly manipulate system firewalls, such as adjusting interface bandwidth or network connection request thresholds.

ID: T1686.002
Sub-technique of: T1686
Platforms: Network Devices
Contributors: Marco Pedrinazzi, @pedrinazziM, InTheCyber; Tommaso Tosi, @tosto92, InTheCyber
Version: 1.0
Created: 14 April 2026
Last Modified: 22 April 2026

Procedure Examples

ID | Name | Description
C0063 | 2025 Poland Wiper Attacks | During the 2025 Poland Wiper Attacks, the adversaries modified security settings within the victim's FortiGate device using the native CLI. They also disabled network traffic logging.[2]
G0082 | APT38 | APT38 has created firewall exemptions for specific ports, including ports 443, 6443, 8443, and 9443.[3]
S0687 | Cyclops Blink | Cyclops Blink can modify the Linux iptables firewall to enable C2 communication on network devices via a stored list of port numbers.[4][5]
S0531 | Grandoreiro | Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.[6]

Mitigations

ID | Mitigation | Description
M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.
M1051 | Update Software | Ensure the network firewall is up to date with security patches.
M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.

Detection Strategy

ID | Name | Analytic ID | Analytic Description
DET0306 | Detection of Unauthorized Network Firewall Rule Modification | AN0855 | Defender observes configuration changes on a firewall or network appliance involving rule creation, modification, or deletion from abnormal management IPs or non-console channels (e.g., remote CLI, API). These are often correlated with a spike in previously blocked outbound traffic, unexpected allow-all rules, or bulk rule deletions. The behavior often follows an unauthorized login, privilege escalation, or API abuse.
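The analytic above, as an added example that is not part of the ATT&CK page: it runs the AN0855 conditions (rule changes from abnormal management IPs or non-console channels, allow-all rules, bursts of rule deletions) over constructed key=value audit lines in a generic syslog-like layout, not any vendor's real format. The trusted management hosts, channel names, and thresholds are assumptions a defender would tune for their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a generic key=value syslog style
# (not any specific vendor's format); timestamps are UTC.
SAMPLE_AUDIT = """\
2026-04-14T08:01:10Z src=10.0.5.20 channel=console user=netadmin action=rule_modify rule=allow-dns act=allow
2026-04-14T22:13:02Z src=203.0.113.45 channel=api user=svc_backup action=rule_create rule=tmp-allow src_net=any dst_net=any svc=any act=allow
2026-04-14T22:13:05Z src=203.0.113.45 channel=api user=svc_backup action=rule_delete rule=block-smb
2026-04-14T22:13:06Z src=203.0.113.45 channel=api user=svc_backup action=rule_delete rule=block-rdp
2026-04-14T22:13:07Z src=203.0.113.45 channel=api user=svc_backup action=rule_delete rule=block-telnet
2026-04-14T22:14:00Z src=10.0.5.20 channel=ssh user=netadmin action=login result=ok
"""

# Assumed environment facts: the hosts and channels rule changes normally come from.
TRUSTED_MGMT_IPS = {"10.0.5.20", "10.0.5.21"}
TRUSTED_CHANNELS = {"console"}
RULE_ACTIONS = {"rule_create", "rule_modify", "rule_delete"}
BULK_DELETE_THRESHOLD, BULK_DELETE_WINDOW = 3, timedelta(minutes=5)

def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def analyze(text):
    """Return (finding, source_ip, detail) tuples for rule-change events."""
    findings, deletes = [], defaultdict(list)   # deletes: src -> timestamps
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("action") not in RULE_ACTIONS:
            continue                              # logins etc. are context only
        src, rule = ev.get("src"), ev.get("rule", "?")
        if src not in TRUSTED_MGMT_IPS:
            findings.append(("abnormal_management_ip", src, rule))
        if ev.get("channel") not in TRUSTED_CHANNELS:
            findings.append(("non_console_channel", src, rule))
        # An allow rule matching any source, destination and service is an allow-all.
        if ev["action"] != "rule_delete" and ev.get("act") == "allow" and \
                all(ev.get(k) == "any" for k in ("src_net", "dst_net", "svc")):
            findings.append(("allow_all_rule", src, rule))
        if ev["action"] == "rule_delete":
            deletes[src].append(ev["ts"])
            recent = [t for t in deletes[src] if ev["ts"] - t <= BULK_DELETE_WINDOW]
            if len(recent) == BULK_DELETE_THRESHOLD:  # fire once as the burst crosses the threshold
                findings.append(("bulk_rule_deletion", src, f"{len(recent)} deletions"))
    return findings
```

The console change from a trusted host produces nothing, while the API session from the untrusted address yields findings for every rule change plus one allow-all and one bulk-deletion alert.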

References