1. Home
  2. Techniques
  3. Enterprise
  4. Disable or Modify System Firewall
  5. Windows Host Firewall

Disable or Modify System Firewall: Windows Host Firewall

ID Name
T1686.001 Cloud Firewall
T1686.002 Network Device Firewall
T1686.003 Windows Host Firewall

Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (domain, private, public), or adding, deleting, and modifying firewall rules to allow or restrict traffic.[1]

Adversaries may perform these modifications through multiple mechanisms depending on the Windows operating system and access level. For example, adversaries may use command-line utilities (e.g., netsh advfirewall or PowerShell cmdlets like Set-NetFirewallProfile, New-NetFirewallRule), Windows Registry modifications (e.g., altering firewall states and rule configurations via registry keys), or the Windows Control Panel to modify firewall settings through the Windows Security interface.

By disabling or modifying Windows firewall services, adversaries may enable access to remote services, open ports for command and control traffic, or configure rules for further actions.

ID: T1686.003
Sub-technique of:  T1686
Tactic: Defense Impairment
Platforms: Windows
Version: 1.0
Created: 14 April 2026
Last Modified: 22 April 2026
Version Permalink

Procedure Examples

ID Name Description
C0051 APT28 Nearest Neighbor Campaign

During APT28 Nearest Neighbor Campaign, APT28 added rules to a victim's Windows firewall to set up a series of port-forwards allowing traffic to target systems.[1]
S0245 BADCALL

BADCALL disables the Windows firewall before binding to a port.[2]
S1181 BlackByte 2.0 Ransomware

BlackByte 2.0 Ransomware modifies the Windows firewall during execution.[3]
S0334 DarkComet

DarkComet can disable Security Center functions like the Windows Firewall.[4][5]
S0132 H1N1

H1N1 kills and disables services for Windows Firewall.[6]
S0246 HARDRAIN

HARDRAIN opens the Windows Firewall to modify incoming connections.[7]
S9023 HiddenFace

HiddenFace can reconfigure Windows firewalls to enable communication by adding a rule named "Cortana" to allow inbound connection to TCP/47000.[8][9]
G0032 Lazarus Group

Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. [10][11][12]
G0059 Magic Hound

Magic Hound has added the following rule to a victim's Windows firewall to allow RDP traffic - "netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389.[13][14]
G1054 MirrorFace

MirrorFace can modify the system firewall to allow communication to certain ports.[15]
G1009 Moses Staff

Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.[16]
S0385 njRAT

njRAT has modified the Windows firewall to allow itself to communicate through the firewall.[17][18]
G0049 OilRig

OilRig has modified Windows firewall rules to enable remote access.[19]
C0014 Operation Wocao

During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.[20]
S0125 Remsec

Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.[21]
S0263 TYPEFRAME

TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.[22]
G1055 VOID MANTICORE

VOID MANTICORE has disabled Windows Defender protections to allow for follow-on activities within the compromised host.[23]

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.
M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.
M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings.
M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0901 Detect Windows Firewall AN2043

Detects processes or users modifying Windows Defender Firewall profiles, policies, or rules followed by measurable network exposure changes. Correlates firewall management execution, registry/policy mutation, service state changes, and subsequent inbound or outbound connectivity inconsistent with baseline administration.

References

  1. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  2. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  3. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  4. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  5. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  6. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved November 17, 2024.
  7. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  8. Breitenbacher, D. (2024). Unmasking HiddenFace. Retrieved April 17, 2026.
  9. Trend Micro. (2024, November 19). Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella. Retrieved April 17, 2026.
  10. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  11. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024.
  12. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  1. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  2. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  3. Tomonaga, S. (2024, July 16). MirrorFace Attack against Japanese Organisations. Retrieved April 17, 2026.
  4. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  5. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  6. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  7. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  8. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  9. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  10. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  11. Check Point Research. (2026, March 12). “Handala Hack” – Unveiling Group’s Modus Operandi. Retrieved April 20, 2026.