MITRE ATT&CK Technique
Defense Evasion T1562.004
Description

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done in numerous ways depending on the operating system, including via the command line, editing Windows Registry keys, and the Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less scrutinized port (see [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)

Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.

In ESXi, firewall rules may be modified directly via the esxcli command-line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall)
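The description names the mechanisms (command line, Windows Registry, Control Panel, esxcli) but the record's detection field is empty. The following Python script is an added example, not part of the ATT&CK page or the STIX record: it runs a small set of defensive detection patterns for those mechanisms over constructed process-creation log lines and reports which host, user and category each hit belongs to. The log line layout (`timestamp host=… user=… cmd="…"`) and every sample line are assumptions made for the example; the patterns cover the standard firewall management tools on Windows, Linux and ESXi, which goes slightly beyond the single esxcli command the page quotes.

```python
"""Flag process-creation events that disable or modify a host firewall (T1562.004).

Added example. The log format and sample lines below are constructed; the patterns
are keyed on the platforms' standard firewall management tools.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed, simplified event format: "<timestamp> host=<h> user=<u> cmd="<command line>"".
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

# Detection patterns grouped by the kind of change the technique description calls out.
# All are applied case-insensitively to the full command line.
RULES: Dict[str, List[re.Pattern]] = {
    cat: [re.compile(p, re.IGNORECASE) for p in pats]
    for cat, pats in {
        "firewall_disabled": [
            r"\bnetsh\b.*\badvfirewall\b.*\bstate\s+off\b",                # Windows netsh profile off
            r"\bSet-NetFirewallProfile\b.*-Enabled\s+(False|0)\b",          # Windows PowerShell profile off
            r"\besxcli\b.*\bnetwork\s+firewall\s+set\b.*--enabled[=\s]+false",  # ESXi firewall off
            r"\bsystemctl\b.*\b(stop|disable|mask)\b.*\b(firewalld|ufw|nftables|iptables)\b",
            r"\bufw\s+disable\b",
        ],
        "firewall_rule_modified": [
            r"\bnetsh\b.*\badvfirewall\b.*\bfirewall\b.*\b(add|set|delete)\s+rule\b",
            r"\b(New|Set|Remove)-NetFirewallRule\b",
            r"\besxcli\b.*\bnetwork\s+firewall\s+ruleset\b",               # ESXi per-service rulesets
            r"\biptables\b.*\s-(A|I|D|F|X|P)\b",                          # append/insert/delete/flush/policy
            r"\bufw\s+(allow|deny|delete)\b",
        ],
        "firewall_registry_modified": [
            # Well-known Windows Firewall policy keys edited outside the normal tools.
            r"\breg(\.exe)?\s+add\b.*\\(FirewallPolicy|WindowsFirewall)\\",
            r"\bSet-ItemProperty\b.*\\(FirewallPolicy|WindowsFirewall)\\",
        ],
    }.items()
}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    category: str
    cmd: str


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields; return None for lines not in the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd: str) -> List[str]:
    """Return every category whose patterns match the command line (empty if benign)."""
    return [cat for cat, pats in RULES.items() if any(p.search(cmd) for p in pats)]


def scan(lines: List[str]) -> List[Finding]:
    """Run the detection over a batch of log lines, skipping malformed ones."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for cat in classify(ev["cmd"]):
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], cat, ev["cmd"]))
    return findings


def hosts_by_category(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group affected hosts per category so a responder sees scope at a glance."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        hosts = out.setdefault(f.category, [])
        if f.host not in hosts:
            hosts.append(f.host)
    return out


# Constructed sample events; hosts, users and timestamps are fictional.
SAMPLE_LOG = [
    r'2024-05-01T10:22:13Z host=ws01 user=CORP\jdoe cmd="netsh advfirewall set allprofiles state off"',
    r'2024-05-01T10:22:40Z host=ws01 user=CORP\jdoe cmd="netsh advfirewall firewall add rule name=rdp-in dir=in action=allow protocol=TCP localport=3389"',
    r'2024-05-01T10:23:05Z host=ws01 user=CORP\jdoe cmd="reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall /t REG_DWORD /d 0 /f"',
    r'2024-05-01T11:01:00Z host=esx02 user=root cmd="esxcli network firewall set --enabled false"',
    r'2024-05-01T11:05:30Z host=esx02 user=root cmd="esxcli network firewall ruleset set --ruleset-id sshServer --enabled true"',
    r'2024-05-01T11:10:00Z host=lnx03 user=ops cmd="systemctl stop firewalld"',
    r'2024-05-01T11:12:00Z host=ws07 user=CORP\svc cmd="netsh interface show interface"',
    r'2024-05-01T11:15:00Z host=ws07 user=CORP\svc cmd="powershell.exe -c Set-NetFirewallProfile -All -Enabled False"',
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} [{f.category}] {f.cmd}")
    print(hosts_by_category(scan(SAMPLE_LOG)))
```

Command-line matching like this is a starting point rather than a complete detection: it misses changes made through the Control Panel or Group Policy, which surface instead in Windows Firewall event logs and registry auditing, and it should be paired with an allow-list for the change-management accounts that legitimately edit firewall state.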

Supported Platforms
ESXi, Linux, macOS, Network Devices, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-02-21T21:00:48.814Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may disable or modify system firewalls in order '
                'to bypass controls limiting network usage. Changes could be '
                'disabling the entire mechanism as well as adding, deleting, '
                'or modifying particular rules. This can be done numerous ways '
                'depending on the operating system, including via '
                'command-line, editing Windows Registry keys, and Windows '
                'Control Panel.\n'
                '\n'
                'Modifying or disabling a system firewall may enable adversary '
                'C2 communications, lateral movement, and/or data exfiltration '
                'that would otherwise not be allowed. For example, adversaries '
                'may add a new firewall rule for a well-known protocol (such '
                'as RDP) using a non-traditional and potentially less '
                'securitized port (i.e. [Non-Standard '
                'Port](https://attack.mitre.org/techniques/T1571)).(Citation: '
                'change_rdp_port_conti)\n'
                '\n'
                'Adversaries may also modify host networking settings that '
                'indirectly manipulate system firewalls, such as interface '
                'bandwidth or network connection request thresholds.(Citation: '
                'Huntress BlackCat) Settings related to enabling abuse of '
                'various [Remote '
                'Services](https://attack.mitre.org/techniques/T1021) may also '
                'indirectly modify firewall rules.\n'
                '\n'
                'In ESXi, firewall rules may be modified directly via the '
                'esxcli command line interface (e.g., via `esxcli network '
                'firewall set`) or via the vCenter user interface.(Citation: '
                'Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall)',
 'external_references': [{'external_id': 'T1562.004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1562/004'},
                         {'description': 'Broadcom. (2025, March 24). Add '
                                         'Allowed IP Addresses for an ESXi '
                                         'Host by Using the VMware Host '
                                         'Client. Retrieved March 26, 2025.',
                          'source_name': 'Broadcom ESXi Firewall',
                          'url': 'https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/add-allowed-ip-addresses-for-an-esxi-host-by-using-the-vmware-host-client.html'},
                         {'description': 'Carvey, H. (2024, February 28). '
                                         'BlackCat Ransomware Affiliate TTPs. '
                                         'Retrieved March 27, 2024.',
                          'source_name': 'Huntress BlackCat',
                          'url': 'https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps'},
                         {'description': 'Pham Duy Phuc, Max Kersten, Noël '
                                         'Keijzer, and Michaël Schrijver. '
                                         '(2024, February 14). RansomHouse am '
                                         'See. Retrieved March 26, 2025.',
                          'source_name': 'Trellix Rnasomhouse 2024',
                          'url': 'https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/'},
                         {'description': 'The DFIR Report. (2022, March 1). '
                                         '"Change RDP port" #ContiLeaks. '
                                         'Retrieved September 12, 2024.',
                          'source_name': 'change_rdp_port_conti',
                          'url': 'https://x.com/TheDFIRReport/status/1498657772254240768'}],
 'id': 'attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:47.755Z',
 'name': 'Disable or Modify System Firewall',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['ESXi', 'Linux', 'macOS', 'Network Devices', 'Windows'],
 'x_mitre_version': '1.3'}
Related Threat Actors (18)
threeam (Medium)
Medusa Group (High)
FIN7 (High)
UNC3886 (High)
Dragonfly (High)