MITRE ATT&CK Technique
Description
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)

Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. It may also be used to open up resources for [Brute Force](https://attack.mitre.org/techniques/T1110) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).
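
A defender-side check for the ingress-rule change described above, added here as an example (it is not part of the ATT&CK entry): it scans CloudTrail-style records for applied `AuthorizeSecurityGroupIngress` calls that open a security group to `0.0.0.0/0` or `::/0`. The records, ARNs and group IDs are constructed, and the field layout is assumed to follow AWS CloudTrail's EC2 record shape in simplified form.

```python
import ipaddress


def sample_event(user, group, proto, cidr, port=None, error=None):
    """Build one constructed AuthorizeSecurityGroupIngress record (not real log data)."""
    key, field = ("ipv6Ranges", "cidrIpv6") if ":" in cidr else ("ipRanges", "cidrIp")
    perm = {"ipProtocol": proto, key: {"items": [{field: cidr}]}}
    if port is not None:
        perm.update(fromPort=port, toPort=port)
    ev = {"eventName": "AuthorizeSecurityGroupIngress",
          "userIdentity": {"arn": user},
          "requestParameters": {"groupId": group, "ipPermissions": {"items": [perm]}}}
    if error:
        ev["errorCode"] = error
    return ev


ACCT = "arn:aws:iam::111122223333:user/"  # constructed account and user names
SAMPLE_EVENTS = [
    sample_event(ACCT + "ci-deploy", "sg-0aaa1111", "tcp", "0.0.0.0/0", 22),
    sample_event(ACCT + "netops", "sg-0bbb2222", "tcp", "203.0.113.0/24", 443),
    sample_event(ACCT + "ci-deploy", "sg-0ccc3333", "-1", "::/0"),  # "-1" = all protocols
    sample_event(ACCT + "intern", "sg-0ddd4444", "-1", "0.0.0.0/0",
                 error="Client.UnauthorizedOperation"),
]


def is_world_open(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # missing or malformed range


def find_open_ingress(events):
    """Return one finding per applied ingress rule that is open to any source address."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress" or ev.get("errorCode"):
            continue  # other API calls, or a request that was rejected
        params = ev.get("requestParameters") or {}
        for perm in params.get("ipPermissions", {}).get("items", []):
            ranges = (perm.get("ipRanges", {}).get("items", [])
                      + perm.get("ipv6Ranges", {}).get("items", []))
            for r in ranges:
                cidr = r.get("cidrIp") or r.get("cidrIpv6", "")
                if is_world_open(cidr):
                    findings.append({"group": params.get("groupId"),
                                     "actor": ev.get("userIdentity", {}).get("arn"),
                                     "cidr": cidr, "protocol": perm.get("ipProtocol"),
                                     "port": perm.get("fromPort")})
    return findings
```

Rejected requests are skipped here so that findings reflect rules that actually took effect; a separate alert on repeated `errorCode` results for the same principal is a reasonable companion signal.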
Supported Platforms
IaaS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-06-24T16:55:46.243Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may disable or modify a firewall within a cloud '
'environment to bypass controls that limit access to cloud '
'resources. Cloud firewalls are separate from system firewalls '
'that are described in [Disable or Modify System '
'Firewall](https://attack.mitre.org/techniques/T1562/004). \n'
'\n'
'Cloud environments typically utilize restrictive security '
'groups and firewall rules that only allow network activity '
'from trusted IP addresses via expected ports and protocols. '
'An adversary with appropriate permissions may introduce new '
'firewall rules or policies to allow access into a victim '
'cloud environment and/or move laterally from the cloud '
'control plane to the data plane. For example, an adversary '
'may use a script or utility that creates new ingress rules in '
'existing security groups (or creates new security groups '
'entirely) to allow any TCP/IP connectivity to a cloud-hosted '
'instance.(Citation: Palo Alto Unit 42 Compromised Cloud '
'Compute Credentials 2022) They may also remove networking '
'limitations to support traffic associated with malicious '
'activity (such as cryptomining).(Citation: Expel IO Evil in '
'AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute '
'Credentials 2022)\n'
'\n'
'Modifying or disabling a cloud firewall may enable adversary '
'C2 communications, lateral movement, and/or data exfiltration '
'that would otherwise not be allowed. It may also be used to '
'open up resources for [Brute '
'Force](https://attack.mitre.org/techniques/T1110) or '
'[Endpoint Denial of '
'Service](https://attack.mitre.org/techniques/T1499). ',
'external_references': [{'external_id': 'T1562.007',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1562/007'},
{'description': 'A. Randazzo, B. Manahan and S. '
'Lipton. (2020, April 28). Finding '
'Evil in AWS. Retrieved June 25, '
'2020.',
'source_name': 'Expel IO Evil in AWS',
'url': 'https://expel.io/blog/finding-evil-in-aws/'},
{'description': 'Dror Alon. (2022, December 8). '
'Compromised Cloud Compute '
'Credentials: Case Studies From the '
'Wild. Retrieved March 9, 2023.',
'source_name': 'Palo Alto Unit 42 Compromised Cloud '
'Compute Credentials 2022',
'url': 'https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/'}],
'id': 'attack-pattern--77532a55-c283-4cd2-bc5d-2d0b65e9d88c',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:58.515Z',
'name': 'Disable or Modify Cloud Firewall',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Expel', 'Arun Seelagan, CISA'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS'],
'x_mitre_version': '1.3'}