Disable or Modify Network Device Firewall - T1562.013 (a0f84e1d-d25c-4dd1-bb26-3c0e68471530)
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.
Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions.(Citation: Exposed Fortinet Fortigate firewall interface leads to LockBit Ransomware)
Adversaries may gain access to the firewall management console via Valid Accounts or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet Exploit Public-Facing Application.(Citation: CVE-2024-55591 Detail)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Network Device Firewall - T1562.013 (a0f84e1d-d25c-4dd1-bb26-3c0e68471530) | Attack Pattern | 1 |