T1562.013 Disable or Modify Network Device Firewall
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.
Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions.[1]
Adversaries may gain access to the firewall management console via Valid Accounts or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet (Exploit Public-Facing Application).[2]
| Item | Value |
|---|---|
| ID | T1562.013 |
| Sub-techniques | T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011, T1562.012, T1562.013 |
| Tactics | TA0005 |
| Platforms | Network Devices |
| Version | 1.0 |
| Created | 22 September 2025 |
| Last Modified | 22 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0082 | APT38 | APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[4] |
| S0531 | Grandoreiro | Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.[3] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. |
| M1051 | Update Software | Ensure the network firewall is up to date with security patches. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
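
One way to catch the rule additions, deletions and modifications described above is to diff a trusted baseline export of the rule set against the running one. This is an added example, not part of the original page; the rule record shape, the sample rules and the /8 "broad" threshold are constructed assumptions, not any vendor's format.

```python
import ipaddress

# Constructed rule exports (assumption: device configs normalized to this shape).
BASELINE = [
    {"id": 10, "action": "allow", "src": "10.1.0.0/24", "dst": "10.2.0.10/32", "port": "443", "enabled": True},
    {"id": 20, "action": "deny", "src": "0.0.0.0/0", "dst": "10.0.0.0/8", "port": "any", "enabled": True},
    {"id": 30, "action": "deny", "src": "10.9.0.0/16", "dst": "0.0.0.0/0", "port": "any", "enabled": True},
]
CURRENT = [
    {"id": 5, "action": "allow", "src": "0.0.0.0/0", "dst": "10.0.0.0/8", "port": "any", "enabled": True},
    {"id": 10, "action": "allow", "src": "10.1.0.0/24", "dst": "10.2.0.10/32", "port": "443", "enabled": True},
    {"id": 20, "action": "deny", "src": "0.0.0.0/0", "dst": "10.0.0.0/8", "port": "any", "enabled": False},
    {"id": 40, "action": "allow", "src": "10.1.0.0/24", "dst": "203.0.113.7/32", "port": "8443", "enabled": True},
]

def is_broad_allow(rule, max_prefix=8):
    """Enabled allow rule whose port is 'any' or whose src/dst is a /8 or wider."""
    if rule["action"] != "allow" or not rule["enabled"]:
        return False
    wide = any(ipaddress.ip_network(rule[k]).prefixlen <= max_prefix for k in ("src", "dst"))
    return wide or rule["port"] == "any"

def diff_rules(baseline, current):
    """Return sorted (rule_id, finding) pairs describing drift from the baseline."""
    old = {r["id"]: r for r in baseline}
    new = {r["id"]: r for r in current}
    findings = []
    for rid in old.keys() - new.keys():
        findings.append((rid, f"{old[rid]['action']} rule removed"))
    for rid in new.keys() - old.keys():
        kind = "broad allow rule added" if is_broad_allow(new[rid]) else "rule added"
        findings.append((rid, kind))
    for rid in old.keys() & new.keys():
        if old[rid]["enabled"] and not new[rid]["enabled"]:
            findings.append((rid, f"{old[rid]['action']} rule disabled"))
        elif old[rid] != new[rid]:
            findings.append((rid, "rule modified"))
    return sorted(findings)

if __name__ == "__main__":
    for rid, finding in diff_rules(BASELINE, CURRENT):
        print(f"rule {rid}: {finding}")
```

Each finding should be reconciled against an approved change record; a disabled or removed deny rule with no matching change is the case to escalate first.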
References
1. InTheCyber. (2025, March 24). Exposed Fortinet Fortigate firewall interface leads to LockBit Ransomware (CVE-2024-55591). Retrieved September 22, 2025.
2. NIST NVD. (2025, January 22). Retrieved September 22, 2025.
3. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
4. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021.