T1686.003

Windows Host Firewall

SUB-TECHNIQUE Defense Impairment

Description

Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (domain, private, public), or adding, deleting, and modifying firewall rules to allow or restrict traffic.(Citation: Nearest Neighbor Volexity)Adversaries may perform these modifications through multiple mechanisms depending on the Windows operating system and access level. For example, adversaries may use command-line utilities (e.g., `netsh advfirewall` or PowerShell cmdlets like `Set-NetFirewallProfile`, `New-NetFirewallRule`), Windows Registry modifications (e.g., altering firewall states and rule configurations via registry keys), or the Windows Control Panel to modify firewall settings through the Windows Security interface.By disabling or modifying Windows firewall services, adversaries may enable access to remote services, open ports for command and control traffic, or configure rules for further actions.

Platforms

Windows

Mitigations

M1022 — Restrict File and Directory Permissions
M1024 — Restrict Registry Permissions
M1018 — User Account Management
M1047 — Audit

Look up any technique

Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.

Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →