
Picus Security Analyzes MITRE ATT&CK Technique T1562.004

Picus Security has published an analysis of the MITRE ATT&CK® technique T1562.004, "Impair Defenses: Disable or Modify System Firewall." The technique allows adversaries to bypass security controls by manipulating firewall settings.

17 June 2026

Cybersecurity firm Picus Security has detailed the MITRE ATT&CK® technique T1562.004, "Impair Defenses: Disable or Modify System Firewall." This technique describes how network firewall configurations are manipulated to circumvent security monitoring and facilitate malicious activities.

Attackers disable or modify firewalls to bypass security measures, move laterally within a network, exfiltrate data, or establish persistent command-and-control (C2) channels without detection. Firewalls are critical security mechanisms designed to monitor and control network traffic and prevent unauthorized access.

Picus Security's analysis demonstrates how adversaries use commands such as iptables on Linux systems and the netsh utility on Windows to alter firewall rules or shut down the firewall service entirely. The report highlights examples such as the XMRig cryptominer and Phobos ransomware, which have used these methods.

In some instances, attackers add permissive rules to firewalls for specific IP addresses or domains they control. Others may attempt to disable logging or alerting features that would normally help detect malicious activity. The analysis underscores that even seemingly benign exceptions within firewall rules can be exploited to establish malicious connections.
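A defender-side illustration of how the behaviours above can be spotted in process-creation telemetry, added here as an example and not taken from the Picus report: the netsh and iptables command-line patterns are assumed forms of this technique (disabling profiles, disabling logging, flushing rules, opening default policies, adding allow rules), and the events are constructed, not real telemetry.

```python
import re

# Constructed sample process-creation events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", "alice", "netsh advfirewall show allprofiles"),
    ("ws01", "SYSTEM", "netsh advfirewall set allprofiles state off"),
    ("ws02", "bob", 'netsh advfirewall firewall add rule name="svc" dir=in action=allow remoteip=203.0.113.10'),
    ("ws02", "bob", "netsh advfirewall set allprofiles logging droppedconnections disable"),
    ("srv01", "root", "iptables -L -n"),
    ("srv01", "root", "iptables -F"),
    ("srv01", "root", "iptables -P INPUT ACCEPT"),
    ("srv02", "www", "iptables -I INPUT -s 198.51.100.7 -j ACCEPT"),
]

# (label, pattern) pairs describing assumed command-line shapes of T1562.004.
# A command receives every label whose pattern matches it.
RULES = [
    ("firewall_disabled", re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bset\b.*\bstate\s+off\b", re.I)),
    ("logging_disabled", re.compile(r"\bnetsh\b.*\badvfirewall\b.*\blogging\b.*\bdisable\b", re.I)),
    ("permissive_rule_added", re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b.*\baction=allow\b", re.I)),
    ("rules_flushed", re.compile(r"\biptables\b.*\s(-F|--flush)(\s|$)")),
    ("default_policy_accept", re.compile(r"\biptables\b.*\s(-P|--policy)\s+\S+\s+ACCEPT\b")),
    ("permissive_rule_added", re.compile(r"\biptables\b.*\s(-[IA]|--insert|--append)\s.*\s-j\s+ACCEPT\b")),
]


def classify(cmdline: str) -> list[str]:
    """Return the tamper labels matching one command line; empty list means no match (e.g. read-only listing)."""
    return [label for label, pat in RULES if pat.search(cmdline)]


def scan(events):
    """Return one finding per event whose command line matches at least one tamper pattern."""
    findings = []
    for host, user, cmd in events:
        labels = classify(cmd)
        if labels:
            findings.append({"host": host, "user": user, "labels": labels, "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['user']:7} {','.join(f['labels']):24} {f['cmdline']}")
```

Read-only commands such as `netsh advfirewall show` and `iptables -L` produce no finding, which keeps routine administration out of the alert stream; in production the labels would be enriched with user, parent process and change-ticket context before alerting.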

Original source: picussecurity.com