title: Disable or Modify System Firewall (T1562.004)
id: df00tech-t1562-004
status: experimental
description: "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done via command-line tools (netsh, iptables, ufw, pfctl), editing Windows Registry keys, or through the Windows Control Panel. On ESXi, firewall rules may be modified via esxcli. Adversaries may add new firewall rules for RDP on non-standard ports or open all traffic to enable C2, lateral movement, and data exfiltration."
references:
  - https://attack.mitre.org/techniques/T1562/004/
  - https://df00tech.com/detections/T1562.004
author: df00tech
date: 2026/04/20
tags:
  - attack.t1562.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Selection derived from the netsh usage named in the description; the original KQL/SPL
  # query on df00tech could not be auto-translated and may cover more (registry edits, esxcli).
  selection_img:
    Image|endswith: '\netsh.exe'
  selection_cmd:
    CommandLine|contains:
      - 'state off'        # netsh advfirewall set <profile> state off
      - 'set opmode'       # legacy netsh firewall set opmode [mode=]disable
      - 'firewall add rule'
      - 'firewall delete rule'
  condition: selection_img and selection_cmd
falsepositives:
  - System administrators legitimately configuring firewall rules for new application deployments
  - "Automated deployment tools (Ansible, Puppet, Chef) that manage firewall rules as part of infrastructure-as-code"
  - Network troubleshooting where the firewall is temporarily disabled and re-enabled within a change window
  - "Application installers that add firewall exceptions during setup (e.g., SQL Server, IIS)"
level: high
