title: Disable or Modify Cloud Firewall (T1562.007)
id: df00tech-t1562-007
status: experimental
description: "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, adversaries may create new ingress rules in existing security groups or create new security groups entirely to allow any TCP/IP connectivity."
references:
  - https://attack.mitre.org/techniques/T1562/007/
  - https://df00tech.com/detections/T1562.007
author: df00tech
date: 2026/04/20
tags:
  - attack.t1562.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Cloud infrastructure teams deploying new services with appropriate security group configurations
  - "Infrastructure-as-Code pipelines (Terraform, CloudFormation, ARM templates) that manage security groups during deployment"
  - Auto-scaling events that create temporary security groups for new instances
level: high
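Because the detection block above is only a placeholder, here is an added example (not part of the df00tech rule or its KQL/SPL query) that flags the ingress change the description names, run over constructed AWS CloudTrail-style events. The `AuthorizeSecurityGroupIngress` event name and the `requestParameters.ipPermissions` layout are assumed from the EC2 CloudTrail record format; the ARNs and security group IDs are constructed.

```python
import ipaddress

# Assumed CloudTrail eventName of the EC2 call that adds inbound rules.
INGRESS_EVENT = "AuthorizeSecurityGroupIngress"

def _cidrs(perm):
    """Yield every IPv4/IPv6 CIDR attached to one ipPermissions item."""
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for rng in perm.get(key, {}).get("items", []):
            if field in rng:
                yield rng[field]

def is_world_open(cidr):
    """True when the CIDR covers the entire address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_world_open_ingress(events):
    """Return (actor, groupId, cidr, fromPort, toPort) for each ingress rule
    that a successful API call opened to any source address."""
    hits = []
    for ev in events:
        # failed calls (errorCode set) changed nothing, so skip them
        if ev.get("eventName") != INGRESS_EVENT or ev.get("errorCode"):
            continue
        params = ev.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            for cidr in _cidrs(perm):
                if is_world_open(cidr):
                    hits.append((ev["userIdentity"]["arn"], params.get("groupId"),
                                 cidr, perm.get("fromPort"), perm.get("toPort")))
    return hits

# Constructed sample events (not real log data) in the CloudTrail record shape.
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"groupId": "sg-0aaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
     "requestParameters": {"groupId": "sg-0bbb", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"groupId": "sg-0ccc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
          "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
]
```

Only the first event is reported: the second is scoped to a private range, and the third was denied by IAM and so never changed the group. The false-positive sources listed in the rule (IaC pipelines, auto-scaling) would show up as the actor ARN, which is where an allow-list belongs.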
