T1686.001: Cloud Firewall

Cloud Firewall matters because a single permissioned change to cloud security groups or firewall rules can turn a restricted cloud workload into an exposed or more easily reachable target. For leaders, the issue is not only network control failure; it is whether identity permissions, change auditing, and SOC visibility are strong enough to distinguish approved access changes from adversary-enabled access.

Executive priority

Prioritize this as a cloud resilience and governance control issue for IaaS environments. Executives should ask who can change cloud firewall rules, how quickly unauthorized changes would be noticed, and whether audit evidence can show why a rule was created, changed, or removed. This technique is especially relevant to incident decision-making because firewall modification may enable access to cloud resources or lateral movement from the cloud control plane to the data plane.

Technical view

For SOC, detection engineering, cloud security, and IR teams, validate monitoring around creation, deletion, or modification of cloud firewall rules, security groups, and related policies. Focus on changes that broaden ingress access, remove expected restrictions, permit unexpected ports or protocols, or create new security groups inconsistent with normal administrative workflows. Because ATT&CK provides no official detection text for this object, use the related DET0424 detection strategy as a reference point, then prove coverage with local cloud audit logs, configuration state, and identity context. Relationship context also notes Pacu, an open-source AWS exploitation framework, uses this behavior, so detections should not depend on a single tool name or signature.

Likely telemetry

Cloud control-plane audit logs for firewall, security group, and network policy changes
Configuration history or cloud asset inventory showing before-and-after rule state
Identity and access management events for users, roles, sessions, and permission use tied to firewall changes
Network flow or connection metadata showing new access paths after rule changes
Change management records or approved deployment activity for false-positive reduction

Detection direction

Validate alerting for firewall or security group changes that allow broad ingress, unexpected TCP/IP connectivity, or removal of trusted IP, port, or protocol restrictions.
Correlate each network-control change with the actor identity, role/session context, source location where available, and approved change record.
Tune for expected infrastructure-as-code, deployment, and emergency access workflows to reduce false positives without suppressing high-risk exposure changes.
Look for sequences where permission use, security group creation or modification, and new network connectivity occur close together.
Do not rely only on workload-level telemetry; this behavior occurs in the cloud control plane and may not be visible from the instance alone.

Mitigation priorities

Enforce least privilege for accounts and roles that can modify cloud firewall rules, aligned to the related User Account Management mitigation M1018.
Regularly audit firewall rules, security groups, and network policies for overly broad access, unexpected changes, and stale exceptions, aligned to M1047 Audit.
Require accountable change processes for firewall modifications, including review of emergency or temporary rules.
Maintain configuration baselines so responders can quickly identify and roll back unauthorized or risky changes.
Ensure audit logging and retention are sufficient to support SOC triage, incident response, and compliance evidence for cloud network-control changes.

Analyst notes and limits

This object is a sub-technique in the defense-impairment tactic for IaaS. The supplied description emphasizes adversaries with appropriate permissions modifying cloud firewalls or security groups to bypass restrictions, allow access into cloud environments, enable lateral movement from control plane to data plane, or remove networking limits that constrain malicious activity. The relationship set provides two mitigations, one detection strategy, a revoked predecessor technique, and Pacu as related software using the behavior.

ATT&CK does not provide official detection text for this object, and the supplied fields do not specify cloud providers, exact event names, or guaranteed analytics. Local validation is required to determine whether audit logs, configuration history, IAM context, and network telemetry are collected and retained with enough fidelity.

Official MITRE ATT&CK definition

Cloud Firewall

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane.

For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 2 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1686	Disable or Modify System Firewall	This object subtechnique of Disable or Modify System Firewall.
Enterprise	T1562.007	Disable or Modify Cloud Firewall Sub-technique	Disable or Modify Cloud Firewall revoked by this object.

Associated objects

Groups, software, and campaigns

S1091: Pacu

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]

IaaS

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1047: Audit Enterprise subtechnique of · Technique T1686: Disable or Modify System Firewall Enterprise uses · Tool S1091: Pacu Enterprise mitigates · Mitigation M1018: User Account Management Enterprise detects · Detection Strategy DET0424: Detection Strategy for Disable or Modify Cloud Firewall Enterprise revoked by · Technique T1562.007: Disable or Modify Cloud Firewall Enterprise

Mitigations

Mitigation direction

M1047: Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Apr 14, 2026, 22:54 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: bfc8b5455899b873...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`bfc8b5455899…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022

Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.
Open source URL
[2]
Expel AWS

Anthony Randazzo, Britton Manahan, Sam Lipton. (2020, April 28). Managed Detection & Response for AWS. Retrieved April 15, 2026.
Open source URL
[3]
mitre-attack T1686.001
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams