MITRE ATT&CK® Technique

T1686.002: Network Device Firewall

Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.

Adversaries may obtain access to devices such as routers, switches, or other perimeter/network devices and change access control lists (ACLs), security zones, or policy rules to permit otherwise blocked traffic. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Allowing access to internal network subsets may enable unrestricted inbound/outbound connectivity or open paths for command and control and lateral movement.

Adversaries may obtain access to network device management interfaces via Valid Accounts or by exploiting vulnerabilities. In some cases, threat actors may target firewalls and other network infrastructure that are exposed to the internet by leveraging weaknesses in public-facing applications (Exploit Public-Facing Application).[1]

Adversaries may also modify host networking configurations that indirectly manipulate system firewalls, such as adjusting interface bandwidth or network connection request thresholds.

Domain: Enterprise | ID: T1686.002 | Type: Sub-technique | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This behavior matters because the firewall policy on routers, switches, and perimeter devices is often a business control, not just a network setting. If an adversary can disable or change network-device firewall rules, they may open paths that were intentionally blocked for command and control, lateral movement, or unrestricted internal access. The practical question for leaders is whether firewall changes are governed, logged, reviewed, and tied to accountable administrative identities.

Executive priority

Prioritize this where network devices protect critical internal segments, internet-facing services, remote access paths, financial systems, or operational environments. The ATT&CK relationships show relevance to network-device malware and campaigns involving energy infrastructure, so resilience depends on proving that administrative access, patching, and audit evidence around firewall policy changes are mature enough for incident response and compliance review.

Technical view

T1686.002 is a defense-impairment sub-technique for Network Devices under Disable or Modify System Firewall. SOC and IR teams should validate whether changes to ACLs, security zones, policy rules, and related network configuration parameters can be attributed to a specific account/session and compared against approved baselines. Because MITRE provides no official detection text, use the related detection strategy DET0306 as direction: detect unauthorized network firewall rule modification, especially after Valid Accounts activity or exploitation of exposed management/public-facing interfaces.

Likely telemetry

  • Network device configuration change logs and syslog events
  • Administrator authentication, authorization, and session records for network device management interfaces
  • Firewall/ACL/security zone/policy rule snapshots and configuration diffs
  • Configuration backup history and change-control records
  • Network flow or traffic metadata showing newly permitted inbound, outbound, or internal paths

Detection direction

  • Baseline approved firewall policies and alert on additions, deletions, disables, or broadening of ACLs, zones, or rules outside expected change windows.
  • Correlate policy changes with administrative logins, account privilege changes, and management-interface access source addresses.
  • Tune for legitimate network operations activity: maintenance windows and emergency changes can look similar unless tied to authorization evidence.
  • Review whether network devices forward sufficient logs to central monitoring; local-only logs are a major blind spot during compromise.
  • Use relationship context to include network-device-focused malware and campaign reporting in threat intelligence reviews, without assuming those actors are present locally.
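As an added example (not part of the ATT&CK object or of Glexia's page), the following Python sketch implements the first two detection bullets: it diffs an approved ACL baseline against a snapshot pulled from the device, flags entries that widen access, and attributes the change to the account and source address recorded in a Cisco-style CONFIG_I syslog event. The ACL text, the syslog line, the device name and the jump_hosts allow-list are constructed sample values.

```python
import re
# Constructed sample data (not from the ATT&CK page): a Cisco-IOS-style extended ACL as the
# approved baseline, the same ACL as pulled from the device, and one syslog config-change event.
BASELINE = """\
ip access-list extended INSIDE-IN
 permit tcp 10.0.0.0 0.0.0.255 host 10.1.1.10 eq 443
 deny ip any any
"""
CURRENT = """\
ip access-list extended INSIDE-IN
 permit tcp 10.0.0.0 0.0.0.255 host 10.1.1.10 eq 443
 permit ip any 10.0.0.0 0.255.255.255
 deny ip any any
"""
SYSLOG = ["Jan 22 03:14:07 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netops-svc on vty0 (203.0.113.5)"]
CONFIG_I = re.compile(r"CONFIG_I: Configured from console by (\S+) on (\S+) \(([\d.]+)\)")
DOTTED = re.compile(r"(\d{1,3}\.){3}\d{1,3}")

def parse_acl(text):
    """Return the normalised access-control entries (ACEs); the ACL header line is not an entry."""
    return {" ".join(l.split()) for l in text.splitlines() if l.split()[:1] in (["permit"], ["deny"])}

def wildcard_bits(mask):
    """Number of 'don't care' bits in a Cisco wildcard mask (0.0.0.255 -> 8, 0.255.255.255 -> 24)."""
    return sum(bin(int(o)).count("1") for o in mask.split("."))

def is_broadening(ace):
    """A permit whose source/destination is 'any' or whose wildcard mask spans a /16 or wider."""
    tok = ace.split()
    return tok[0] == "permit" and ("any" in tok or any(
        DOTTED.fullmatch(a) and DOTTED.fullmatch(b) and wildcard_bits(b) >= 16 for a, b in zip(tok, tok[1:])))

def attribute_change(lines):
    """Pull the account, VTY line and source address from the first CONFIG_I event, if any."""
    for line in lines:
        m = CONFIG_I.search(line)
        if m:
            return {"user": m.group(1), "line": m.group(2), "source": m.group(3)}
    return {}

# jump_hosts is an assumed allow-list of approved management source addresses (constructed value).
def review(baseline, current, syslog, jump_hosts=("192.0.2.10",)):
    """Diff the ACL, mark entries that widen access, and attach who made the change and from where."""
    base, cur, who = parse_acl(baseline), parse_acl(current), attribute_change(syslog)
    findings = [{"change": "added", "ace": a, "broadening": is_broadening(a)} for a in sorted(cur - base)]
    findings += [{"change": "removed", "ace": a, "broadening": a.startswith("deny")} for a in sorted(base - cur)]
    for f in findings:  # no CONFIG_I event at all leaves user/source empty, which is itself a logging gap
        f.update(user=who.get("user"), source=who.get("source"),
                 from_jump_host=who.get("source") in jump_hosts)
    return findings
```

On the sample data the new `permit ip any 10.0.0.0 0.255.255.255` entry is reported as broadening and is tied to `netops-svc` connecting from an address outside the allow-list, which is the combination the detection direction above says to escalate.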

Mitigation priorities

  • Start with User Account Management: restrict network-device administrative privileges to required personnel and enforce least privilege for firewall policy modification.
  • Implement Audit controls: record and systematically review user behavior, device activity, and configuration state so unauthorized changes can be reconstructed.
  • Maintain Update Software processes for network device firmware/software, especially where management or public-facing interfaces may be exposed to known vulnerabilities such as the CVE cited in the references (CVE-2024-55591).
  • Operationalize regular configuration review so firewall rules that allow broad internal access or unrestricted inbound/outbound connectivity are challenged and documented.

Analyst notes and limits

This object replaces the revoked T1562.013 naming and is now modeled as T1686.002 under defense impairment. Supplied relationships include use by C0063, APT38, Grandoreiro, and Cyclops Blink, plus mitigations M1018, M1047, and M1051. The most defensible coverage measure is not a single alert, but the ability to prove who changed network firewall policy, what changed, when it changed, and whether the change was authorized.

MITRE did not provide official detection logic for this object, and the supplied fields do not identify specific products, commands, or guaranteed indicators. Local device models, logging configuration, management-plane exposure, and change-management data are required to determine actual coverage.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID        | Name                                      | Relationship / procedure
Enterprise | T1686     | Disable or Modify System Firewall         | This object is a sub-technique of Disable or Modify System Firewall.
Enterprise | T1562.013 | Disable or Modify Network Device Firewall | Sub-technique Disable or Modify Network Device Firewall was revoked by this object.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0082: APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Malware Enterprise

S0531: Grandoreiro

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[1][2]

Platforms: Windows

Campaign Enterprise

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by its hash and MITRE timestamps. For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 0f47c766c11a3e8f...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 0f47c766c11a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] NIST NVD. (2025, January 22). CVE-2024-55591 Detail. Retrieved September 22, 2025.
  2. [2] mitre-attack T1686.002.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.