Impair Defenses: Disable or Modify System Firewall

Other sub-techniques of Impair Defenses (13)

ID	Name
ATAGS-T1097.001	Triggering the clear mode
ATAGS-T1097.002	Disable or Modify Cloud Firewall
ATAGS-T1097.003	Disable or Modify Cloud Logs
ATAGS-T1097.004	Disable or Modify Linux Audit System
ATAGS-T1097.005	Disable or Modify Network Device Firewall
ATAGS-T1097.006	Disable or Modify System Firewall
ATAGS-T1097.007	Disable or Modify Tools
ATAGS-T1097.008	Disable Windows Event Logging
ATAGS-T1097.009	Downgrade Attack
ATAGS-T1097.010	Impair Command History Logging
ATAGS-T1097.011	Indicator Blocking
ATAGS-T1097.012	Safe Mode Boot
ATAGS-T1097.013	Spoof Security Alerting

Threat Actors may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

ID: ATAGS-T1097.006

Sub-technique of: ATAGS-T1097

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.