MITRE ATT&CK · TA0005 Defense Evasion

T1562.007 Impair Defenses: Disable or Modify Cloud Firewall

Detection coverage in DCV across AWS, Azure and GCP for Impair Defenses: Disable or Modify Cloud Firewall, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.

01 What is T1562.007?

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls (security groups, network ACLs, VPC firewall rules) are distinct from the host-level firewalls covered by Disable or Modify System Firewall (T1562.004).

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).

Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. It may also be used to open up resources for Brute Force or Endpoint Denial of Service.

Platforms: IaaS.

02 Coverage in DCV

DCV maps 66 detections across 3 cloud providers to T1562.007. Coverage by source:

Source                          Cloud   Findings mapped   Avg confidence (0-1)
AWS Security Hub                AWS     34                0.81
GCP Security Command Center     GCP     23                0.81
Azure Policy                    Azure   5                 0.88
Microsoft Defender for Cloud    Azure   4                 0.93

03 Detect with CloudSigma

CloudSigma ships 3 Sigma rules that detect T1562.007 across 3 platforms. Each rule is validated against its source SIEM dialect before publication. The AWS rule is shown below.

Example: AWS Cloud Firewall Modification via Security Group and Network ACL Changes

This rule is currently experimental: CloudSigma generated it from upstream threat intelligence. Before enabling it in production, tune it against your environment's known automation, service accounts and IP allowlist. Note that the falsepositives section of a Sigma rule is documentation for the analyst; the suppression itself has to be expressed as a filter in the detection block (for example on userIdentity.arn or sourceIPAddress) or in the SIEM.

Sigma rule · CloudSigma 2026-02-06
title: AWS Cloud Firewall Modification via Security Group and Network ACL Changes
id: 2333505a-ff62-445e-9c29-49a156e80cd6
status: experimental
description: >
  Detects creation, deletion or modification of AWS security group rules and
  network ACL entries, which may indicate an adversary disabling or weakening
  cloud firewall controls to enable C2, lateral movement or data exfiltration.
author: CloudSigma
date: 2026-02-06
references:
- https://attack.mitre.org/techniques/T1562/007/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
tags:
- attack.defense-evasion
- attack.t1562.007
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: ec2.amazonaws.com
    eventName:
    # Security group rule changes. Authorize* covers the "new ingress rule"
    # case in the technique description; Revoke*/Delete* remove controls.
    - AuthorizeSecurityGroupIngress
    - AuthorizeSecurityGroupEgress
    - RevokeSecurityGroupIngress
    - RevokeSecurityGroupEgress
    - DeleteSecurityGroup
    # Network ACL changes. ModifyNetworkAclEntry is not an EC2 API action and
    # never appears in CloudTrail; these are the real entry/ACL calls.
    - CreateNetworkAclEntry
    - ReplaceNetworkAclEntry
    - DeleteNetworkAclEntry
    - DeleteNetworkAcl
  condition: selection
falsepositives:
- Security group cleanup during infrastructure decommissioning
- Network ACL modifications during planned network restructuring
- Rule changes made by infrastructure-as-code pipelines and deployment roles
level: medium
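The following is an added example, not code from CloudSigma or DCV. It runs the rule's selection logic over a handful of constructed CloudTrail records and then adds the two things an analyst wants on top of the bare match: suppression of a known automation principal (the terraform-deploy role name is hypothetical) and a severity bump when the change opens a resource to 0.0.0.0/0 or ::/0, which is the "allow any TCP/IP connectivity" case the technique description singles out. The requestParameters field names used to find the CIDR are the usual CloudTrail ones for these calls but are an assumption to verify against your own logs.

```python
import json
import re

# eventName values from the Sigma rule on this page, with the nonexistent
# ModifyNetworkAclEntry replaced by the real EC2 network-ACL API actions, plus
# the Authorize* calls for the "new ingress rule" case the technique describes.
FIREWALL_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "DeleteSecurityGroup", "CreateNetworkAclEntry", "ReplaceNetworkAclEntry",
    "DeleteNetworkAclEntry", "DeleteNetworkAcl",
}
# Assumed tuning input (hypothetical role name, not from the page): principals
# whose firewall changes are expected, matched against userIdentity.arn.
KNOWN_AUTOMATION = [re.compile(r":assumed-role/terraform-deploy/")]
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed CloudTrail records in the S3-delivery shape, not real telemetry;
# account ID, ARNs and addresses are placeholders.
SAMPLE_LOG = r'''{"Records": [
 {"eventID": "e1", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "sourceIPAddress": "198.51.100.7", "requestParameters": {"groupId": "sg-0a1b2c3d",
  "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
   "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventID": "e2", "eventSource": "ec2.amazonaws.com", "eventName": "RevokeSecurityGroupIngress",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci-run-42"},
  "sourceIPAddress": "10.0.4.12", "requestParameters": {"groupId": "sg-0a1b2c3d",
  "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
   "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
 {"eventID": "e3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
 {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceNetworkAclEntry",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "sourceIPAddress": "198.51.100.7", "requestParameters": {"networkAclId": "acl-0f9e8d7c",
  "ruleNumber": 100, "protocol": "-1", "ruleAction": "allow", "egress": false,
  "cidrBlock": "0.0.0.0/0"}},
 {"eventID": "e5", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteSecurityGroup",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "203.0.113.9", "requestParameters": {"groupId": "sg-0d4c3b2a"}}
]}'''

def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into its events."""
    return json.loads(text)["Records"]

def matches_selection(event):
    """The rule's `selection` block: eventSource AND eventName in the list."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") in FIREWALL_EVENTS)

def opens_to_internet(event):
    """True if the request grants access from 0.0.0.0/0 or ::/0. The
    requestParameters field names are the usual CloudTrail ones for these
    calls (an assumption); verify them against your own logs."""
    params = event.get("requestParameters") or {}
    name = event.get("eventName", "")
    if name.startswith("AuthorizeSecurityGroup"):
        for perm in params.get("ipPermissions", {}).get("items", []):
            v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
            v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
            if ANY_V4 in v4 or ANY_V6 in v6:
                return True
    elif name in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry"):
        return params.get("ruleAction") == "allow" and (
            params.get("cidrBlock") == ANY_V4 or params.get("ipv6CidrBlock") == ANY_V6)
    return False

def triage(events):
    """Apply the selection, drop known automation, grade the rest.
    Returns (alerts, suppressed_event_ids); a change that opens a resource to
    any source address is raised from the rule's medium to high."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_selection(ev):
            continue
        arn = (ev.get("userIdentity") or {}).get("arn", "")
        if any(p.search(arn) for p in KNOWN_AUTOMATION):
            suppressed.append(ev["eventID"])
            continue
        alerts.append({"eventID": ev["eventID"], "eventName": ev["eventName"],
                       "principal": arn, "sourceIPAddress": ev.get("sourceIPAddress"),
                       "level": "high" if opens_to_internet(ev) else "medium"})
    return alerts, suppressed

if __name__ == "__main__":
    found, skipped = triage(load_records(SAMPLE_LOG))
    for a in found:
        print(a["level"], a["eventID"], a["eventName"], a["principal"], a["sourceIPAddress"])
    print("suppressed:", skipped)
```

On the sample, e1 (SSH opened to 0.0.0.0/0 by an IAM user) and e4 (an allow-all NACL entry) come out high, e5 (a security group deletion) stays at the rule's medium, e2 is suppressed as the deploy role, and e3 is a read-only call that never matches. The suppression is deliberately keyed on the principal rather than the source IP, since a pipeline role used from an unexpected address is exactly what you still want to see.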

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1562/007/
  • MITRE Tactic TA0005 Defense Evasion, https://attack.mitre.org/tactics/TA0005/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings (https://center-for-threat-informed-defense.github.io/security-stack-mappings/)
Last verified: 2026-04-24