T1686.001 is the subtechnique covering cloud-firewall modification to bypass network controls: opening security groups, modifying network ACLs, disabling cloud-native WAFs. It often appears as a precondition for lateral movement or data exfiltration. DCV maps the full GCP SCC OPEN_*_PORT finding family to T1686.001, covering protocol-by-protocol firewall-bypass exposure across SSH, RDP, MongoDB, Redis, MySQL, Postgres, and beyond. T1686.001 detections must trigger before the next step in the attack chain runs.
Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.
Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane.
For example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).
Platforms: IaaS.
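The description above is exactly the pattern a defender wants to catch in the control-plane audit log before the next step of the chain runs. The following is an added example, not code from the page or from DCV or CloudSigma: a small detector over AWS CloudTrail `AuthorizeSecurityGroupIngress` events that flags ingress rules granted to the whole internet (`0.0.0.0/0`, `::/0`) or to untrusted ranges on the sensitive ports the page lists. The event structure follows the real CloudTrail shape for EC2 API calls (`requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp`); the sample events, the security-group and account identifiers, and the trusted CIDR list are constructed for the demo.

```python
import ipaddress
import json

# Ports whose exposure to untrusted networks is the classic T1686.001 footprint;
# the set mirrors the protocol family the page lists (SSH, RDP, MongoDB, Redis,
# MySQL, Postgres).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 27017: "MongoDB",
                   6379: "Redis", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed placeholder for the organisation's own trusted source ranges.
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]


def sensitive_ports_in(perm):
    """Return the sensitive ports covered by one ipPermissions entry."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":                      # "-1" means all protocols and all ports
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "6"):          # udp/icmp rules are outside our port list
        return set()
    lo = perm.get("fromPort", 0)
    hi = perm.get("toPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def source_cidrs(perm):
    """Yield every IPv4/IPv6 CIDR granted by one ipPermissions entry."""
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for item in perm.get(key, {}).get("items", []):
            if field in item:
                yield item[field]


def analyze_event(event):
    """Classify one CloudTrail event; returns a list of finding dicts."""
    if (event.get("eventSource") != "ec2.amazonaws.com"
            or event.get("eventName") != "AuthorizeSecurityGroupIngress"):
        return []
    params = event.get("requestParameters", {})
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        exposed = sensitive_ports_in(perm)
        for cidr in source_cidrs(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            world_open = net.prefixlen == 0          # 0.0.0.0/0 or ::/0
            trusted = any(net.version == t.version and net.subnet_of(t)
                          for t in TRUSTED_CIDRS)
            if world_open and exposed:
                severity = "critical"                # internet-wide on a sensitive port
            elif world_open:
                severity = "high"                    # internet-wide on some other port
            elif exposed and not trusted:
                severity = "medium"                  # unknown range on a sensitive port
            else:
                continue                             # trusted range: no finding
            findings.append({
                "technique": "T1686.001",
                "severity": severity,
                "group": params.get("groupId"),
                "cidr": cidr,
                "services": sorted(SENSITIVE_PORTS[p] for p in exposed),
                "actor": event.get("userIdentity", {}).get("arn"),
                "time": event.get("eventTime"),
            })
    return findings


def scan(jsonl):
    """Run analyze_event over newline-delimited CloudTrail JSON."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            findings.extend(analyze_event(json.loads(line)))
    return findings


def _event(name, perms):
    # Builds a constructed CloudTrail-shaped event for the demo (identifiers are fake).
    return {
        "eventTime": "2024-01-01T00:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0",
                              "ipPermissions": {"items": perms}},
    }


# Constructed sample log: SSH to the world, everything to the world over IPv6,
# HTTPS to the world, MySQL from a trusted range, and a read-only API call.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("AuthorizeSecurityGroupIngress", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
           "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]),
    _event("AuthorizeSecurityGroupIngress", [{"ipProtocol": "-1",
           "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]),
    _event("AuthorizeSecurityGroupIngress", [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
           "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]),
    _event("AuthorizeSecurityGroupIngress", [{"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
           "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}]),
    _event("DescribeSecurityGroups", []),
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against the constructed log, the first two events come out `critical`, the HTTPS rule `high`, and the MySQL rule from the trusted range produces nothing. The `ipProtocol: "-1"` case matters in practice: it carries no port fields at all, so a detector that keys only on `fromPort`/`toPort` misses the broadest rule an operator can write.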
DCV maps 66 detections across 3 cloud providers to T1686.001. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Security Hub | AWS | 34 | 0.81 |
| GCP Security Command Center | GCP | 23 | 0.81 |
| Azure Policy | Azure | 5 | 0.88 |
| Microsoft Defender for Cloud | Azure | 4 | 0.93 |
CloudSigma has coverage metadata for 66 T1686.001 rules across 3 platforms. The linked platform page remains the canonical rule surface; no public example rule clears the embed bar for this page yet, so an example will be embedded here once one does. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 66 cloud-native detections to T1686.001 across 3 cloud providers, drawn from AWS Security Hub, Azure Policy, GCP Security Command Center and Microsoft Defender for Cloud.
T1686.001 is part of MITRE ATT&CK TA0112 Defense Impairment, which covers how adversaries disable or degrade the defences that would otherwise have spotted them.
CloudSigma ships 3 validated Sigma rules for T1686.001 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.