Find sigma rule
Attack: Impair Defenses: Disable or Modify System Firewall
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. Non-Standard Port).(Citation: change_rdp_port_conti)
Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various Remote Services may also indirectly modify firewall rules.
MITRE
Tactic
- defense-evasion
technique
- T1562.004
Test : Open a local port through Windows Firewall to any profile
OS
- windows
Description:
This test will attempt to open a local port defined by input arguments to any profile
Executor
powershell
Sigma Rule
-
proc_creation_win_netsh_fw_allow_rdp.yml (id: 01aeb693-138d-49d2-9403-c4f52d7d3d62)
-
proc_creation_win_netsh_fw_add_rule.yml (id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c)