Adding T1562.004 Test 18 - Blackbit - Disable Windows Firewall using netsh firewall (#2305)

* Adding T1562.004 Test 18 - Blackbit - Disable Windows Firewall using netsh firewall

Adding T1562.004 Test 18 - Blackbit - Disable Windows Firewall using netsh firewall. Within BlackBit ransomware, one of the commands run is "netsh firewall set opmode mode=disable". While "netsh firewall" has been deprecated and replaced with "netsh advfirewall", the old command still does work, leading to a vector that adversaries can use for firewall disablement.

* Adding error handling to cleanup
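The commit message points out that the deprecated `netsh firewall` context still disables the firewall, so a detection keyed only on the modern `netsh advfirewall` syntax misses it. The following is an added example, not code from this commit or from the Atomic Red Team project: a small detection routine run over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style fields, invented here) that flags the legacy `netsh firewall set opmode mode=disable` command from the page and, as an assumption drawn from general knowledge of the replacement context rather than from this page, the `netsh advfirewall set <profile> state off` form. The field names and sample paths are constructed for the example.

```python
import re

# Constructed sample process-creation events (not from any real host).
# Field names mirror the Sysmon Event ID 1 / Security 4688 style, but the
# values are invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh firewall set opmode mode=disable",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\payload.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh  advfirewall set allprofiles state "off"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh firewall set opmode mode=enable",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles state",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Legacy context from the page: "netsh firewall set opmode mode=disable".
# \bfirewall\b deliberately does not match the "advfirewall" token.
LEGACY_DISABLE = re.compile(
    r"\bfirewall\s+set\s+opmode\b.*\bmode\s*=\s*disable\b", re.I)

# Assumed modern form (general knowledge, not from the page):
# "netsh advfirewall set <profile> state off".
ADV_DISABLE = re.compile(
    r"\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I)


def normalize(cmdline):
    """Strip quoting and collapse whitespace so spacing tricks and quoted
    arguments do not evade the patterns."""
    return " ".join(cmdline.replace('"', "").replace("'", "").split())


def classify(event):
    """Return a detection tag for a firewall-disable command, else None."""
    if not event["Image"].lower().endswith("\\netsh.exe"):
        return None
    cmd = normalize(event["CommandLine"])
    if LEGACY_DISABLE.search(cmd):
        return "T1562.004 legacy netsh firewall disable"
    if ADV_DISABLE.search(cmd):
        return "T1562.004 netsh advfirewall disable"
    return None


def detect(events):
    """Run classify() over a list of events and keep the hits together with
    the parent process, which is what an analyst triages first."""
    hits = []
    for event in events:
        tag = classify(event)
        if tag:
            hits.append({"tag": tag,
                         "command": normalize(event["CommandLine"]),
                         "parent": event["ParentImage"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['tag']}: {hit['command']} (parent: {hit['parent']})")
```

The enable and show variants in the sample are there on purpose: the cleanup command from this test and routine administrative queries should not fire, and the parent image is carried into the hit because a disable launched from a user-writable temp path is a different triage priority than one launched from an administrator's shell.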
This commit is contained in:
Leo Verlod
2023-01-31 08:45:07 -06:00
committed by GitHub
parent a2ccd19c37
commit fed5ad2204
+13 -1
@@ -326,4 +326,16 @@ atomic_tests:
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore
name: powershell
elevation_required: true
elevation_required: true
- name: Blackbit - Disable Windows Firewall using netsh firewall
description: |
An adversary tries to modify the windows firewall configuration using the deprecated netsh firewall command (command still works).
supported_platforms:
- windows
executor:
command: |
netsh firewall set opmode mode=disable
cleanup_command: |
netsh firewall set opmode mode=enable >nul 2>&1
name: command_prompt
elevation_required: true
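Review bot: the cleanup_command `netsh firewall set opmode mode=enable >nul 2>&1` discards both the command's output and its failure, so if re-enabling fails the test finishes with the firewall still disabled and nothing in the test output says so; consider dropping `>nul 2>&1` or following the command with a verification such as `netsh advfirewall show allprofiles state` so the restored state is visible. Two smaller points: the description says "windows firewall" where the test name says "Windows Firewall", and the hunk shows two consecutive `elevation_required: true` lines at the end of the previous test, which should be confirmed to be the removed and re-added line behind the +13/-1 stat rather than a duplicated YAML key.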