From fed5ad2204fd17952e03ede41e727ceefaa47ba2 Mon Sep 17 00:00:00 2001
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com>
Date: Tue, 31 Jan 2023 08:45:07 -0600
Subject: [PATCH] Adding T1562.004 Test 18 - Blackbit - Disable Windows Firewall using netsh firewall (#2305)

* Adding T1562.004 Test 18 - Blackbit - Disable Windows Firewall using netsh firewall

Adding T1562.004 Test 18 - Blackbit - Disable Windows Firewall using netsh firewall. Within BlackBit ransomware, one of the commands ran is "netsh firewall set opmode mode=disable". While "netsh firewall" has been deprecated and replaced with "netsh advfirewall", the old command still does work, leading to a vector that adversaries can use for firewall disablement.

* Adding error handling to cleanup
---
 atomics/T1562.004/T1562.004.yaml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index 79fbd693..4054270f 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -326,4 +326,16 @@ atomic_tests:
       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -Force -ErrorAction Ignore
       Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore
     name: powershell
-    elevation_required: true
\ No newline at end of file
+    elevation_required: true
+- name: Blackbit - Disable Windows Firewall using netsh firewall
+  description: |
+    An adversary tries to modify the windows firewall configuration using the deprecated netsh firewall command (command still works).
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      netsh firewall set opmode mode=disable
+    cleanup_command: |
+      netsh firewall set opmode mode=enable >nul 2>&1
+    name: command_prompt
+    elevation_required: true
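Review bot: The `>nul 2>&1` on the new `cleanup_command` line discards the only signal that the firewall was not restored, so a test host left with its firewall disabled after a failed cleanup would go unnoticed; the commit message calls this error handling, but it is suppression. Since the cleanup runs elevated and is the mirror image of the executor's command, I would let its output through, or follow it with a visible check such as `netsh firewall show opmode` so the restored state appears in the run log. The `description` would also benefit from the point the commit message makes, that `netsh firewall` is the deprecated predecessor of `netsh advfirewall` and still takes effect, so a reader understands why a deprecated command is worth exercising as a separate test. The new entry carries no `auto_generated_guid` unlike the surrounding tests presumably do; if this repository's automation does not assign one on merge, it should be added here.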