From 89c49a34b50b4b482fa4e4101793fd641a04348f Mon Sep 17 00:00:00 2001
From: Austin Songer <austin@songer.pro>
Date: Wed, 24 Nov 2021 15:34:12 -0600
Subject: [PATCH] [New Rule] Windows Firewall Disabled (#1565)

* Create defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 2ac19440c282e49c8acf470d84fa56e375599163)
---
 ..._powershell_windows_firewall_disabled.toml | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
new file mode 100644
index 000000000..a8890885c
--- /dev/null
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2021/10/15"
+maturity = "production"
+updated_date = "2021/11/24"
+
+
+[rule]
+author = ["Austin Songer"]
+description = """
+Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network
+constraints, like internet and network lateral communication restrictions.
+"""
+false_positives = [
+    """
+    Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity, 
+    user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled from
+    unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Windows Firewall Disabled via PowerShell"
+references = [
+    "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+    "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+    "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+    "http://woshub.com/manage-windows-firewall-powershell/",
+]
+risk_score = 47
+rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.action == "start" and
+  (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and
+   process.args : "*Set-NetFirewallProfile*" and
+  (process.args : "*-Enabled*" and process.args : "*False*") and
+  (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*"))
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+  [[rule.threat.technique.subtechnique]]
+  id = "T1562.004"
+  reference = "https://attack.mitre.org/techniques/T1562/004/"
+  name = "Disable or Modify System Firewall"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+