Jonhnathan
1484c20795
* [Security Content] 8.3 Add Investigation Guides - 3
* bump date
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
(cherry picked from commit 27f5c2e695)
108 lines
4.9 KiB
TOML
108 lines
4.9 KiB
TOML
[metadata]
|
|
creation_date = "2021/10/15"
|
|
maturity = "production"
|
|
updated_date = "2022/05/23"
|
|
|
|
[rule]
|
|
author = ["Austin Songer"]
|
|
description = """
|
|
Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network
|
|
constraints, like internet and network lateral communication restrictions.
|
|
"""
|
|
false_positives = [
|
|
"""
|
|
Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or
|
|
hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be
|
|
investigated. If known behavior is causing false positives, it can be exempted from the rule.
|
|
""",
|
|
]
|
|
from = "now-9m"
|
|
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Windows Firewall Disabled via PowerShell"
|
|
note = """## Triage and analysis
|
|
|
|
### Investigating Windows Firewall Disabled via PowerShell
|
|
|
|
Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a
|
|
device and blocks unauthorized network traffic flowing into or out of the local device.
|
|
|
|
Attackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.
|
|
|
|
This rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile`
|
|
PowerShell cmdlet.
|
|
|
|
#### Possible investigation steps
|
|
|
|
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
|
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
|
- Identify the user account that performed the action and whether it should perform this kind of action.
|
|
- Contact the account owner and confirm whether they are aware of this activity.
|
|
- Investigate other alerts associated with the user/host during the past 48 hours.
|
|
- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
|
|
|
|
### False positive analysis
|
|
|
|
- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing
|
|
troubleshooting.
|
|
- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.
|
|
|
|
### Response and remediation
|
|
|
|
- Initiate the incident response process based on the outcome of the triage.
|
|
- Isolate the involved hosts to prevent further post-compromise behavior.
|
|
- Re-enable the firewall with its desired configurations.
|
|
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
|
|
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
|
|
systems, and web services.
|
|
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
|
|
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
|
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
|
mean time to respond (MTTR).
|
|
|
|
## Config
|
|
|
|
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
|
|
"""
|
|
references = [
|
|
"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
|
|
"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
|
|
"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
|
|
"http://woshub.com/manage-windows-firewall-powershell/",
|
|
]
|
|
risk_score = 47
|
|
rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
process where event.action == "start" and
|
|
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and
|
|
process.args : "*Set-NetFirewallProfile*" and
|
|
(process.args : "*-Enabled*" and process.args : "*False*") and
|
|
(process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*"))
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1562"
|
|
name = "Impair Defenses"
|
|
reference = "https://attack.mitre.org/techniques/T1562/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1562.004"
|
|
name = "Disable or Modify System Firewall"
|
|
reference = "https://attack.mitre.org/techniques/T1562/004/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0005"
|
|
name = "Defense Evasion"
|
|
reference = "https://attack.mitre.org/tactics/TA0005/"
|
|
|