Suspicious Firewall Modification to Allow Network Discovery
Detection of 'netsh' command execution to enable network discovery in the firewall, a technique commonly used by ransomware such as REvil and RedDot to discover and compromise additional machines on the network.
This alert detects suspicious use of the netsh command to enable network discovery through the Windows Firewall. Ransomware actors like REvil and RedDot use this technique to discover and compromise additional machines on the network, leading to widespread file encryption. The detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving the netsh command. Attackers modify the firewall to allow network discovery, which aids in lateral movement and identifying valuable targets within the compromised network. This activity is a strong indicator of reconnaissance and preparation for ransomware deployment. The detection specifically looks for netsh commands that enable the “Network Discovery” group with a “Yes” value, highlighting a deliberate attempt to bypass default firewall restrictions for network scanning.
Attack Chain
- Initial access is gained through an existing vulnerability or compromised credentials.
- The attacker executes a command shell (e.g., cmd.exe, powershell.exe).
- The attacker uses the netsh command to modify firewall settings.
- Specifically, the attacker enables network discovery by setting the “Network Discovery” group to “Yes” in the firewall configuration.
- The modified firewall settings allow the attacker to perform network scans.
- The attacker uses network scanning tools (e.g., ping, nbtscan, or custom scripts) to identify vulnerable machines on the network.
- The attacker moves laterally to these identified machines using exploits or stolen credentials.
- Finally, the attacker deploys ransomware across multiple hosts, encrypting files and demanding ransom.
Impact
Successful execution of this attack can lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack. This can result in data loss, business disruption, and significant financial costs associated with recovery and ransom payments. Victims may experience downtime, reputational damage, and potential legal repercussions due to data breaches. The impact can extend beyond the initially compromised machine, affecting critical infrastructure and sensitive data stored on other network systems.
Recommendation
- Enable Sysmon process creation logging to capture the command-line details required for detection (Sysmon EventID 1).
- Deploy the Sigma rule Detect Firewall Modification for Network Discovery to your SIEM and tune for your environment.
- Investigate any alerts generated by the rule, focusing on the parent processes and user accounts involved.
- Monitor Windows Event Log Security events with event ID 4688 for process creation events, which can provide additional context for this activity.
- Review and harden firewall configurations to prevent unauthorized modifications.
Detection coverage (2 rules)
- Detect Firewall Modification for Network Discovery (severity: high): Detects command-line execution using netsh to enable network discovery in Windows Firewall, a common tactic used by ransomware.
- Detect PowerShell Firewall Modification for Network Discovery (severity: high): Detects a PowerShell command to enable network discovery in Windows Firewall, a common tactic used by ransomware.
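As an added illustration of what the two rules above look for (example code written for this page, not the platform's own Sigma logic), the following Python evaluates constructed Sysmon Event ID 1 records against two assumed patterns keyed to the same indicators the description gives: a netsh advfirewall command that targets the "Network Discovery" group with enable=Yes, and the PowerShell Set-NetFirewallRule equivalent. The Sysmon field names, the sample command lines and the matching logic are all assumptions made for this example.

```python
import re

# Rule names and severities are taken from the page; the regexes are assumed
# matching logic, not the platform's rules. Lookaheads make the match
# order-independent so argument reordering or a "cmd /c netsh ..." wrapper
# still matches, while the enable=No / -Enabled False variants do not.
RULES = [
    ("Detect Firewall Modification for Network Discovery", "high",
     re.compile(r"\bnetsh(?:\.exe)?\b(?=.*\badvfirewall\b)(?=.*\bset\s+rule\b)"
                r"(?=.*\bgroup=[\"']?network\s+discovery)"
                r"(?=.*\benable=[\"']?yes\b)", re.IGNORECASE)),
    ("Detect PowerShell Firewall Modification for Network Discovery", "high",
     re.compile(r"\bSet-NetFirewallRule\b"
                r"(?=.*-DisplayGroup\s+[\"']?network\s+discovery)"
                r"(?=.*-Enabled\s+[\"']?\$?true\b)", re.IGNORECASE)),
]

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the evaluation needs. Two should alert, two should stay quiet.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule '
                    'group="Network Discovery" new enable=Yes'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule '
                    'group="Network Discovery" new enable=No'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command "
                    "\"Set-NetFirewallRule -DisplayGroup 'Network Discovery' "
                    "-Enabled True\""},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface ip show config"},
]


def evaluate(events):
    """Return (rule_name, severity, command_line) for each event a rule matches."""
    findings = []
    for event in events:
        if event.get("EventID") != 1:
            continue  # only process-creation events carry the command line
        cmd = event.get("CommandLine", "")
        for name, severity, pattern in RULES:
            if pattern.search(cmd):
                findings.append((name, severity, cmd))
    return findings


if __name__ == "__main__":
    for name, severity, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{severity}] {name}: {cmd}")
```

In a real deployment the parent process and user from the same record (cmd.exe or explorer.exe here) are what the investigation step in the recommendations asks you to pivot on.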