medium advisory

Windows Firewall Disabled via Netsh

Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.

Attackers commonly abuse netsh.exe, a built-in command-line scripting utility for managing network configuration, to disable or modify rules in Windows Firewall, the host-based firewall shipped with Windows. Weakening the host firewall this way allows unauthorized network traffic, eases lateral movement within the compromised environment, and leaves command and control communications and exploitation of internal resources unhindered. Defenders must monitor netsh.exe executions for unexpected firewall modifications.

Attack Chain

  1. Initial Access: An attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.
  2. Privilege Escalation: The attacker escalates privileges to a level sufficient to modify firewall settings.
  3. Discovery: The attacker uses reconnaissance techniques to identify existing firewall rules.
  4. Defense Evasion: The attacker uses netsh.exe to disable specific firewall rules, using commands like `netsh advfirewall firewall set rule name="rule_name" new enable=no`.
  5. Defense Evasion: Alternatively, the attacker disables the entire firewall using `netsh advfirewall set allprofiles state off`.
  6. Lateral Movement: With the firewall weakened, the attacker moves laterally to other systems on the network.
  7. Command and Control: The attacker establishes command and control channels, which may now be unimpeded by firewall rules.
  8. Impact: The attacker achieves their objectives, such as data exfiltration, ransomware deployment, or further compromise of the network.

Impact

Successfully disabling Windows Firewall rules can lead to significant security breaches. Attackers can move laterally within the network, compromise additional systems, and exfiltrate sensitive data. The impact can range from data loss and financial damage to reputational harm and legal consequences. This defense evasion enables attackers to establish persistent command and control channels, maintain a long-term presence within the compromised environment, and conduct further malicious activities.

Recommendation

  • Enable Sysmon process creation logging to monitor netsh.exe executions and related command-line arguments to support detections.
  • Deploy the Sigma rules in this brief to your SIEM to detect attempts to disable Windows Firewall rules via netsh.exe. Tune the rules for your specific environment.
  • Investigate any alerts generated by the Sigma rules, focusing on identifying the user account, process execution chain, and the specific firewall rules being modified.
  • Implement strict access controls to limit the number of users with the privileges necessary to modify firewall settings.
  • Regularly review and audit firewall configurations to ensure they are properly configured and have not been tampered with.

Detection coverage (2 rules)

Disable Windows Firewall via Netsh Command

Severity: medium

Detects attempts to disable the Windows Firewall using the `netsh` command.

Format: sigma | Tactics: defense_evasion | Techniques: T1562.004 | Sources: process_creation, windows

Netsh Firewall Rule Modification

Severity: medium

Detects attempts to modify Windows Firewall rules using netsh.exe.

Format: sigma | Tactics: defense_evasion | Techniques: T1562.004 | Sources: process_creation, windows
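As an added illustration of the two detections described above (example code written for this page, not the platform's own Sigma rules), the Python below applies equivalent matching logic to constructed Sysmon process-creation records. It goes slightly beyond the page's commands: it also matches per-profile `state off` variants and the legacy `netsh firewall set opmode disable` syntax, and it checks Sysmon's OriginalFileName field as well as the image path; the sample events and field names are assumptions.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields
# the detection needs. Every value below is sample data written for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule name="Remote Desktop" new enable=no'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "NETSH  ADVFIREWALL  SET  CURRENTPROFILE  STATE  OFF"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall delete rule name="Block 4444"'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},  # benign: read-only
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},  # benign: not netsh
]

NETSH_IMAGE = re.compile(r"\\netsh\.exe$", re.IGNORECASE)
# Profile-level disable for any profile name, plus the legacy "netsh firewall set opmode" syntax.
DISABLE_FIREWALL = re.compile(
    r"\badvfirewall\s+set\s+(allprofiles|currentprofile|domainprofile|"
    r"privateprofile|publicprofile)\s+state\s+off\b"
    r"|\bfirewall\s+set\s+opmode\s+(mode=)?disable\b", re.IGNORECASE)
# Per-rule changes: "set rule ... new enable=no", plus delete/add, which also alter policy.
MODIFY_RULE = re.compile(r"\badvfirewall\s+firewall\s+(set|delete|add)\s+rule\b",
                         re.IGNORECASE)

def is_netsh(event):
    """Match on Image path or on OriginalFileName, so a renamed netsh.exe is still caught."""
    original = event.get("OriginalFileName", "")
    return bool(NETSH_IMAGE.search(event.get("Image", ""))) or original.lower() == "netsh.exe"

def classify(event):
    """Return the detection names that fire for one process-creation event."""
    if not is_netsh(event):
        return []
    cmd = event.get("CommandLine", "")
    hits = []
    if DISABLE_FIREWALL.search(cmd):
        hits.append("Disable Windows Firewall via Netsh Command")
    if MODIFY_RULE.search(cmd):
        hits.append("Netsh Firewall Rule Modification")
    return hits

def scan(events):
    """Return (command line, detections) for every event that fired at least one rule."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the four netsh invocations that change firewall state or rules and ignores the read-only `show` query and the unrelated cmd.exe event.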
