Windows Firewall Disabled via Netsh
Attackers use the `netsh.exe` command-line tool to disable or weaken the local Windows firewall, facilitating lateral movement and command and control by bypassing host-based network traffic filtering.
Attackers often disable the Windows Firewall to enable lateral movement and command and control activity within a compromised network. This is typically achieved using the netsh.exe utility, a command-line tool that allows configuration of network settings, including the Windows Firewall. While legitimate administrators may use this tool for troubleshooting or network mobility purposes, its misuse can significantly weaken a system's defenses. This activity has been observed across various environments and affects all Windows systems where Windows Firewall is enabled. Identifying and responding to the disabling of the Windows Firewall is crucial for maintaining network security and preventing further compromise.
Attack Chain
- Initial Access: The attacker gains initial access to the system, often through phishing, exploitation of vulnerabilities, or stolen credentials.
- Privilege Escalation: The attacker escalates privileges to a level where they can execute administrative commands, such as running
netsh.exe. - Defense Evasion: The attacker executes
netsh.exewith specific arguments to disable the Windows Firewall or individual firewall rules. Example commands:netsh advfirewall set allprofiles state offornetsh firewall set opmode mode=disable. - Lateral Movement: With the firewall disabled, the attacker can move laterally within the network, accessing other systems and resources without the usual network restrictions.
- Command and Control: The disabled firewall allows the attacker to establish command and control channels with external servers, enabling them to send and receive data and execute commands remotely.
- Data Exfiltration: The attacker exfiltrates sensitive data from the compromised network to an external location.
- Persistence: The attacker establishes persistence mechanisms to maintain access to the compromised network, such as creating new user accounts or installing backdoors.
Impact
Disabling the Windows Firewall can lead to unrestricted network access within the compromised system. This allows attackers to move laterally, compromise additional systems, exfiltrate sensitive data, and establish persistent access. While the number of victims and specific sectors targeted are unknown, the impact can range from data breaches and financial losses to reputational damage and disruption of business operations. Success in this attack enables nearly unfettered access to internal resources, leading to a severe compromise of confidentiality, integrity, and availability.
Recommendation
- Deploy the provided Sigma rule to detect the execution of
netsh.exewith arguments used to disable the firewall (Sigma rule: "Disable Windows Firewall via Netsh"). - Enable Sysmon process creation logging to capture the execution of
netsh.exewith relevant command-line arguments. - Investigate any alerts generated by the Sigma rule, focusing on the context of the
netsh.exeexecution, including the parent process and user account. - Implement strict access controls and limit the number of users with administrative privileges to reduce the risk of unauthorized firewall modifications.
Detection coverage 2
Disable Windows Firewall via Netsh
mediumDetects the execution of netsh.exe with arguments to disable or weaken the Windows firewall.
Netsh Advfirewall Firewall Rule Modification
lowDetects the execution of netsh.exe to modify firewall rules.
Detection queries are available on the platform. Get full rules →