Skip to content
Threat Feed
medium advisory

Windows Firewall Disabled via Netsh

Attackers use the `netsh.exe` command-line tool to disable or weaken the local Windows firewall, facilitating lateral movement and command and control by bypassing host-based network traffic filtering.

Attackers often disable the Windows Firewall to enable lateral movement and command and control activity within a compromised network. This is typically achieved using the netsh.exe utility, a command-line tool that allows configuration of network settings, including the Windows Firewall. While legitimate administrators may use this tool for troubleshooting or network mobility purposes, its misuse can significantly weaken a system's defenses. This activity has been observed across various environments and affects all Windows systems where Windows Firewall is enabled. Identifying and responding to the disabling of the Windows Firewall is crucial for maintaining network security and preventing further compromise.

Attack Chain

  1. Initial Access: The attacker gains initial access to the system, often through phishing, exploitation of vulnerabilities, or stolen credentials.
  2. Privilege Escalation: The attacker escalates privileges to a level where they can execute administrative commands, such as running netsh.exe.
  3. Defense Evasion: The attacker executes netsh.exe with specific arguments to disable the Windows Firewall or individual firewall rules. Example commands: netsh advfirewall set allprofiles state off or netsh firewall set opmode mode=disable.
  4. Lateral Movement: With the firewall disabled, the attacker can move laterally within the network, accessing other systems and resources without the usual network restrictions.
  5. Command and Control: The disabled firewall allows the attacker to establish command and control channels with external servers, enabling them to send and receive data and execute commands remotely.
  6. Data Exfiltration: The attacker exfiltrates sensitive data from the compromised network to an external location.
  7. Persistence: The attacker establishes persistence mechanisms to maintain access to the compromised network, such as creating new user accounts or installing backdoors.

Impact

Disabling the Windows Firewall can lead to unrestricted network access within the compromised system. This allows attackers to move laterally, compromise additional systems, exfiltrate sensitive data, and establish persistent access. While the number of victims and specific sectors targeted are unknown, the impact can range from data breaches and financial losses to reputational damage and disruption of business operations. Success in this attack enables nearly unfettered access to internal resources, leading to a severe compromise of confidentiality, integrity, and availability.

Recommendation

  • Deploy the provided Sigma rule to detect the execution of netsh.exe with arguments used to disable the firewall (Sigma rule: "Disable Windows Firewall via Netsh").
  • Enable Sysmon process creation logging to capture the execution of netsh.exe with relevant command-line arguments.
  • Investigate any alerts generated by the Sigma rule, focusing on the context of the netsh.exe execution, including the parent process and user account.
  • Implement strict access controls and limit the number of users with administrative privileges to reduce the risk of unauthorized firewall modifications.

Detection coverage 2

Disable Windows Firewall via Netsh

medium

Detects the execution of netsh.exe with arguments to disable or weaken the Windows firewall.

sigma tactics: defense_evasion techniques: T1562.004 sources: process_creation, windows

Netsh Advfirewall Firewall Rule Modification

low

Detects the execution of netsh.exe to modify firewall rules.

sigma tactics: defense_evasion techniques: T1562.004 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →