Advisory severity: high

Firewall Modification for File and Printer Sharing

This analytic detects the modification of Windows Firewall settings to enable file and printer sharing, a common technique used by ransomware to facilitate lateral movement and broader network encryption.

This detection focuses on identifying suspicious modifications to Windows Firewall rules that enable file and printer sharing. Ransomware actors often leverage this technique to propagate across a network, discover valuable data, and encrypt files on multiple systems. By enabling file and printer sharing via netsh commands, attackers bypass the default firewall configuration and open the inbound ports those protocols use, gaining unauthorized access to network resources. If successfully executed, this activity significantly increases the blast radius of a ransomware attack, potentially impacting critical business operations and causing significant financial losses. The detection specifically looks for command-line executions that modify firewall settings to allow file and printer sharing, providing an early warning of potential ransomware activity. The references include details about FortiEDR detecting REvil ransomware and an ANY.RUN task related to malicious firewall modifications.

Attack Chain

  1. An attacker gains initial access to a host within the network through various means (e.g., phishing, exploit).
  2. The attacker executes a netsh command to modify the Windows Firewall settings.
  3. The netsh command specifically targets the “File and Printer Sharing” group.
  4. The command enables file and printer sharing, allowing inbound connections on related ports.
  5. The attacker uses file and printer sharing protocols (e.g., SMB) to enumerate network shares.
  6. The attacker identifies accessible file shares on other systems within the network.
  7. The attacker attempts to move laterally to other systems using compromised credentials or exploits.
  8. Upon successful lateral movement, the attacker deploys ransomware payloads to encrypt data across the network.

Impact

Successful exploitation and execution of this technique can lead to widespread file encryption across the network. This can result in significant business disruption, data loss, and financial damage. The scope of impact depends on the size and complexity of the network, but can easily affect hundreds or thousands of systems. Victims may experience data breaches, compliance violations, and reputational damage. Ransomware incidents can cost organizations millions of dollars in recovery efforts, legal fees, and lost revenue.

Recommendation

  • Deploy the Sigma rule Firewall Modification for File and Printer Sharing to your SIEM and tune for your environment to detect the described behavior.
  • Enable process creation logging, specifically Sysmon Event ID 1 and Windows Security Event ID 4688 (with command-line auditing enabled), to capture the necessary command-line details.
  • Investigate any alerts generated by the Sigma rule, focusing on the process name, command-line arguments, user context, and destination host.
  • Review and audit existing firewall rules to identify any unnecessary or overly permissive file and printer sharing configurations.
  • Consider implementing network segmentation to limit the potential impact of lateral movement.
  • Monitor for netsh executions that modify firewall rules (Sysmon Event ID 1).
  • Use the provided references to research additional information regarding detection and mitigation.

Detection coverage (2 rules)

Firewall Modification for File and Printer Sharing

Severity: high

Detects the modification of Windows Firewall settings to allow file and printer sharing via netsh commands.

Type: sigma. Tactics: defense_evasion, lateral_movement. Sources: process_creation, windows.

Firewall Modification for File and Printer Sharing - PowerShell

Severity: high

Detects the modification of Windows Firewall settings to allow file and printer sharing via PowerShell commands.

Type: sigma. Tactics: defense_evasion, lateral_movement. Sources: process_creation, windows.
