medium advisory

Windows Firewall Disabled via PowerShell

Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.

Attackers often attempt to disable or modify system firewalls to evade network restrictions and facilitate lateral movement within a compromised environment. The Windows Firewall, a built-in component, provides host-based traffic filtering. Disabling it allows unrestricted communication, aiding command and control activities and hindering detection efforts. This activity is commonly achieved through PowerShell, leveraging cmdlets like Set-NetFirewallProfile. The rule focuses on detecting the use of this specific cmdlet to disable the Windows Firewall, alerting defenders to potential defense evasion attempts. This technique is valuable to attackers across various attack vectors, especially after initial access has been established.

Attack Chain

  1. Initial Access: An attacker gains initial access through methods such as phishing or exploiting a vulnerability in a network-facing application.
  2. Privilege Escalation (if necessary): The attacker escalates privileges to gain the necessary permissions to modify firewall settings.
  3. PowerShell Execution: The attacker executes PowerShell, either through an interactive session or a script.
  4. Disable Firewall Profile: The attacker uses the Set-NetFirewallProfile cmdlet with parameters such as -Enabled False to disable the firewall for all, public, domain, or private profiles.
  5. Network Reconnaissance: With the firewall disabled, the attacker performs network reconnaissance to identify valuable assets and potential lateral movement paths.
  6. Lateral Movement: The attacker moves laterally to other systems on the network, exploiting trust relationships or vulnerabilities.
  7. Command and Control: The attacker establishes command and control channels to communicate with compromised systems and exfiltrate sensitive data.
  8. Data Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or continues to exploit the environment based on their objectives.

Impact

Successful disabling of the Windows Firewall can lead to unrestricted lateral movement within a network, allowing attackers to compromise additional systems and exfiltrate sensitive data. This can result in data breaches, financial losses, and reputational damage. While the source does not specify the number of affected organizations, any environment relying on Windows Firewall for network segmentation is at risk.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect the use of Set-NetFirewallProfile with the -Enabled False parameter (see Sigma rule below).
  • Enable process creation logging on Windows endpoints to capture PowerShell executions (reference the logsource in the Sigma rule).
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the firewall modification activity.
  • Review and enforce the principle of least privilege to limit the number of users with permissions to modify firewall settings.
  • Consider implementing additional network segmentation and monitoring controls to detect and prevent lateral movement even if the Windows Firewall is disabled.

Detection coverage (2 rules)

Windows Firewall Disabled via PowerShell

medium

Detects when the Windows Firewall is disabled using PowerShell cmdlets.

Format: sigma. Tactics: defense_evasion, execution. Techniques: T1059.001, T1562.004. Sources: process_creation, windows.

Windows Firewall Rule Modification via PowerShell

low

Detects modifications to firewall rules using PowerShell cmdlets.

Format: sigma. Tactics: defense_evasion, execution. Techniques: T1059.001, T1562.004. Sources: process_creation, windows.
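The vendor's Sigma rules are not on this page, so the following is an added example, not the platform's own query, of the process_creation matching logic both rules describe: a PowerShell host image plus a command line carrying Set-NetFirewallProfile with -Enabled False (or the $false literal, with or without a ':' separator). The sample events and the set of rule-modification cmdlets (Set/Disable/Remove/New-NetFirewallRule) are assumptions made for the demo.

```python
import re

# Constructed Sysmon-style process-creation events for the demo; none of these
# come from the advisory. Image and CommandLine are the fields the sigma
# process_creation logsource maps to.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden Set-NetFirewallProfile "
                    "-Profile Domain,Public,Private -Enabled False"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": 'pwsh -c "Set-NetFirewallProfile -All -Enabled:$false"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Set-NetFirewallProfile -Profile Public -Enabled True"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Disable-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)'"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo Set-NetFirewallProfile -Enabled False"},
]

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")

# Rule 1 (medium): Set-NetFirewallProfile with the profile turned off. The
# -Enabled parameter accepts the bare word False as well as the PowerShell
# literal $false, and ':' may separate the name from the value, so match all.
PROFILE_DISABLED = re.compile(
    r"set-netfirewallprofile\b.*?-enabled[\s:]+\$?false\b", re.IGNORECASE)

# Rule 2 (low): cmdlets that change individual rules. The advisory does not
# list which cmdlets its rule covers; this set is an assumption.
RULE_MODIFIED = re.compile(
    r"\b(set|disable|remove|new)-netfirewallrule\b", re.IGNORECASE)


def classify(event):
    """Return the matching rule title, or None if the event is not a hit."""
    image = event.get("Image", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):  # only PowerShell host processes
        return None
    cmd = event.get("CommandLine", "")
    if PROFILE_DISABLED.search(cmd):
        return "Windows Firewall Disabled via PowerShell"
    if RULE_MODIFIED.search(cmd):
        return "Windows Firewall Rule Modification via PowerShell"
    return None


def scan(events):
    """Pair each hit with its command line so an analyst can triage it."""
    return [(title, e["CommandLine"]) for e in events if (title := classify(e))]


if __name__ == "__main__":
    for title, cmd in scan(SAMPLE_EVENTS):
        print(f"{title}: {cmd}")
```

Matching only these cmdlets leaves the same outcome reached through Group Policy or other tooling uncovered, and re-enabling a profile (-Enabled True) deliberately does not fire; those cases need their own rules or correlation.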
