{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/fortiedr/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","FortiEDR"],"_cs_severities":["high"],"_cs_tags":["ransomware","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk","Fortinet"],"content_html":"\u003cp\u003eThis alert detects suspicious use of the \u003ccode\u003enetsh\u003c/code\u003e command to enable network discovery through the Windows Firewall. Ransomware actors like REvil and RedDot use this technique to discover and compromise additional machines on the network, leading to widespread file encryption. The detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving the \u003ccode\u003enetsh\u003c/code\u003e command. Attackers modify the firewall to allow network discovery, which aids in lateral movement and identifying valuable targets within the compromised network. This activity is a strong indicator of reconnaissance and preparation for ransomware deployment. The detection specifically looks for \u003ccode\u003enetsh\u003c/code\u003e commands that enable the \u0026ldquo;Network Discovery\u0026rdquo; group with a \u0026ldquo;Yes\u0026rdquo; value, highlighting a deliberate attempt to bypass default firewall restrictions for network scanning.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an existing vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command shell (e.g., cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003enetsh\u003c/code\u003e command to modify firewall settings.\u003c/li\u003e\n\u003cli\u003eSpecifically, the attacker enables network discovery by setting the \u0026ldquo;Network Discovery\u0026rdquo; group to \u0026ldquo;Yes\u0026rdquo; in the firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe modified firewall settings allow the attacker to perform network scans.\u003c/li\u003e\n\u003cli\u003eThe attacker uses network scanning tools (e.g., ping, nbtscan, or custom scripts) to identify vulnerable machines on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to these identified machines using exploits or stolen credentials.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker deploys ransomware across multiple hosts, encrypting files and demanding ransom.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack can lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack. This can result in data loss, business disruption, and significant financial costs associated with recovery and ransom payments. Victims may experience downtime, reputational damage, and potential legal repercussions due to data breaches. The impact can extend beyond the initially compromised machine, affecting critical infrastructure and sensitive data stored on other network systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the command-line details required for detection (Sysmon EventID 1).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Firewall Modification for Network Discovery\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on the parent processes and user accounts involved.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Event Log Security events with event ID 4688 for process creation events, which can provide additional context for this activity.\u003c/li\u003e\n\u003cli\u003eReview and harden firewall configurations to prevent unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-allow-network-discovery-firewall/","summary":"Detection of 'netsh' command execution to enable network discovery in the firewall, a technique commonly used by ransomware such as REvil and RedDot to discover and compromise additional machines on the network.","title":"Suspicious Firewall Modification to Allow Network Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-03-allow-network-discovery-firewall/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","FortiEDR"],"_cs_severities":["high"],"_cs_tags":["ransomware","lateral-movement","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk","Fortinet"],"content_html":"\u003cp\u003eThis detection focuses on identifying suspicious modifications to Windows Firewall rules that enable file and printer sharing. Ransomware actors often leverage this technique to propagate across a network, discover valuable data, and encrypt files on multiple systems. By enabling file and printer sharing via \u003ccode\u003enetsh\u003c/code\u003e commands, attackers can bypass default security configurations and gain unauthorized access to network resources. This activity, if successfully executed, significantly increases the blast radius of a ransomware attack, potentially impacting critical business operations and causing significant financial losses. The detection specifically looks for command-line executions that modify firewall settings to allow file and printer sharing, providing an early warning of potential ransomware activity. The references include details about FortiEDR detecting REvil ransomware and an ANY.RUN task related to malicious firewall modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a host within the network through various means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a \u003ccode\u003enetsh\u003c/code\u003e command to modify the Windows Firewall settings.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh\u003c/code\u003e command specifically targets the \u0026ldquo;File and Printer Sharing\u0026rdquo; group.\u003c/li\u003e\n\u003cli\u003eThe command enables file and printer sharing, allowing inbound connections on related ports.\u003c/li\u003e\n\u003cli\u003eThe attacker uses file and printer sharing protocols (e.g., SMB) to enumerate network shares.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies accessible file shares on other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems using compromised credentials or exploits.\u003c/li\u003e\n\u003cli\u003eUpon successful lateral movement, the attacker deploys ransomware payloads to encrypt data across the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and execution of this technique can lead to widespread file encryption across the network. This can result in significant business disruption, data loss, and financial damage. The scope of impact depends on the size and complexity of the network, but can easily affect hundreds or thousands of systems. Victims may experience data breaches, compliance violations, and reputational damage. Ransomware incidents can cost organizations millions of dollars in recovery efforts, legal fees, and lost revenue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eFirewall Modification for File and Printer Sharing\u003c/code\u003e to your SIEM and tune for your environment to detect the described behavior.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, specifically Sysmon Event ID 1 and Windows Event Log Security 4688, to capture the necessary command-line details.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process name, command-line arguments, user context, and destination host.\u003c/li\u003e\n\u003cli\u003eReview and audit existing firewall rules to identify any unnecessary or overly permissive file and printer sharing configurations.\u003c/li\u003e\n\u003cli\u003eConsider implementing network segmentation to limit the potential impact of lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor for \u003ccode\u003enetsh\u003c/code\u003e executions that modify firewall rules (Sysmon Event ID 1).\u003c/li\u003e\n\u003cli\u003eUse the provided references to research additional information regarding detection and mitigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-file-sharing-firewall/","summary":"This analytic detects the modification of Windows Firewall settings to enable file and printer sharing, a common technique used by ransomware to facilitate lateral movement and broader network encryption.","title":"Firewall Modification for File and Printer Sharing","url":"https://feed.craftedsignal.io/briefs/2024-01-file-sharing-firewall/"}],"language":"en","title":"CraftedSignal Threat Feed — FortiEDR","version":"https://jsonfeed.org/version/1.1"}