https://feed.craftedsignal.io/products/fortiedr/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-03-allow-network-discovery-firewall/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-allow-network-discovery-firewall/Detection of 'netsh' command execution to enable network discovery in the firewall, a technique commonly used by ransomware such as REvil and RedDot to discover and compromise additional machines on the network.This alert detects suspicious use of the netsh command to enable network discovery through the Windows Firewall. Ransomware actors like REvil and RedDot use this technique to discover and compromise additional machines on the network, leading to widespread file encryption. The detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving the netsh command. Attackers modify the firewall to allow network discovery, which aids in lateral movement and identifying valuable targets within the compromised network. This activity is a strong indicator of reconnaissance and preparation for ransomware deployment. The detection specifically looks for netsh commands that enable the “Network Discovery” group with a “Yes” value, highlighting a deliberate attempt to bypass default firewall restrictions for network scanning.

Attack Chain

1. Initial access is gained through an existing vulnerability or compromised credentials.
2. The attacker executes a command shell (e.g., cmd.exe, powershell.exe).
3. The attacker uses the netsh command to modify firewall settings.
4. Specifically, the attacker enables network discovery by setting the “Network Discovery” group to “Yes” in the firewall configuration.
5. The modified firewall settings allow the attacker to perform network scans.
6. The attacker uses network scanning tools (e.g., ping, nbtscan, or custom scripts) to identify vulnerable machines on the network.
7. The attacker moves laterally to these identified machines using exploits or stolen credentials.
8. Finally, the attacker deploys ransomware across multiple hosts, encrypting files and demanding ransom.

Impact

Successful execution of this attack can lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack. This can result in data loss, business disruption, and significant financial costs associated with recovery and ransom payments. Victims may experience downtime, reputational damage, and potential legal repercussions due to data breaches. The impact can extend beyond the initially compromised machine, affecting critical infrastructure and sensitive data stored on other network systems.

Recommendation

• Enable Sysmon process creation logging to capture the command-line details required for detection (Sysmon EventID 1).
• Deploy the Sigma rule Detect Firewall Modification for Network Discovery to your SIEM and tune for your environment.
• Investigate any alerts generated by the rule, focusing on the parent processes and user accounts involved.
• Monitor Windows Event Log Security events with event ID 4688 for process creation events, which can provide additional context for this activity.
• Review and harden firewall configurations to prevent unauthorized modifications.

]]>highadvisoryransomwarelateral-movementwindowshttps://feed.craftedsignal.io/briefs/2024-01-file-sharing-firewall/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-file-sharing-firewall/This analytic detects the modification of Windows Firewall settings to enable file and printer sharing, a common technique used by ransomware to facilitate lateral movement and broader network encryption.This detection focuses on identifying suspicious modifications to Windows Firewall rules that enable file and printer sharing. Ransomware actors often leverage this technique to propagate across a network, discover valuable data, and encrypt files on multiple systems. By enabling file and printer sharing via netsh commands, attackers can bypass default security configurations and gain unauthorized access to network resources. This activity, if successfully executed, significantly increases the blast radius of a ransomware attack, potentially impacting critical business operations and causing significant financial losses. The detection specifically looks for command-line executions that modify firewall settings to allow file and printer sharing, providing an early warning of potential ransomware activity. The references include details about FortiEDR detecting Revil ransomware and an ANY.RUN task related to malicious firewall modifications.

Attack Chain

1. An attacker gains initial access to a host within the network through various means (e.g., phishing, exploit).
2. The attacker executes a netsh command to modify the Windows Firewall settings.
3. The netsh command specifically targets the “File and Printer Sharing” group.
4. The command enables file and printer sharing, allowing inbound connections on related ports.
5. The attacker uses file and printer sharing protocols (e.g., SMB) to enumerate network shares.
6. The attacker identifies accessible file shares on other systems within the network.
7. The attacker attempts to move laterally to other systems using compromised credentials or exploits.
8. Upon successful lateral movement, the attacker deploys ransomware payloads to encrypt data across the network.

Impact

Successful exploitation and execution of this technique can lead to widespread file encryption across the network. This can result in significant business disruption, data loss, and financial damage. The scope of impact depends on the size and complexity of the network, but can easily affect hundreds or thousands of systems. Victims may experience data breaches, compliance violations, and reputational damage. Ransomware incidents can cost organizations millions of dollars in recovery efforts, legal fees, and lost revenue.

Recommendation

• Deploy the Sigma rule Firewall Modification for File and Printer Sharing to your SIEM and tune for your environment to detect the described behavior.
• Enable process creation logging, specifically Sysmon Event ID 1 and Windows Event Log Security 4688, to capture the necessary command-line details.
• Investigate any alerts generated by the Sigma rule, focusing on the process name, command-line arguments, user context, and destination host.
• Review and audit existing firewall rules to identify any unnecessary or overly permissive file and printer sharing configurations.
• Consider implementing network segmentation to limit the potential impact of lateral movement.
• Monitor for netsh executions that modify firewall rules (Sysmon Event ID 1)
• Use the provided references to research additional information regarding detection and mitigation.

]]>highadvisoryransomwarelateral-movementwindows