{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-firewall/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Firewall","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","windows","netsh","rdp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can leverage the native Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to modify Windows Firewall rules and enable inbound Remote Desktop Protocol (RDP) connections. This can be used as a defense evasion technique to bypass existing firewall restrictions, allowing them to establish remote access to a compromised host. Ransomware operators and other malicious actors frequently utilize RDP to access victim servers, often using privileged accounts, to further their objectives. This activity can be conducted post-compromise to facilitate lateral movement and the deployment of malicious payloads. The behavior was observed being detected by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host through initial access methods (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and escalates privileges as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to modify the Windows Firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh\u003c/code\u003e command creates or modifies an inbound rule to allow RDP traffic (TCP port 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RDP connection to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RDP session to perform reconnaissance, move laterally, or deploy malware.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to disable or modify security tools to further evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to unauthorized remote access to systems, enabling lateral movement, data theft, and ransomware deployment. If RDP is enabled on a large number of systems, the attacker can move laterally through the environment. The impact can range from data breaches to complete operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enetsh.exe\u003c/code\u003e executing with arguments related to enabling inbound RDP traffic using the \u0026ldquo;Remote Desktop Enabled in Windows Firewall by Netsh\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect instances of \u003ccode\u003enetsh.exe\u003c/code\u003e being used to modify firewall rules related to RDP.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eReview existing firewall rules and remove any unnecessary or overly permissive rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging for enhanced visibility into process execution events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-netsh-rdp-enable/","summary":"Adversaries may use the `netsh.exe` utility to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall, potentially allowing unauthorized remote access to compromised systems.","title":"Netsh Used to Enable Remote Desktop Protocol (RDP) in Windows Firewall","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Firewall","version":"https://jsonfeed.org/version/1.1"}