{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/firewall/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OPNsense"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","firewall"],"_cs_type":"advisory","_cs_vendors":["OPNsense"],"content_html":"\u003cp\u003eMultiple unspecified vulnerabilities in OPNsense allow a remote, anonymous attacker to bypass security restrictions and achieve arbitrary code execution. The vulnerabilities stem from inadequate input validation and insufficient privilege checks within the OPNsense firewall software. While the specific vulnerable components are not detailed in the advisory, successful exploitation would grant an attacker complete control over the affected OPNsense instance. This can lead to a complete breach of the network perimeter, allowing the attacker to pivot to internal systems, intercept network traffic, or disrupt network services. Given the critical role of OPNsense as a network gateway, organizations using this software should prioritize detection and mitigation efforts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OPNsense instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting a specific, undisclosed vulnerable endpoint. 
This request exploits a flaw in input validation or authentication.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OPNsense component processes the malicious request without proper sanitization or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe injected payload bypasses security restrictions, potentially exploiting a command injection or similar vulnerability.\u003c/li\u003e\n\u003cli\u003eThe injected payload executes arbitrary code on the OPNsense system, gaining initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial foothold to escalate privileges within the OPNsense system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, ensuring continued access even after system reboots or security updates.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems within the network, using the compromised OPNsense instance as a launchpad for further attacks, or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows a remote attacker to execute arbitrary code on the OPNsense firewall. This gives the attacker full control of the firewall, allowing them to intercept network traffic, modify firewall rules, and potentially pivot to internal networks. The impact is a complete compromise of the network perimeter, potentially affecting all systems and data behind the firewall. 
The number of affected organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor OPNsense webserver logs for suspicious POST requests to unusual or sensitive endpoints, using a webserver category Sigma rule (see example below).\u003c/li\u003e\n\u003cli\u003eRestrict access to the OPNsense web GUI and SSH to a dedicated management network or VPN rather than exposing them on the WAN interface; until a fix is available, this limits who can reach the affected endpoints at all.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (NIDS) rules to detect exploitation attempts against OPNsense services.\u003c/li\u003e\n\u003cli\u003eWhile specific CVEs are unavailable, stay informed about OPNsense security updates and apply them immediately upon release.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T11:09:07Z","date_published":"2026-05-04T11:09:07Z","id":"/briefs/2026-05-opnsense-rce/","summary":"A remote, anonymous attacker can exploit multiple vulnerabilities in OPNsense to bypass security measures and execute arbitrary code, potentially leading to complete system compromise.","title":"OPNsense Multiple Vulnerabilities Leading to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-opnsense-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-0204"},{"cvss":6.8,"id":"CVE-2026-0205"},{"cvss":4.9,"id":"CVE-2026-0206"}],"_cs_exploited":false,"_cs_products":["SOHOW","TZ 300","TZ 300W","TZ 400","TZ 400W","TZ 500","TZ 500W","TZ 600","NSA 2650","NSA 3600","NSA 3650","NSA 4600","NSA 4650","NSA 5600","NSA 5650","NSA 6600","NSA 6650","SM 9200","SM 9250","SM 9400","SM 9450","SM 9600","SM 9650","TZ 300P","TZ 600P","SOHO 250","SOHO 250W","TZ 350","TZ 350W","TZ270","TZ270W","TZ370","TZ370W","TZ470","TZ470W","TZ570","TZ570W","TZ570P","TZ670","NSa 2700","NSa 3700","NSa 4700","NSa 5700","NSa 6700","NSsp 10700","NSsp 11700","NSsp 13700","NSsp 15700","NSv 270","NSv 470","NSv 870","NSv870 on ESX","NSv870 on KVM","NSv870 on HYPER-V","NSv870 on AWS","NSv870 on Azure","TZ80","TZ280","TZ380","TZ480","TZ580","TZ680","NSa 2800","NSa 3800","NSa 4800","NSa 
5800"],"_cs_severities":["medium"],"_cs_tags":["sonicwall","firewall","dos","security_bypass"],"_cs_type":"advisory","_cs_vendors":["SonicWall"],"content_html":"\u003cp\u003eOn April 30, 2026, CERT-FR published an advisory regarding multiple vulnerabilities affecting various SonicWall firewall products. These vulnerabilities, detailed in SonicWall security bulletin SNWLID-2026-0004, could allow an unauthenticated remote attacker to trigger a denial-of-service condition or bypass security policies. The affected products include a wide range of SonicWall firewalls across multiple generations (Gen 6, Gen 7, and Gen 8), as well as NSv virtual firewalls deployed in ESX, KVM, Hyper-V, AWS, and Azure environments. Successful exploitation of these vulnerabilities could lead to significant disruption of network services and a compromise of security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable SonicWall firewall exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted network packet to the firewall. 
This packet exploits one of the vulnerabilities (CVE-2026-0204, CVE-2026-0205, or CVE-2026-0206).\u003c/li\u003e\n\u003cli\u003eIf the attacker exploits a DoS vulnerability, the firewall\u0026rsquo;s CPU and memory resources are consumed, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eLegitimate network traffic is disrupted due to the firewall\u0026rsquo;s degraded performance or complete failure.\u003c/li\u003e\n\u003cli\u003eIf the attacker exploits a security policy bypass vulnerability, they can potentially gain unauthorized access to internal network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to move laterally within the network, exploiting additional vulnerabilities in other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to a complete denial of service, disrupting network connectivity for affected organizations. A security policy bypass could also allow unauthorized access to sensitive internal resources. 
The number of potential victims is significant, given the widespread use of SonicWall firewalls across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches outlined in SonicWall security bulletin SNWLID-2026-0004 to all affected SonicWall firewalls immediately.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity targeting SonicWall firewalls.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to your SIEM to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict network segmentation policies to limit the impact of a potential security policy bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-sonicwall-vulns/","summary":"Multiple vulnerabilities in SonicWall firewalls could allow an attacker to cause a remote denial of service and security policy bypass, potentially disrupting network services and compromising security controls.","title":"Multiple Vulnerabilities in SonicWall Products Allow for DoS and Security Policy Bypass","url":"https://feed.craftedsignal.io/briefs/2026-04-sonicwall-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ransomware","firewall","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Interlock ransomware campaign specifically targets enterprise firewalls. The campaign\u0026rsquo;s objective is to encrypt sensitive data residing on or accessible through these firewalls, rendering systems inoperable and creating significant business disruption. 
While specific details about the initial discovery and scope of the campaign remain limited, its focus on firewalls suggests a targeted approach aimed at organizations heavily reliant on these devices for network security and perimeter defense. The lack of specific details about delivery mechanisms and exploited vulnerabilities underscores the need for proactive threat hunting and vulnerability management to detect and mitigate potential Interlock ransomware infections.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the targeted network, potentially through exploiting vulnerabilities in the firewall\u0026rsquo;s management interface or VPN services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFirewall Compromise:\u003c/strong\u003e The attacker exploits the initial access to compromise the firewall device. This may involve exploiting known vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised firewall as a pivot point to move laterally within the internal network. Tools like \u003ccode\u003essh\u003c/code\u003e or \u003ccode\u003ePsExec\u003c/code\u003e may be used.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify valuable data stores accessible through the firewall. This may involve scanning network shares or querying databases.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges to gain administrative access to critical systems. 
This could involve exploiting vulnerabilities or using credential harvesting techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Encryption:\u003c/strong\u003e The attacker deploys the Interlock ransomware payload to encrypt sensitive data on systems accessible via the firewall.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansom Demand:\u003c/strong\u003e After encryption, the attacker delivers a ransom note demanding payment for decryption keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Possible):\u003c/strong\u003e Depending on the attacker\u0026rsquo;s goals, data exfiltration may occur prior to encryption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Interlock ransomware attack can lead to significant data loss, business disruption, and financial damage. Organizations can suffer reputational damage and legal repercussions due to data breaches. The targeted nature of the attack suggests a focus on organizations where firewall compromise would have a widespread impact, potentially affecting hundreds or thousands of users or customers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable enhanced logging on all enterprise firewalls to capture detailed activity, including login attempts, configuration changes, and network traffic. 
This enhances the effectiveness of the detection rules below.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all firewall administrative access to mitigate the risk of credential theft.\u003c/li\u003e\n\u003cli\u003eRegularly patch and update firewall firmware to address known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:33:30Z","date_published":"2026-03-19T05:33:30Z","id":"/briefs/2024-01-interlock-firewall-ransomware/","summary":"The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.","title":"Interlock Ransomware Campaign Targeting Enterprise Firewalls","url":"https://feed.craftedsignal.io/briefs/2024-01-interlock-firewall-ransomware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Firewall"],"_cs_severities":["medium"],"_cs_tags":["azure","firewall","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe modification or deletion of Azure Firewall rule collections (Application, NAT, and Network) can indicate malicious activity within an Azure environment. Threat actors may target these rules to bypass security controls, allowing unauthorized network traffic, enabling data exfiltration, or facilitating lateral movement. Monitoring these changes is crucial for maintaining the integrity of network security policies and detecting potential breaches. 
This activity directly impacts an organization\u0026rsquo;s ability to enforce its security posture, potentially exposing sensitive resources to unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Azure environment, potentially through compromised credentials or a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Azure Firewall resources to identify rule collections (Application, NAT, and Network) that can be modified or deleted.\u003c/li\u003e\n\u003cli\u003eThe attacker uses valid Azure credentials or exploits a misconfiguration to authenticate to the Azure Resource Manager API.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to modify the target rule collection, potentially altering allowed ports, IP addresses, or protocols.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a request to delete an entire rule collection, effectively disabling its associated security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the request to the Azure Resource Manager API, executing the change to the firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe modified or deleted rule collection now allows unauthorized traffic to bypass the firewall, potentially enabling lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the newly opened network paths to achieve their final objective, such as deploying ransomware or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or deletion of Azure Firewall rule collections can have significant consequences. Unauthorized traffic could bypass security controls, enabling data exfiltration, lateral movement, or the deployment of malware. 
This could lead to data breaches, service disruptions, and financial losses. The impact depends on the scope of the modified or deleted rule collection and the resources it protects.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Firewall Rule Collection Modified or Deleted\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized changes to firewall configurations.\u003c/li\u003e\n\u003cli\u003eReview Azure Activity Logs for any events matching the \u003ccode\u003eoperationName\u003c/code\u003e values specified in the Sigma rule to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts, especially those with permissions to manage firewall resources, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly audit Azure role-based access control (RBAC) assignments to ensure the principle of least privilege is followed and that only authorized users have permissions to modify firewall configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-azure-firewall-rule-collection-modification/","summary":"An attacker may modify or delete Azure Firewall rule collections (Application, NAT, and Network) to impair defenses and potentially enable malicious traffic.","title":"Azure Firewall Rule Collection Modification or Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-rule-collection-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","firewall","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies potentially malicious modifications or deletions of Azure firewalls. 
Azure firewalls are critical components for network security, controlling inbound and outbound traffic based on defined rules. An attacker who gains sufficient privileges within an Azure environment may attempt to disable or modify these firewalls to facilitate lateral movement, data exfiltration, or other malicious activities. This activity is particularly concerning as it represents a direct attempt to weaken the victim\u0026rsquo;s security posture. The activity is detected via Azure Activity Logs. While legitimate administrative actions can trigger this alert, any unexpected or unauthorized changes to firewall configurations should be investigated promptly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to an Azure environment, possibly through compromised credentials or exploiting a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003eAttacker escalates privileges within the Azure subscription to gain permissions to manage network resources, including firewalls.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the Azure firewalls in the target environment using Azure Resource Manager APIs or the Azure portal.\u003c/li\u003e\n\u003cli\u003eAttacker modifies firewall rules to allow unauthorized traffic, such as opening ports for command and control communication or disabling security rules. 
This is achieved via the \u003ccode\u003eMICROSOFT.NETWORK/AZUREFIREWALLS/WRITE\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker deletes the Azure firewall using the \u003ccode\u003eMICROSOFT.NETWORK/AZUREFIREWALLS/DELETE\u003c/code\u003e operation, effectively removing network protections.\u003c/li\u003e\n\u003cli\u003eAttacker validates that their changes have been successfully applied by testing network connectivity or by reviewing the firewall configuration.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious activities such as lateral movement, data exfiltration, or deploying additional resources without firewall restrictions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or deletion of Azure firewalls can have severe consequences. An attacker can bypass network security controls, leading to data breaches, unauthorized access to sensitive resources, and the potential for widespread disruption. 
This can result in financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized firewall modifications or deletions in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on unfamiliar user identities and user agents.\u003c/li\u003e\n\u003cli\u003eReview Azure RBAC roles and permissions to ensure the principle of least privilege is enforced, limiting the ability of users and service principals to modify or delete firewalls.\u003c/li\u003e\n\u003cli\u003eApply an Azure resource lock (\u003ccode\u003eCanNotDelete\u003c/code\u003e) to production firewall resources so that deletion first requires removing the lock, a separate privileged operation that is itself recorded in the Activity Log.\u003c/li\u003e\n\u003cli\u003eMonitor Azure Activity Logs for other suspicious activities, such as unusual resource deployments or changes to security settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:30:00Z","date_published":"2024-01-03T18:30:00Z","id":"/briefs/2024-01-azure-firewall-modified-or-deleted/","summary":"An Azure firewall was created, modified, or deleted, potentially indicating malicious activity aimed at impairing network defenses.","title":"Azure Firewall Modification or Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-modified-or-deleted/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","firewall"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e is a command-line scripting utility built into Windows for managing network configuration. Attackers use it to disable or modify rules in Windows Firewall, the host-based firewall built into Windows. 
This manipulation weakens the system\u0026rsquo;s defenses, allowing unauthorized network traffic and enabling lateral movement within the compromised environment. The activity allows for command and control communications and unhindered exploitation of internal resources. Defenders must monitor \u003ccode\u003enetsh.exe\u003c/code\u003e executions for unexpected firewall modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to a level sufficient to modify firewall settings.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker uses reconnaissance techniques to identify existing firewall rules.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker uses \u003ccode\u003enetsh.exe\u003c/code\u003e to disable specific firewall rules, using commands like \u003ccode\u003enetsh advfirewall firewall set rule name=\u0026quot;rule_name\u0026quot; new enable=no\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: Alternatively, the attacker disables the entire firewall using \u003ccode\u003enetsh advfirewall set allprofiles state off\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eLateral Movement: With the firewall weakened, the attacker moves laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes command and control channels, which may now be unimpeded by firewall rules.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objectives, such as data exfiltration, ransomware deployment, or further compromise of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of Windows Firewall rules can lead to significant 
security breaches. Attackers can move laterally within the network, compromise additional systems, and exfiltrate sensitive data. The impact can range from data loss and financial damage to reputational harm and legal consequences. The defense evasion enables attackers to establish persistent command and control channels, maintain a long-term presence within the compromised environment and conduct further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to monitor \u003ccode\u003enetsh.exe\u003c/code\u003e executions and related command-line arguments to support detections.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect attempts to disable Windows Firewall rules via \u003ccode\u003enetsh.exe\u003c/code\u003e. Tune the rules for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on identifying the user account, process execution chain, and the specific firewall rules being modified.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit the number of users with the privileges necessary to modify firewall settings.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit firewall configurations to ensure they are properly configured and have not been tampered with.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-disable-windows-firewall-rules/","summary":"Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.","title":"Windows Firewall Disabled via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-windows-firewall-rules/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk 
Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["discovery","windows","netsh","firewall"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where the \u003ccode\u003enetsh.exe\u003c/code\u003e utility is used to query firewall configurations on a Windows system. While \u003ccode\u003enetsh.exe\u003c/code\u003e is a legitimate tool for network configuration, adversaries can leverage it to gather information about firewall rules and settings. This information can then be used to plan further attacks, such as bypassing firewall restrictions or identifying vulnerable network services. This activity is typically seen during the reconnaissance phase of an attack. The scope of this detection covers any Windows environment where Endpoint Detection and Response (EDR) logs are available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific commands to enumerate firewall rules and configurations, for example the legacy \u003ccode\u003enetsh firewall show state\u003c/code\u003e and \u003ccode\u003enetsh firewall show config\u003c/code\u003e, or their current equivalents \u003ccode\u003enetsh advfirewall show allprofiles\u003c/code\u003e and \u003ccode\u003enetsh advfirewall firewall show rule name=all\u003c/code\u003e. The legacy \u003ccode\u003enetsh firewall\u003c/code\u003e context is deprecated but still present on current Windows versions, so a detection that only matches \u003ccode\u003efirewall show\u003c/code\u003e misses \u003ccode\u003eadvfirewall show allprofiles\u003c/code\u003e and should cover both forms.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh.exe\u003c/code\u003e process retrieves the requested firewall information from the Windows operating system.\u003c/li\u003e\n\u003cli\u003eThe collected firewall information is parsed to identify potential weaknesses or misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to modify existing firewall rules or create new rules to allow unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified firewall configuration to 
establish a covert communication channel or to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized network access, data exfiltration, or the deployment of ransomware. The enumeration of firewall configurations can provide attackers with valuable insights into the network\u0026rsquo;s security posture, enabling them to bypass security controls and compromise critical assets. This can result in significant financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Netsh Firewall Discovery\u003c/code\u003e to your SIEM and tune for your environment to detect netsh.exe executions with firewall discovery commands.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to capture the necessary command-line details.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003enetsh.exe\u003c/code\u003e being used to query firewall settings, especially when initiated from unusual processes or user accounts.\u003c/li\u003e\n\u003cli\u003eMonitor parent-child process relationships to identify suspicious process spawning, as highlighted by the \u003ccode\u003eProcesses.parent_process_name\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview firewall configurations regularly to identify and remediate any misconfigurations or overly permissive rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-netsh-firewall-discovery/","summary":"The analytic detects the execution of the Windows built-in tool netsh.exe to display the 
state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.","title":"Windows Netsh Tool Used for Firewall Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-firewall-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","firewall"],"_cs_type":"advisory","_cs_vendors":["Microsoft","CrowdStrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eAttackers can leverage the \u003ccode\u003enetsh.exe\u003c/code\u003e utility to modify Windows Firewall settings, specifically enabling Network Discovery. This setting allows a host to broadcast its presence and services, making it easier for attackers to identify potential targets within the network for lateral movement. The behavior is often a post-exploitation technique to weaken host-based defenses after gaining initial access. The modification uses netsh.exe, a command-line scripting utility for managing network configurations. This activity can be easily scripted and automated, making it a common step in reconnaissance and lateral movement playbooks. 
Defenders should monitor for unauthorized use of \u003ccode\u003enetsh.exe\u003c/code\u003e to modify firewall settings.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Windows host.\u003c/li\u003e\n\u003cli\u003eAttacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e is used to modify the Windows Firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe specific command executed enables Network Discovery using the \u003ccode\u003enetsh advfirewall firewall set rule group=\u0026quot;Network Discovery\u0026quot; new enable=Yes\u003c/code\u003e syntax.\u003c/li\u003e\n\u003cli\u003eEvery rule in the \u0026ldquo;Network Discovery\u0026rdquo; group is enabled in a single operation; the group contains both inbound and outbound rules for LLMNR, NetBIOS name service, SSDP/UPnP and WS-Discovery.\u003c/li\u003e\n\u003cli\u003eThe compromised host now answers discovery requests from neighbouring systems and can send its own, so it both becomes visible on the network and can enumerate other hosts using traffic that blends in with normal Windows behaviour.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the information gathered to identify other vulnerable systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems based on the discovery information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessfully enabling this rule group allows attackers to easily enumerate and identify other vulnerable systems within the network. This can lead to rapid lateral movement, further compromising the environment. The risk is heightened when the compromised host has access to sensitive data or critical systems. 
There is no specific victim count or sector targeted mentioned in the provided source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Enable Host Network Discovery via Netsh\u0026rdquo; to your SIEM to detect the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to enable network discovery (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable Windows Firewall logging and monitor for changes to firewall rules, specifically those related to Network Discovery.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to authorized personnel and systems only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-enable-network-discovery/","summary":"Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.","title":"Windows Host Network Discovery Enabled via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-enable-network-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","CrowdStrike","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","firewall","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often attempt to disable or modify system firewalls to evade network restrictions and facilitate lateral movement within a compromised environment. The Windows Firewall, a built-in component, provides host-based traffic filtering. Disabling it allows unrestricted communication, aiding command and control activities and hindering detection efforts. 
This activity is commonly achieved through PowerShell, leveraging cmdlets like \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e. The rule focuses on detecting the use of this specific cmdlet to disable the Windows Firewall, alerting defenders to potential defense evasion attempts. This technique is valuable to attackers across various attack vectors, especially after initial access has been established.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access through methods such as phishing or exploiting a vulnerability in a network-facing application.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if necessary): The attacker escalates privileges to gain the necessary permissions to modify firewall settings.\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker executes PowerShell, either through an interactive session or a script.\u003c/li\u003e\n\u003cli\u003eDisable Firewall Profile: The attacker uses the \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e cmdlet with parameters such as \u003ccode\u003e-Enabled False\u003c/code\u003e to disable the firewall for all, public, domain, or private profiles.\u003c/li\u003e\n\u003cli\u003eNetwork Reconnaissance: With the firewall disabled, the attacker performs network reconnaissance to identify valuable assets and potential lateral movement paths.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker moves laterally to other systems on the network, exploiting trust relationships or vulnerabilities.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes command and control channels to communicate with compromised systems and exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or continues to exploit the environment based on their 
objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of the Windows Firewall can lead to unrestricted lateral movement within a network, allowing attackers to compromise additional systems and exfiltrate sensitive data. This can result in data breaches, financial losses, and reputational damage. While the source does not specify the number of affected organizations, any environment relying on Windows Firewall for network segmentation is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the use of \u003ccode\u003eSet-NetFirewallProfile\u003c/code\u003e with the \u003ccode\u003e-Enabled False\u003c/code\u003e parameter (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging on Windows endpoints to capture PowerShell executions (reference the logsource in the Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the firewall modification activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege to limit the number of users with permissions to modify firewall settings.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional network segmentation and monitoring controls to detect and prevent lateral movement even if the Windows Firewall is disabled.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-firewall-disable/","summary":"Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.","title":"Windows Firewall Disabled via 
PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-firewall-disable/"}],"language":"en","title":"CraftedSignal Threat Feed — Firewall","version":"https://jsonfeed.org/version/1.1"}
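The two Windows briefs above describe the same detection idea from two angles: process-creation telemetry where `netsh.exe` enables the "Network Discovery" rule group, and where PowerShell runs `Set-NetFirewallProfile -Enabled False`. The following is an added example of that detection logic run over sample events; it is not CraftedSignal's Sigma rules nor any vendor's detection. The events are constructed to resemble Sysmon Event ID 1 records, and the field names (`Image`, `OriginalFileName`, `CommandLine`) are assumptions rather than a guaranteed schema. Beyond what the briefs cover, it also flags `netsh advfirewall set <profile> state off`, the netsh equivalent of disabling a profile, and it treats `$false`, `0` and the `-Enabled:False` form as assumed attacker variants rather than documented values.

```python
"""Detection logic for host-firewall tampering via netsh.exe and PowerShell.
Added example for the two briefs above, not CraftedSignal's Sigma rules or any
vendor's detection. Events are constructed, Sysmon Event ID 1 style; the field
names (Image, OriginalFileName, CommandLine) are assumptions."""
import re
import shlex
from typing import Dict, List, Optional

NETSH_PROFILES = {"allprofiles", "currentprofile", "domainprofile",
                  "privateprofile", "publicprofile"}

# Set-NetFirewallProfile ... -Enabled False inside one statement (no '|' or ';').
# 'False' is the documented value; '$false', '0' and '-Enabled:False' are assumed
# variants an attacker might try, flagged deliberately to stay conservative.
PS_DISABLE = re.compile(
    r"set-netfirewallprofile\b(?P<args>[^|;]*?)-enabled[\s:]+(?:false|\$false|0)\b",
    re.IGNORECASE)


def _tokens(cmdline: str) -> List[str]:
    """Lower-cased tokens of a Windows command line. Quotes are honoured so
    group="Network Discovery" stays one token; backslash escaping is disabled
    because Windows paths use backslashes literally."""
    lex = shlex.shlex(cmdline, posix=True)
    lex.whitespace_split = True
    lex.commenters = ""
    lex.escape = ""
    try:
        return [t.lower() for t in lex]
    except ValueError:  # unbalanced quote: degrade to a plain split
        return cmdline.lower().split()


def netsh_enables_network_discovery(cmdline: str) -> bool:
    """netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    Tokens before 'new' select rules; tokens after it are the new values."""
    t = _tokens(cmdline)
    if tuple(t[1:5]) != ("advfirewall", "firewall", "set", "rule") or "new" not in t:
        return False
    new_at = t.index("new")
    selectors, values = t[5:new_at], t[new_at + 1:]
    return "group=network discovery" in selectors and "enable=yes" in values


def netsh_sets_profile_state_off(cmdline: str) -> Optional[str]:
    """Beyond the briefs: netsh advfirewall set <profile> state off.
    Returns the profile keyword switched off, else None."""
    t = _tokens(cmdline)
    if (len(t) >= 6 and tuple(t[1:3]) == ("advfirewall", "set")
            and t[3] in NETSH_PROFILES and tuple(t[4:6]) == ("state", "off")):
        return t[3]
    return None


def powershell_disables_firewall(cmdline: str) -> Optional[str]:
    """Returns the profile selection of a Set-NetFirewallProfile -Enabled False
    call ('all', 'domain,public,private', ...), else None."""
    m = PS_DISABLE.search(cmdline)
    if not m:
        return None
    args = m.group("args")
    if re.search(r"-all\b", args, re.IGNORECASE):
        return "all"
    named = re.search(r"-(?:profile|name)[\s:]+([\w,]+)", args, re.IGNORECASE)
    if named:
        return named.group(1).lower()
    first = args.split()
    if first and not first[0].startswith("-"):
        return first[0].lower()  # positional: Set-NetFirewallProfile Domain -Enabled False
    return "all"  # no selector given: assumed to apply to every profile


def detect(event: Dict[str, str]) -> List[str]:
    """Rule titles that fire on one process-creation event. The binary is
    identified by OriginalFileName when present, so a renamed netsh.exe copy
    is still caught. The third title is hypothetical, not a page rule."""
    name = (event.get("OriginalFileName") or event.get("Image", "")).lower().rsplit("\\", 1)[-1]
    cl = event.get("CommandLine", "")
    hits = []
    if name == "netsh.exe":
        if netsh_enables_network_discovery(cl):
            hits.append("Enable Host Network Discovery via Netsh")
        prof = netsh_sets_profile_state_off(cl)
        if prof:
            hits.append(f"Firewall Profile Disabled via Netsh [{prof}]")
    elif name in ("powershell.exe", "pwsh.exe"):
        prof = powershell_disables_firewall(cl)
        if prof:
            hits.append(f"Windows Firewall Disabled via PowerShell [{prof}]")
    return hits


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """(event index, rule title) for every alert across a batch of events."""
    return [(i, hit) for i, ev in enumerate(events) for hit in detect(ev)]


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NETSH = r"C:\Windows\System32\netsh.exe"
SAMPLE_EVENTS = [
    {"Image": NETSH, "CommandLine": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"Image": NETSH, "CommandLine": 'NETSH ADVFIREWALL FIREWALL SET RULE GROUP="network discovery" NEW ENABLE=yes'},
    {"Image": NETSH, "CommandLine": 'netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes'},
    {"Image": PS, "CommandLine": 'powershell.exe -NoP -W Hidden -C "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"'},
    {"Image": PS, "CommandLine": "powershell Set-NetFirewallProfile -All -Enabled $false"},
    {"Image": PS, "CommandLine": "powershell Set-NetFirewallProfile -Profile Public -Enabled True"},
    {"Image": PS, "CommandLine": "powershell Get-NetFirewallProfile | Select Name,Enabled"},
    {"Image": NETSH, "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": "svc.exe advfirewall set currentprofile state off"},
]

if __name__ == "__main__":
    for idx, title in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Two caveats a practitioner should carry into production. First, netsh accepts unambiguous abbreviations of its keywords (the `netsh int ip` form is common), which a literal keyword match like the one above does not cover, and Network Discovery is legitimately enabled by some provisioning scripts and group policies, so tune on parent process and user before alerting. Second, process-creation logs only see changes made from a command line; changes made through the MMC snap-in or the API show up instead in the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log (Event ID 2004 for a rule added, 2005 for a rule modified) and as Security Event ID 4950 when a profile setting changes, which is the firewall logging the recommendations above refer to.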