admin may disable firewall during testing or fixing network problem.

t1562
t1562.001
endpoint
splunk

Techniques

T1562
T1562.001

Sample rules

Disabling Firewall with Netsh

source: splunk
technicques:
- T1562.001
- T1562

Description

This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process= "*firewall*" (Processes.process= "*off*" OR  Processes.process= "*disable*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `disabling_firewall_with_netsh_filter`