Techniques
Sample rules
Windows Delete or Modify System Firewall
- source: splunk
- technicques:
- T1562
- T1562.004
Description
This analytic identifies potentially malicious ’netsh’ processes that manipulate firewall configurations. This behavior has been observed in the NJRAT malware, which deletes its added firewall rules as part of its cleanup process. Leveraging this anomaly detection can be a valuable approach for detecting malware, such as NJRAT, that makes alterations to firewall configurations as a component of its malicious activities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = "* firewall *" Processes.process = "* delete *" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_delete_or_modify_system_firewall_filter`