LoFP / Some legitimate administrative tasks or security configurations may create filtering platform policies. Verify actions with authorized IT personnel before alerting.

Techniques

Sample rules

Windows Filtering Platform Policy Added to Block EDR Process

Description

Detects the modification of a Windows Filtering Platform policy (a firewall rule written under the `FirewallPolicy\FirewallRules` registry key) whose data contains `Action=Block` and an `App=` path naming a known EDR process. Attackers use such rules to cut an EDR agent off from its management and telemetry channels, impairing the tool and hiding their activity on the machine.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Registry where

Registry.action="modified"
Registry.registry_path="*\\Parameters\\FirewallPolicy\\FirewallRules*"
Registry.registry_value_data="*Action=Block*"
Registry.registry_value_data="*App=*"
Registry.registry_value_data IN (
    "*AmSvc.exe*",
    "*cb.exe*",
    "*CETASvc.exe*",
    "*CNTAoSMgr.exe*",
    "*CrAmTray.exe*",
    "*CrsSvc.exe*",
    "*CybereasonAV.exe*",
    "*CylanceSvc.exe*",
    "*cyserver.exe*",
    "*CyveraService.exe*",
    "*CyvrFsFlt.exe*",
    "*EIConnector.exe*",
    "*ekrn.exe*",
    "*elastic-agent.exe*",
    "*elastic-endpoint.exe*",
    "*EndpointBasecamp.exe*",
    "*ExecutionPreventionSvc.exe*",
    "*filebeat.exe*",
    "*fortiedr.exe*",
    "*hurukai.exe*",
    "*LogProcessorService.exe*",
    "*MsMpEng.exe*",
    "*MsSense.exe*",
    "*Ntrtscan.exe*",
    "*PccNTMon.exe*",
    "*QualysAgent.exe*",
    "*RepMgr.exe*",
    "*RepUtils.exe*",
    "*RepUx.exe*",
    "*RepWAV.exe*",
    "*RepWSC.exe*",
    "*SenseCncProxy.exe*",
    "*SenseIR.exe*",
    "*SenseNdr.exe*",
    "*SenseSampleUploader.exe*",
    "*SentinelAgent.exe*",
    "*SentinelAgentWorker.exe*",
    "*SentinelBrowserNativeHost.exe*",
    "*SentinelHelperService.exe*",
    "*SentinelServiceHost.exe*",
    "*SentinelStaticEngine.exe*",
    "*SentinelStaticEngineScanner.exe*",
    "*sfc.exe*",
    "*TaniumClient.exe*",
    "*TaniumCX.exe*",
    "*TaniumDetectEngine.exe*",
    "*TMBMSRV.exe*",
    "*TmCCSF.exe*",
    "*TmListen.exe*",
    "*TmWSCSvc.exe*",
    "*Traps.exe*",
    "*winlogbeat.exe*",
    "*WSCommunicator.exe*",
    "*xagt.exe*"
      )
    by Registry.dest Registry.vendor_product Registry.user Registry.status
       Registry.registry_value_name Registry.registry_path Registry.registry_hive
       Registry.registry_value_data Registry.action Registry.process_path
       Registry.process_guid Registry.process_id Registry.registry_key_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_filtering_platform_policy_added_to_block_edr_process_filter`
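The same check, implemented in Python as an added illustration of what the Splunk search above matches on (this is not code from the LoFP page or from the Splunk rule). Windows stores each firewall rule as a pipe-delimited registry value (`v2.31|Action=Block|Active=TRUE|Dir=Out|App=...|Name=...|`); the parser below splits that format, and the triage function flags only rules that block an App whose basename is a known EDR binary, matching case-insensitively since the SPL wildcards otherwise depend on how the vendor cases the path. The EDR list is a subset of the rule's list and the events are constructed samples.

```python
# Subset of the process names the Splunk rule above searches for (constructed here)
EDR_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "sentinelagent.exe", "elastic-endpoint.exe",
    "cylancesvc.exe", "xagt.exe", "taniumclient.exe", "cb.exe",
}


def parse_firewall_rule(value_data):
    """Split a FirewallRules value ('v2.31|Action=Block|...|App=...|') into a dict.
    The first token is the rule format version; the rest are Key=Value pairs."""
    tokens = value_data.strip("|").split("|")
    fields = {"_version": tokens[0]}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def blocks_edr_process(value_data):
    """True when the rule is a Block rule whose App= basename is a known EDR binary."""
    rule = parse_firewall_rule(value_data)
    if rule.get("Action", "").lower() != "block":
        return False
    app = rule.get("App", "")
    if not app:
        return False          # port/protocol-only block rules carry no App= and are out of scope
    basename = app.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return basename in EDR_PROCESSES


def triage(events):
    """events: iterable of (registry_value_name, registry_value_data); returns names of suspicious rules."""
    return [name for name, data in events if blocks_edr_process(data)]


# Constructed sample registry events, not real telemetry
SAMPLE_EVENTS = [
    ("rule-edr-block", "v2.31|Action=Block|Active=TRUE|Dir=Out|App=C:\\Program Files\\Windows Defender\\MsMpEng.exe|Name=Block Defender|"),
    ("rule-edr-allow", "v2.31|Action=Allow|Active=TRUE|Dir=In|App=C:\\Program Files\\Windows Defender\\MsMpEng.exe|Name=Allow Defender|"),
    ("rule-game-block", "v2.31|Action=Block|Active=TRUE|Dir=Out|App=C:\\Users\\alice\\Downloads\\game.exe|Name=Block game|"),
    ("rule-ssdp-block", "v2.31|Action=Block|Active=TRUE|Dir=In|Protocol=17|LPort=1900|Name=Block SSDP|"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Benign Block rules for non-EDR applications and port-only rules pass through untouched, which is the distinction an analyst needs when applying the LoFP note at the top of this page.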