We carefully study the techniques most frequently used by attackers, and promptly refine or add detection logic to our SIEM system to identify these techniques. Specifically, in the update to the Kaspersky Unified Monitoring and Analysis Platform released in the second quarter of 2024, we supplemented and expanded the logic for detecting the technique of disabling/modifying a local firewall (Impair Defenses: Disable or Modify System Firewall, T1562.004 in the MITRE classification), which ranks among the top tactics, techniques, and procedures (TTPs) used by attackers.
How attackers disable or modify a local firewall
The T1562.004 technique allows attackers to bypass defenses and gain the ability to connect to C2 servers over the network, or to give an atypical application basic network access.
There are two common methods for modifying or disabling the host firewall: (i) using the netsh utility, or (ii) modifying the Windows registry settings. Here are examples of typical command lines used by attackers for these purposes:
- netsh firewall add allowedprogram
- netsh firewall set opmode mode=disable
- netsh advfirewall set currentprofile state off
- netsh advfirewall set allprofiles state off
Example of a registry value name and value added by attackers, allowing incoming UDP traffic for the application C:\Users\<user>\AppData\Local\Temp\server.exe:
Registry_value_name: {20E9A179-7502-465F-99C4-CC85D61E7B23}
Registry_value: 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\<user>\AppData\Local\Temp\server.exe|Name=server.exe|'
Another method attackers use to disable the firewall is to stop the mpssvc service. This is typically done with the net utility:
net stop mpssvc
How our SIEM solution detects T1562.004
This is achieved using the new R240 rule; specifically, by detecting and correlating the following events:
- Attacker stopping the local firewall service to bypass its restrictions
- Attacker disabling or modifying the local firewall policy to bypass it (configuring or disabling the firewall via netsh.exe)
- Attacker changing local firewall rules through the registry to bypass its restrictions (modifying rules through the Windows registry)
- Attacker disabling the local firewall through the registry
- Attacker manipulating the local firewall by modifying its policies
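As an added illustration of the detection logic described above (this is example code written for this page, not KUMA's rule R240, whose conditions are not published here), the following Python sketch runs the indicator families from the text over constructed Windows events: the netsh commands, net stop mpssvc, an inbound Allow rule written to FirewallRules, and a zeroed EnableFirewall value. The Event/Alert field names, the sample events, and the profile variants and sc.exe equivalent of the service stop are assumptions added for the example; the FirewallPolicy registry location is the standard one but is not named in the text.

```python
"""Example T1562.004 detection over constructed process-creation and
registry-set events. Hypothetical code; not KUMA's R240 rule."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (Sysmon 1 / Security 4688 style) or "registry" (Sysmon 13 style)
    host: str
    user: str
    cmdline: str = ""    # process events
    reg_path: str = ""   # registry events
    reg_value: str = ""


@dataclass
class Alert:
    host: str
    user: str
    reason: str          # which sub-detection fired
    detail: str


# Command-line indicators from the netsh/net examples in the text; the extra
# profile names and sc.exe are known equivalents added for the example.
NETSH_FIREWALL = [
    (re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\b.*\bmode\s*=\s*disable\b", re.I),
     "firewall disabled (legacy netsh firewall context)"),
    (re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+"
                r"(currentprofile|allprofiles|domainprofile|privateprofile|publicprofile)"
                r"\s+state\s+off\b", re.I),
     "firewall profile disabled via netsh advfirewall"),
    (re.compile(r"\bnetsh(\.exe)?\s+firewall\s+add\s+allowedprogram\b", re.I),
     "program allowed through firewall via netsh"),
]
SERVICE_STOP = re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+mpssvc\b", re.I)

# Both values live under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
FIREWALL_RULES_KEY = re.compile(r"\\FirewallPolicy\\FirewallRules\\", re.I)
ENABLE_FIREWALL_VALUE = re.compile(r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", re.I)
# Locations where an allowed binary deserves extra scrutiny (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Temp|ProgramData|Users\\Public)\\", re.I)


def parse_firewall_rule(value: str) -> dict:
    """Parse the pipe-delimited FirewallRules value format: v2.xx|Key=Val|...|"""
    fields = {}
    for part in value.strip("'\"").split("|"):
        if not part:
            continue
        key, sep, val = part.partition("=")
        fields[key if sep else "Version"] = val if sep else key
    return fields


def dword_value(text: str):
    """Accept '0', 'DWORD (0x00000000)' or similar renderings; None if unparseable."""
    m = re.search(r"0x([0-9a-fA-F]+)", text)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"\s*(\d+)\s*", text)
    return int(m.group(1)) if m else None


def detect(events) -> list:
    alerts = []
    for ev in events:
        if ev.kind == "process":
            if SERVICE_STOP.search(ev.cmdline):
                alerts.append(Alert(ev.host, ev.user, "service-stop", ev.cmdline))
            for pattern, why in NETSH_FIREWALL:
                if pattern.search(ev.cmdline):
                    alerts.append(Alert(ev.host, ev.user, "netsh: " + why, ev.cmdline))
        elif ev.kind == "registry":
            if FIREWALL_RULES_KEY.search(ev.reg_path):
                rule = parse_firewall_rule(ev.reg_value)
                if (rule.get("Action", "").lower() == "allow"
                        and rule.get("Active", "").upper() == "TRUE"
                        and rule.get("Dir", "").lower() == "in"):
                    app = rule.get("App", "")
                    why = "registry-rule: inbound allow"
                    if USER_WRITABLE.search(app):
                        why += " for binary in user-writable path"
                    alerts.append(Alert(ev.host, ev.user, why, app or rule.get("Name", "")))
            elif ENABLE_FIREWALL_VALUE.search(ev.reg_path) and dword_value(ev.reg_value) == 0:
                alerts.append(Alert(ev.host, ev.user, "registry-disable", ev.reg_path))
    return alerts


def correlate(alerts) -> dict:
    """Group alerts per host, the way a correlation rule would before raising one incident."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert.host].append(alert)
    return dict(by_host)


# Constructed sample events (hosts, users and paths are made up).
FW_POLICY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
SAMPLE_EVENTS = [
    Event("process", "WS-01", "corp\\jdoe", cmdline="netsh advfirewall set allprofiles state off"),
    Event("process", "WS-01", "corp\\jdoe", cmdline="net stop mpssvc"),
    Event("registry", "WS-01", "corp\\jdoe",
          reg_path=FW_POLICY + r"\FirewallRules\{20E9A179-7502-465F-99C4-CC85D61E7B23}",
          reg_value=r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public"
                    r"|App=C:\Users\jdoe\AppData\Local\Temp\server.exe|Name=server.exe|"),
    Event("registry", "WS-02", "SYSTEM",
          reg_path=FW_POLICY + r"\StandardProfile\EnableFirewall", reg_value="DWORD (0x00000000)"),
    Event("process", "WS-03", "corp\\admin", cmdline="netsh advfirewall show allprofiles"),  # benign
]

if __name__ == "__main__":
    for host, host_alerts in correlate(detect(SAMPLE_EVENTS)).items():
        print(host, [a.reason for a in host_alerts])
```

Run stand-alone, the script reports three alerts for WS-01 and one for WS-02, and nothing for the read-only netsh invocation on WS-03; the per-host grouping is where a production rule would add a time window and a threshold before raising a single incident.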
With its latest update, the platform now offers more than 605 rules, including 474 containing direct detection logic. We've also refined 20 existing rules by fixing or adjusting their conditions.
Why we focus on the MITRE classification
MITRE ATT&CK for Enterprise serves as the de facto industry standard guideline for classifying and describing cyberattacks and intrusions, and is made up of 201 techniques, 424 sub-techniques, and thousands of procedures. Therefore, when deciding how to further develop our SIEM platform, the Kaspersky Unified Monitoring and Analysis Platform, we rely, among other things, on the MITRE classification.
As per our plan set out in a previous post, we've started labeling existing rules according to MITRE attack techniques and tactics, aiming to extend the system's functionality and reflect the level of protection against known threats. This is important because it allows us to structure the detection logic and ensure that the rules are comprehensive, with no "blind spots". We also rely on MITRE when developing OOTB (out-of-the-box) content for our SIEM platform. Currently, our solution covers 309 MITRE ATT&CK techniques and sub-techniques.
Other additions and improvements to the SIEM system
In addition to the detection logic for T1562.004 mentioned above, we've added normalizers to the Kaspersky Unified Monitoring and Analysis Platform SIEM system to support the following event sources:
- [OOTB] Microsoft Products, [OOTB] Microsoft Products for Kaspersky Unified Monitoring and Analysis Platform 3, [OOTB] Microsoft Products via KES WIN: normalizers to process some events from the Security and System logs of the Microsoft Windows Server operating system. The [OOTB] Microsoft Products via KES WIN normalizer supports a limited number of audit event types transmitted to KUMA by KES WIN 12.6 via syslog.
- [OOTB] Extreme Networks Summit Wireless Controller: a normalizer for certain audit events from the Extreme Networks Summit wireless controller (model: WM3700, firmware version: 5.5.5.0-018R).
- [OOTB] Kaspersky Security for MS Exchange SQL: a normalizer for Kaspersky Security for Exchange (KSE) version 9.0 system events stored in the database.
- [OOTB] TIONIX VDI file: a normalizer supporting the processing of some TIONIX VDI (version 2.8) system events stored in the tionix_lntmov.log file.
- [OOTB] SolarWinds Dameware MRC xml: a normalizer supporting the processing of some Dameware Mini Remote Control (MRC) version 7.5 system events stored in the Windows Application log. The normalizer processes events created by the "dwmrcs" provider.
- [OOTB] H3C Routers syslog: a normalizer for certain types of events coming from H3C (Huawei-3Com) SR6600 network devices (Comware 7 firmware) via syslog. The normalizer supports the "standard" event format (RFC 3164-compliant format).
- [OOTB] Cisco WLC syslog: a normalizer for certain types of events coming from Cisco WLC network devices (2500 Series Wireless Controllers, 5500 Series Wireless Controllers, 8500 Series Wireless Controllers, Flex 7500 Series Wireless Controllers) via syslog.
- [OOTB] Huawei iManager 2000 file: a normalizer supporting the processing of some of the Huawei iManager 2000 system events stored in the client\logs\rpc and client\logs\deploy\ossDeployment files.
Our experts have also refined the following normalizers:
- For Microsoft products: the redesigned Windows normalizer is now publicly available.
- For the PT NAD system: a new normalizer has been developed for PT NAD versions 11.1 and 11.0.
- For UNIX-like operating systems: more event types are now supported.
- For Check Point: improvements to the normalizer supporting Check Point R81.
- For the Citrix NetScaler system: more events from Citrix ADC 5550 (NS13.0) are now supported.
- For FreeIPA: the redesigned normalizer is now publicly available.
In total, we now support around 250 sources, and we keep expanding this list while improving the quality of each connector. The full list of supported event sources in the Kaspersky Unified Monitoring and Analysis Platform, version 3.2, can be found in the technical support section. Information on out-of-the-box correlation rules is also available there.