Microsoft Sentinel Analytic Rules

Detect Windows Allow Firewall Rule Addition/Modification

Id: 056593d4-ca3b-47a7-be9d-d1d0884a1d36
Rulename: Detect Windows Allow Firewall Rule Addition/Modification
Description: This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1562
Required data connectors: CiscoSecureEndpoint
CrowdStrikeFalconEndpointProtection
MicrosoftThreatProtection
SentinelOne
TrendMicroApexOne
TrendMicroApexOneAma
VMwareCarbonBlack
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml
Version: 1.0.0
Arm template: 056593d4-ca3b-47a7-be9d-d1d0884a1d36.json
// Detect creation or modification of Windows Firewall registry values that allow traffic.
// Emits one row per matching ASim registry event, with host, account and registry key
// split into the columns the rule's entity mappings consume
// (HostName, DnsDomain, Username, NTDomain, UPNSuffix, RegHive, RegKey).
// List of Windows Firewall registry keys to monitor
// NOTE(review): only the Defaults\FirewallPolicy\FirewallRules key under SharedAccess is listed;
// the Parameters\FirewallPolicy\FirewallRules key under the same SharedAccess node, where per-host
// rules are persisted, is not — confirm this coverage gap is intended.
let firewallRegistryList = dynamic([
      'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Static\\System',
      'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Configurable\\System',
      'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\FirewallRules',
      'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall'
  ]);
// ASim-normalized registry events (schema-agnostic; the rule's tags pin the ASim schema version).
_ASim_RegistryEvent
// Keep only value writes and key creations; every other EventType is dropped here.
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated') 
// Key must contain one of the monitored paths, and the value data must carry both
// tokens (has_all is case-insensitive term matching), i.e. an enabled allow rule.
| where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')
| project
    TimeGenerated,
    DvcHostname,
    ActorUsername,
    ActorUsernameType,
    ActingProcessId,
    ActingProcessName,
    ActingProcessCommandLine,
    RegistryKey,
    RegistryValue,
    RegistryValueType,
    RegistryValueData
// Host entity: short name is the first dot-separated label of DvcHostname, DnsDomain the rest
// (DnsDomain is empty when DvcHostname has no dots).
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
// Account entity: for 'Windows' type names, split DOMAIN\user into NTDomain and Username.
// NOTE(review): for any other ActorUsernameType both fall back to the raw ActorUsername, so for
// 'UPN' type names NTDomain ends up holding the full user@domain string — confirm this is intended.
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
// For 'UPN' type names, override Username with the local part and capture the suffix after '@'.
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
// RegistryKey entity: hive is the first backslash-separated element, RegKey the remaining path.
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\')) 
# Microsoft Sentinel scheduled analytic rule (Malware Protection Essentials solution).
# Runs every hour over the preceding hour and fires when the query returns more than 0 rows
# (triggerOperator gt, triggerThreshold 0).
triggerOperator: gt
queryFrequency: 1h
description: |
    This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.
# Alert title/description are templated from query output columns
# (RegistryValueData, RegKey, Username, HostName).
alertDetailsOverride:
  alertDescriptionFormat: An allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} by {{Username}}.
  alertDisplayNameFormat: Allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} on {{HostName}}
status: Available
kind: Scheduled
triggerThreshold: 0
# NOTE(review): the query reads the ASim _ASim_RegistryEvent view rather than any of the
# dataTypes listed below, so each connector is presumably expected to feed the ASim registry
# parsers — verify that the listed dataTypes actually surface registry events.
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - SecurityAlert
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne_CL
- connectorId: VMwareCarbonBlack
  dataTypes:
  - CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
  dataTypes:
  - TMApexOneEvent
- connectorId: TrendMicroApexOneAma
  dataTypes:
  - TMApexOneEvent
version: 1.0.0
eventGroupingSettings:
  aggregationKind: singleAlert
queryPeriod: 1h
name: Detect Windows Allow Firewall Rule Addition/Modification
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml
id: 056593d4-ca3b-47a7-be9d-d1d0884a1d36
# The query is written against the ASim normalized registry schema pinned here,
# not a vendor-specific table.
tags:
- Schema: _ASim_RegistryEvent
  SchemaVersion: 0.1.2
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
severity: Medium
# Every columnName below is either projected directly from the ASim event or derived by the
# trailing extend stages of the query (HostName, DnsDomain, NTDomain, Username, UPNSuffix, RegHive, RegKey).
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: Username
  - identifier: UPNSuffix
    columnName: UPNSuffix
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Account
- fieldMappings:
  - identifier: ProcessId
    columnName: ActingProcessId
  - identifier: CommandLine
    columnName: ActingProcessCommandLine
  entityType: Process
- fieldMappings:
  - identifier: Hive
    columnName: RegHive
  - identifier: Key
    columnName: RegKey
  entityType: RegistryKey
- fieldMappings:
  - identifier: Name
    columnName: RegistryValue
  - identifier: Value
    columnName: RegistryValueData
  - identifier: ValueType
    columnName: RegistryValueType
  entityType: RegistryValue
# KQL detection logic; the block scalar below is passed verbatim to Sentinel.
query: |
  // List of Windows Firewall registry keys to monitor
  let firewallRegistryList = dynamic([
        'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Static\\System',
        'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Configurable\\System',
        'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\FirewallRules',
        'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall'
    ]);
  _ASim_RegistryEvent
  | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') 
  | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')
  | project
      TimeGenerated,
      DvcHostname,
      ActorUsername,
      ActorUsernameType,
      ActingProcessId,
      ActingProcessName,
      ActingProcessCommandLine,
      RegistryKey,
      RegistryValue,
      RegistryValueType,
      RegistryValueData
  | extend HostName = tostring(split(DvcHostname, '.')[0])
  | extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
  | extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
  | extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
  | extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
  | extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
  | extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))   
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/056593d4-ca3b-47a7-be9d-d1d0884a1d36')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/056593d4-ca3b-47a7-be9d-d1d0884a1d36')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} by {{Username}}.",
          "alertDisplayNameFormat": "Allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} on {{HostName}}"
        },
        "alertRuleTemplateName": "056593d4-ca3b-47a7-be9d-d1d0884a1d36",
        "customDetails": null,
        "description": "This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.\n",
        "displayName": "Detect Windows Allow Firewall Rule Addition/Modification",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ActingProcessId",
                "identifier": "ProcessId"
              },
              {
                "columnName": "ActingProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          },
          {
            "entityType": "RegistryKey",
            "fieldMappings": [
              {
                "columnName": "RegHive",
                "identifier": "Hive"
              },
              {
                "columnName": "RegKey",
                "identifier": "Key"
              }
            ]
          },
          {
            "entityType": "RegistryValue",
            "fieldMappings": [
              {
                "columnName": "RegistryValue",
                "identifier": "Name"
              },
              {
                "columnName": "RegistryValueData",
                "identifier": "Value"
              },
              {
                "columnName": "RegistryValueType",
                "identifier": "ValueType"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "singleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml",
        "query": "// List of Windows Firewall registry keys to monitor\nlet firewallRegistryList = dynamic([\n      'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Static\\\\System',\n      'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Configurable\\\\System',\n      'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Defaults\\\\FirewallPolicy\\\\FirewallRules',\n      'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall'\n  ]);\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \n| where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\n| project\n    TimeGenerated,\n    DvcHostname,\n    ActorUsername,\n    ActorUsernameType,\n    ActingProcessId,\n    ActingProcessName,\n    ActingProcessCommandLine,\n    RegistryKey,\n    RegistryValue,\n    RegistryValueType,\n    RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "tags": [
          {
            "Schema": "_ASim_RegistryEvent",
            "SchemaVersion": "0.1.2"
          }
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}