Potential Evasion via Windows Filtering Platform

Identifies multiple Windows Filtering Platform block events where the process name belongs to endpoint security software. Adversaries may add malicious WFP rules to prevent endpoint security from sending telemetry.

Elastic rule

```toml
[metadata]
creation_date = "2023/12/15"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint
security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.network-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Evasion via Windows Filtering Platform"
references = [
    "https://github.com/dsnezhkov/shutter/tree/main",
    "https://github.com/netero1010/EDRSilencer/tree/main",
    "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152",
]
risk_score = 47
rule_id = "92d3a04e-6487-4b62-892d-70e640a590dc"
setup = """## Setup

The 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

    Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Object Access > Filtering Platform Connection (Success,Failure)
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by winlog.computer_name with maxspan=1m
 [network where host.os.type == "windows" and
  event.action : ("windows-firewall-packet-block", "windows-firewall-packet-drop") and
  process.name : (
        "bdagent.exe", "bdreinit.exe", "pdscan.exe", "pdiface.exe", "BDSubWiz.exe", "ProductAgentService.exe",
        "ProductAgentUI.exe", "WatchDog.exe", "CarbonBlackClientSetup.exe", "TrGUI.exe", "TracCAPI.exe", "cpmsi_tool.exe",
        "trac.exe", "vna_install64.exe", "vna_utils.exe", "TracSrvWrapper.exe", "vsmon.exe", "p95tray.exe",
        "CybereasonRansomFreeServiceHost.exe", "CrAmTray.exe", "minionhost.exe", "CybereasonSensor.exe", "CylanceUI.exe",
        "CylanceProtectSetup.exe", "cylancesvc.exe", "cyupdate.exe", "elastic-agent.exe", "elastic-endpoint.exe",
        "egui.exe", "minodlogin.exe", "emu-rep.exe", "emu_install.exe", "emu-cci.exe", "emu-gui.exe", "emu-uninstall.exe",
        "ndep.exe", "spike.exe", "ecls.exe", "ecmd.exe", "ecomserver.exe", "eeclnt.exe", "eh64.exe", "EHttpSrv.exe",
        "xagt.exe", "collectoragent.exe", "FSAEConfig.exe", "uninstalldcagent.exe", "rmon.exe", "fccomint.exe",
        "fclanguageselector.exe", "fortifw.exe", "fcreg.exe", "fortitray.exe", "fcappdb.exe", "fcwizard.exe", "submitv.exe",
        "av_task.exe", "fortiwf.exe", "fortiwadbd.exe", "fcauth.exe", "fcdblog.exe", "fcmgr.exe", "fortiwad.exe",
        "fortiproxy.exe", "fortiscand.exe", "fortivpnst.exe", "ipsec.exe", "fcwscd7.exe", "fcasc.exe", "fchelper.exe",
        "forticlient.exe","fcwsc.exe", "FortiClient.exe", "fmon.exe", "FSSOMA.exe", "FCVbltScan.exe", "FortiESNAC.exe",
        "EPCUserAvatar.exe", "FortiAvatar.exe", "FortiClient_Diagnostic_Tool.exe", "FortiSSLVPNdaemon.exe", "avp.exe",
        "FCConfig.exe", "avpsus.exe", "klnagent.exe", "klnsacwsrv.exe", "kl_platf.exe", "stpass.exe", "klnagwds.exe",
        "mbae.exe", "mbae64.exe", "mbae-svc.exe", "mbae-uninstaller.exe", "mbaeLoader32.exe", "mbaeloader64.exe",
        "mbam-dor.exe", "mbamgui.exe", "mbamservice.exe", "mbamtrayctrl.exe", "mbampt.exe", "mbamscheduler.exe",
        "Coreinst.exe", "mbae-setup.exe", "mcupdate.exe", "ProtectedModuleHost.exe", "ESConfigTool.exe", "FWInstCheck.exe",
        "FwWindowsFirewallHandler.exe", "mfeesp.exe", "mfefw.exe", "mfeProvisionModeUtility.exe", "mfetp.exe", "avpui.exe",
        "WscAVExe.exe", "mcshield.exe", "McChHost.exe", "mfewc.exe", "mfewch.exe", "mfewcui.exe", "fwinfo.exe",
        "mfecanary.exe", "mfefire.exe", "mfehidin.exe", "mfemms.exe", "mfevtps.exe", "mmsinfo.exe", "vtpinfo.exe",
        "MarSetup.exe", "mctray.exe", "masvc.exe", "macmnsvc.exe", "McAPExe.exe", "McPvTray.exe", "mcods.exe",
        "mcuicnt.exe", "mcuihost.exe", "xtray.exe", "McpService.exe", "epefprtrainer.exe", "mfeffcoreservice.exe",
        "MfeEpeSvc.exe", "qualysagent.exe", "QualysProxy.exe", "QualysAgentUI.exe", "SVRTgui.exe", "SVRTcli.exe",
        "SVRTcli.exe", "SVRTgui.exe", "SCTCleanupService.exe", "SVRTservice.exe", "native.exe", "SCTBootTasks.exe",
        "ALMon.exe", "SAA.exe", "SUMService.exe", "ssp.exe", "SCFService.exe", "SCFManager.exe", "spa.exe", "cabarc.exe",
        "sargui.exe", "sntpservice.exe", "McsClient.exe", "McsAgent.exe", "McsHeartbeat.exe", "SAVAdminService.exe",
        "sav32cli.exe", "ForceUpdateAlongSideSGN.exe", "SAVCleanupService.exe", "SavMain.exe", "SavProgress.exe",
        "SavProxy.exe", "SavService.exe", "swc_service.exe", "swi_di.exe", "swi_service.exe", "swi_filter.exe",
        "ALUpdate.exe", "SophosUpdate.exe", "ALsvc.exe", "SophosAlert.exe", "osCheck.exe", "N360Downloader.exe",
        "InstWrap.exe", "symbos.exe", "nss.exe", "symcorpui.exe", "isPwdSvc.exe", "ccsvchst.exe", "ntrmv.exe",
        "pccntmon.exe", "AosUImanager.exe", "NTRTScan.exe", "TMAS_OL.exe", "TMAS_OLImp.exe", "TMAS_OLSentry.exe",
        "ufnavi.exe", "Clnrbin.exe", "vizorhtmldialog.exe", "pwmConsole.exe", "PwmSvc.exe", "coreServiceShell.exe",
        "ds_agent.exe", "SfCtlCom.exe", "MBAMHelper.exe", "cb.exe", "smc.exe", "tda.exe", "xagtnotif.exe", "ekrn.exe",
        "dsa.exe", "Notifier.exe", "rphcp.exe", "lc_sensor.exe", "CSFalconService.exe", "CSFalconController.exe",
        "SenseSampleUploader.exe", "windefend.exe", "MSASCui.exe", "MSASCuiL.exe", "msmpeng.exe", "msmpsvc.exe",
        "MsSense.exe", "esensor.exe", "sentinelone.exe", "tmccsf.exe", "csfalconcontainer.exe", "sensecncproxy.exe",
        "splunk.exe", "sysmon.exe", "sysmon64.exe", "taniumclient.exe"
    )] with runs=5
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Evasion via Windows Filtering Platform

The Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for network filtering and packet processing. Adversaries may exploit WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry data. The detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics.

### Possible investigation steps

- Review the specific network events that triggered the alert, focusing on the event.action values "windows-firewall-packet-block" and "windows-firewall-packet-drop" to understand which processes were blocked.
- Identify the process names involved in the alert from the process.name field and verify if they are related to known endpoint security software, as listed in the query.
- Check the winlog.computer_name field to determine which systems are affected and assess if multiple systems are involved, indicating a broader issue.
- Investigate the recent changes to the Windows Filtering Platform rules on the affected systems to identify any unauthorized or suspicious modifications.
- Correlate the blocked events with any recent security incidents or alerts to determine if there is a pattern or ongoing attack.
- Consult system logs and security software logs on the affected systems for additional context or anomalies around the time of the alert.
- Engage with the system or network administrators to verify if any legitimate changes were made to the WFP rules that could explain the blocked events.

### False positive analysis

- Security software updates or installations can trigger multiple block events as they modify network configurations. Users should monitor for these events during known update windows and consider excluding them from alerts.
- Legitimate network troubleshooting or diagnostic tools may temporarily block network traffic as part of their operation. Identify these tools and create exceptions for their processes to prevent false alerts.
- Custom security configurations or policies in enterprise environments might intentionally block certain network activities. Review and document these configurations to differentiate between expected behavior and potential threats.
- Temporary network disruptions or misconfigurations can cause legitimate security processes to be blocked. Regularly audit network settings and ensure they align with security policies to minimize these occurrences.
- Scheduled maintenance or testing of security systems might result in blocked events. Coordinate with IT teams to whitelist these activities during planned maintenance periods.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and data exfiltration.
- Terminate any suspicious processes identified in the alert, particularly those related to endpoint security software, to restore normal security operations.
- Review and remove any unauthorized or suspicious Windows Filtering Platform rules that may have been added to block security processes.
- Conduct a thorough scan of the affected system using a trusted antivirus or endpoint detection and response (EDR) tool to identify and remove any malware or persistent threats.
- Restore any affected security software to its default configuration and ensure it is fully operational and updated.
- Monitor network traffic and system logs for any signs of continued evasion tactics or re-infection attempts.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.004"
name = "Disable or Modify System Firewall"
reference = "https://attack.mitre.org/techniques/T1562/004/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
