Potential Evasion via Windows Filtering Platform
Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/12/15"
3integration = ["system", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies multiple Windows Filtering Platform block events and where the process name is related to
13an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security
14from sending telemetry.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-windows.network-*", "logs-system.security-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Evasion via Windows Filtering Platform"
21references = [
22 "https://github.com/dsnezhkov/shutter/tree/main",
23 "https://github.com/netero1010/EDRSilencer/tree/main",
24 "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/",
25 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157",
26 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152"
27]
28risk_score = 47
29rule_id = "92d3a04e-6487-4b62-892d-70e640a590dc"
30setup = """## Setup
31
32The 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).
33Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Object Access > Filtering Platform Connection (Success,Failure)
1"""
2severity = "medium"
3tags = [
4 "Domain: Endpoint",
5 "OS: Windows",
6 "Use Case: Threat Detection",
7 "Tactic: Defense Evasion",
8 "Data Source: Elastic Defend"
9]
10type = "eql"
11
12query = '''
13sequence by winlog.computer_name with maxspan=1m
14 [network where host.os.type == "windows" and
15 event.action : ("windows-firewall-packet-block", "windows-firewall-packet-drop") and
16 process.name : (
17 "bdagent.exe", "bdreinit.exe", "pdscan.exe", "pdiface.exe", "BDSubWiz.exe", "ProductAgentService.exe",
18 "ProductAgentUI.exe", "WatchDog.exe", "CarbonBlackClientSetup.exe", "TrGUI.exe", "TracCAPI.exe", "cpmsi_tool.exe",
19 "trac.exe", "vna_install64.exe", "vna_utils.exe", "TracSrvWrapper.exe", "vsmon.exe", "p95tray.exe",
20 "CybereasonRansomFreeServiceHost.exe", "CrAmTray.exe", "minionhost.exe", "CybereasonSensor.exe", "CylanceUI.exe",
21 "CylanceProtectSetup.exe", "cylancesvc.exe", "cyupdate.exe", "elastic-agent.exe", "elastic-endpoint.exe",
22 "egui.exe", "minodlogin.exe", "emu-rep.exe", "emu_install.exe", "emu-cci.exe", "emu-gui.exe", "emu-uninstall.exe",
23 "ndep.exe", "spike.exe", "ecls.exe", "ecmd.exe", "ecomserver.exe", "eeclnt.exe", "eh64.exe", "EHttpSrv.exe",
24 "xagt.exe", "collectoragent.exe", "FSAEConfig.exe", "uninstalldcagent.exe", "rmon.exe", "fccomint.exe",
25 "fclanguageselector.exe", "fortifw.exe", "fcreg.exe", "fortitray.exe", "fcappdb.exe", "fcwizard.exe", "submitv.exe",
26 "av_task.exe", "fortiwf.exe", "fortiwadbd.exe", "fcauth.exe", "fcdblog.exe", "fcmgr.exe", "fortiwad.exe",
27 "fortiproxy.exe", "fortiscand.exe", "fortivpnst.exe", "ipsec.exe", "fcwscd7.exe", "fcasc.exe", "fchelper.exe",
28 "forticlient.exe","fcwsc.exe", "FortiClient.exe", "fmon.exe", "FSSOMA.exe", "FCVbltScan.exe", "FortiESNAC.exe",
29 "EPCUserAvatar.exe", "FortiAvatar.exe", "FortiClient_Diagnostic_Tool.exe", "FortiSSLVPNdaemon.exe", "avp.exe",
30 "FCConfig.exe", "avpsus.exe", "klnagent.exe", "klnsacwsrv.exe", "kl_platf.exe", "stpass.exe", "klnagwds.exe",
31 "mbae.exe", "mbae64.exe", "mbae-svc.exe", "mbae-uninstaller.exe", "mbaeLoader32.exe", "mbaeloader64.exe",
32 "mbam-dor.exe", "mbamgui.exe", "mbamservice.exe", "mbamtrayctrl.exe", "mbampt.exe", "mbamscheduler.exe",
33 "Coreinst.exe", "mbae-setup.exe", "mcupdate.exe", "ProtectedModuleHost.exe", "ESConfigTool.exe", "FWInstCheck.exe",
34 "FwWindowsFirewallHandler.exe", "mfeesp.exe", "mfefw.exe", "mfeProvisionModeUtility.exe", "mfetp.exe", "avpui.exe",
35 "WscAVExe.exe", "mcshield.exe", "McChHost.exe", "mfewc.exe", "mfewch.exe", "mfewcui.exe", "fwinfo.exe",
36 "mfecanary.exe", "mfefire.exe", "mfehidin.exe", "mfemms.exe", "mfevtps.exe", "mmsinfo.exe", "vtpinfo.exe",
37 "MarSetup.exe", "mctray.exe", "masvc.exe", "macmnsvc.exe", "McAPExe.exe", "McPvTray.exe", "mcods.exe",
38 "mcuicnt.exe", "mcuihost.exe", "xtray.exe", "McpService.exe", "epefprtrainer.exe", "mfeffcoreservice.exe",
39 "MfeEpeSvc.exe", "qualysagent.exe", "QualysProxy.exe", "QualysAgentUI.exe", "SVRTgui.exe", "SVRTcli.exe",
40 "SVRTcli.exe", "SVRTgui.exe", "SCTCleanupService.exe", "SVRTservice.exe", "native.exe", "SCTBootTasks.exe",
41 "ALMon.exe", "SAA.exe", "SUMService.exe", "ssp.exe", "SCFService.exe", "SCFManager.exe", "spa.exe", "cabarc.exe",
42 "sargui.exe", "sntpservice.exe", "McsClient.exe", "McsAgent.exe", "McsHeartbeat.exe", "SAVAdminService.exe",
43 "sav32cli.exe", "ForceUpdateAlongSideSGN.exe", "SAVCleanupService.exe", "SavMain.exe", "SavProgress.exe",
44 "SavProxy.exe", "SavService.exe", "swc_service.exe", "swi_di.exe", "swi_service.exe", "swi_filter.exe",
45 "ALUpdate.exe", "SophosUpdate.exe", "ALsvc.exe", "SophosAlert.exe", "osCheck.exe", "N360Downloader.exe",
46 "InstWrap.exe", "symbos.exe", "nss.exe", "symcorpui.exe", "isPwdSvc.exe", "ccsvchst.exe", "ntrmv.exe",
47 "pccntmon.exe", "AosUImanager.exe", "NTRTScan.exe", "TMAS_OL.exe", "TMAS_OLImp.exe", "TMAS_OLSentry.exe",
48 "ufnavi.exe", "Clnrbin.exe", "vizorhtmldialog.exe", "pwmConsole.exe", "PwmSvc.exe", "coreServiceShell.exe",
49 "ds_agent.exe", "SfCtlCom.exe", "MBAMHelper.exe", "cb.exe", "smc.exe", "tda.exe", "xagtnotif.exe", "ekrn.exe",
50 "dsa.exe", "Notifier.exe", "rphcp.exe", "lc_sensor.exe", "CSFalconService.exe", "CSFalconController.exe",
51 "SenseSampleUploader.exe", "windefend.exe", "MSASCui.exe", "MSASCuiL.exe", "msmpeng.exe", "msmpsvc.exe",
52 "MsSense.exe", "esensor.exe", "sentinelone.exe", "tmccsf.exe", "csfalconcontainer.exe", "sensecncproxy.exe",
53 "splunk.exe", "sysmon.exe", "sysmon64.exe", "taniumclient.exe"
54 )] with runs=5
55'''
56
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1562"
62name = "Impair Defenses"
63reference = "https://attack.mitre.org/techniques/T1562/"
64[[rule.threat.technique.subtechnique]]
65id = "T1562.004"
66name = "Disable or Modify System Firewall"
67reference = "https://attack.mitre.org/techniques/T1562/004/"
68
69
70
71[rule.threat.tactic]
72id = "TA0005"
73name = "Defense Evasion"
74reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Bypass UAC via Event Viewer
- Clearing Windows Console History
- Clearing Windows Event Logs