Potential Evasion via Windows Filtering Platform
Identifies multiple Windows Filtering Platform (WFP) block events where the blocked process name belongs to endpoint security software. Adversaries may add malicious WFP filters to prevent endpoint security agents from sending telemetry.
Elastic rule
[metadata]
creation_date = "2023/12/15"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint
security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.network-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Evasion via Windows Filtering Platform"
references = [
    "https://github.com/dsnezhkov/shutter/tree/main",
    "https://github.com/netero1010/EDRSilencer/tree/main",
    "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152",
]
risk_score = 47
rule_id = "92d3a04e-6487-4b62-892d-70e640a590dc"
setup = """## Setup

The 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Object Access > Filtering Platform Connection (Success,Failure)
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by winlog.computer_name with maxspan=1m
  [network where host.os.type == "windows" and
    event.action : ("windows-firewall-packet-block", "windows-firewall-packet-drop") and
    process.name : (
      "bdagent.exe", "bdreinit.exe", "pdscan.exe", "pdiface.exe", "BDSubWiz.exe", "ProductAgentService.exe",
      "ProductAgentUI.exe", "WatchDog.exe", "CarbonBlackClientSetup.exe", "TrGUI.exe", "TracCAPI.exe", "cpmsi_tool.exe",
      "trac.exe", "vna_install64.exe", "vna_utils.exe", "TracSrvWrapper.exe", "vsmon.exe", "p95tray.exe",
      "CybereasonRansomFreeServiceHost.exe", "CrAmTray.exe", "minionhost.exe", "CybereasonSensor.exe", "CylanceUI.exe",
      "CylanceProtectSetup.exe", "cylancesvc.exe", "cyupdate.exe", "elastic-agent.exe", "elastic-endpoint.exe",
      "egui.exe", "minodlogin.exe", "emu-rep.exe", "emu_install.exe", "emu-cci.exe", "emu-gui.exe", "emu-uninstall.exe",
      "ndep.exe", "spike.exe", "ecls.exe", "ecmd.exe", "ecomserver.exe", "eeclnt.exe", "eh64.exe", "EHttpSrv.exe",
      "xagt.exe", "collectoragent.exe", "FSAEConfig.exe", "uninstalldcagent.exe", "rmon.exe", "fccomint.exe",
      "fclanguageselector.exe", "fortifw.exe", "fcreg.exe", "fortitray.exe", "fcappdb.exe", "fcwizard.exe", "submitv.exe",
      "av_task.exe", "fortiwf.exe", "fortiwadbd.exe", "fcauth.exe", "fcdblog.exe", "fcmgr.exe", "fortiwad.exe",
      "fortiproxy.exe", "fortiscand.exe", "fortivpnst.exe", "ipsec.exe", "fcwscd7.exe", "fcasc.exe", "fchelper.exe",
      "forticlient.exe","fcwsc.exe", "FortiClient.exe", "fmon.exe", "FSSOMA.exe", "FCVbltScan.exe", "FortiESNAC.exe",
      "EPCUserAvatar.exe", "FortiAvatar.exe", "FortiClient_Diagnostic_Tool.exe", "FortiSSLVPNdaemon.exe", "avp.exe",
      "FCConfig.exe", "avpsus.exe", "klnagent.exe", "klnsacwsrv.exe", "kl_platf.exe", "stpass.exe", "klnagwds.exe",
      "mbae.exe", "mbae64.exe", "mbae-svc.exe", "mbae-uninstaller.exe", "mbaeLoader32.exe", "mbaeloader64.exe",
      "mbam-dor.exe", "mbamgui.exe", "mbamservice.exe", "mbamtrayctrl.exe", "mbampt.exe", "mbamscheduler.exe",
      "Coreinst.exe", "mbae-setup.exe", "mcupdate.exe", "ProtectedModuleHost.exe", "ESConfigTool.exe", "FWInstCheck.exe",
      "FwWindowsFirewallHandler.exe", "mfeesp.exe", "mfefw.exe", "mfeProvisionModeUtility.exe", "mfetp.exe", "avpui.exe",
      "WscAVExe.exe", "mcshield.exe", "McChHost.exe", "mfewc.exe", "mfewch.exe", "mfewcui.exe", "fwinfo.exe",
      "mfecanary.exe", "mfefire.exe", "mfehidin.exe", "mfemms.exe", "mfevtps.exe", "mmsinfo.exe", "vtpinfo.exe",
      "MarSetup.exe", "mctray.exe", "masvc.exe", "macmnsvc.exe", "McAPExe.exe", "McPvTray.exe", "mcods.exe",
      "mcuicnt.exe", "mcuihost.exe", "xtray.exe", "McpService.exe", "epefprtrainer.exe", "mfeffcoreservice.exe",
      "MfeEpeSvc.exe", "qualysagent.exe", "QualysProxy.exe", "QualysAgentUI.exe", "SVRTgui.exe", "SVRTcli.exe",
      "SVRTcli.exe", "SVRTgui.exe", "SCTCleanupService.exe", "SVRTservice.exe", "native.exe", "SCTBootTasks.exe",
      "ALMon.exe", "SAA.exe", "SUMService.exe", "ssp.exe", "SCFService.exe", "SCFManager.exe", "spa.exe", "cabarc.exe",
      "sargui.exe", "sntpservice.exe", "McsClient.exe", "McsAgent.exe", "McsHeartbeat.exe", "SAVAdminService.exe",
      "sav32cli.exe", "ForceUpdateAlongSideSGN.exe", "SAVCleanupService.exe", "SavMain.exe", "SavProgress.exe",
      "SavProxy.exe", "SavService.exe", "swc_service.exe", "swi_di.exe", "swi_service.exe", "swi_filter.exe",
      "ALUpdate.exe", "SophosUpdate.exe", "ALsvc.exe", "SophosAlert.exe", "osCheck.exe", "N360Downloader.exe",
      "InstWrap.exe", "symbos.exe", "nss.exe", "symcorpui.exe", "isPwdSvc.exe", "ccsvchst.exe", "ntrmv.exe",
      "pccntmon.exe", "AosUImanager.exe", "NTRTScan.exe", "TMAS_OL.exe", "TMAS_OLImp.exe", "TMAS_OLSentry.exe",
      "ufnavi.exe", "Clnrbin.exe", "vizorhtmldialog.exe", "pwmConsole.exe", "PwmSvc.exe", "coreServiceShell.exe",
      "ds_agent.exe", "SfCtlCom.exe", "MBAMHelper.exe", "cb.exe", "smc.exe", "tda.exe", "xagtnotif.exe", "ekrn.exe",
      "dsa.exe", "Notifier.exe", "rphcp.exe", "lc_sensor.exe", "CSFalconService.exe", "CSFalconController.exe",
      "SenseSampleUploader.exe", "windefend.exe", "MSASCui.exe", "MSASCuiL.exe", "msmpeng.exe", "msmpsvc.exe",
      "MsSense.exe", "esensor.exe", "sentinelone.exe", "tmccsf.exe", "csfalconcontainer.exe", "sensecncproxy.exe",
      "splunk.exe", "sysmon.exe", "sysmon64.exe", "taniumclient.exe"
    )] with runs=5
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Evasion via Windows Filtering Platform

The Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for network filtering and packet processing. Adversaries may exploit WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry data. The detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics.

### Possible investigation steps

- Review the specific network events that triggered the alert, focusing on the event.action values "windows-firewall-packet-block" and "windows-firewall-packet-drop" to understand which processes were blocked.
- Identify the process names involved in the alert from the process.name field and verify if they are related to known endpoint security software, as listed in the query.
- Check the winlog.computer_name field to determine which systems are affected and assess if multiple systems are involved, indicating a broader issue.
- Investigate the recent changes to the Windows Filtering Platform rules on the affected systems to identify any unauthorized or suspicious modifications.
- Correlate the blocked events with any recent security incidents or alerts to determine if there is a pattern or ongoing attack.
- Consult system logs and security software logs on the affected systems for additional context or anomalies around the time of the alert.
- Engage with the system or network administrators to verify if any legitimate changes were made to the WFP rules that could explain the blocked events.

### False positive analysis

- Security software updates or installations can trigger multiple block events as they modify network configurations. Users should monitor for these events during known update windows and consider excluding them from alerts.
- Legitimate network troubleshooting or diagnostic tools may temporarily block network traffic as part of their operation. Identify these tools and create exceptions for their processes to prevent false alerts.
- Custom security configurations or policies in enterprise environments might intentionally block certain network activities. Review and document these configurations to differentiate between expected behavior and potential threats.
- Temporary network disruptions or misconfigurations can cause legitimate security processes to be blocked. Regularly audit network settings and ensure they align with security policies to minimize these occurrences.
- Scheduled maintenance or testing of security systems might result in blocked events. Coordinate with IT teams to whitelist these activities during planned maintenance periods.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and data exfiltration.
- Terminate any suspicious processes identified in the alert, particularly those related to endpoint security software, to restore normal security operations.
- Review and remove any unauthorized or suspicious Windows Filtering Platform rules that may have been added to block security processes.
- Conduct a thorough scan of the affected system using a trusted antivirus or endpoint detection and response (EDR) tool to identify and remove any malware or persistent threats.
- Restore any affected security software to its default configuration and ensure it is fully operational and updated.
- Monitor network traffic and system logs for any signs of continued evasion tactics or re-infection attempts.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.004"
name = "Disable or Modify System Firewall"
reference = "https://attack.mitre.org/techniques/T1562/004/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
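To make the query's sequence logic concrete, the following Python is an added example (not part of the Elastic rule above or of the detection-rules repository) that re-implements the condition `sequence by winlog.computer_name with maxspan=1m [network where ...] with runs=5` and runs it over constructed sample events. Field names mirror the ECS fields the query reads; the host names, timestamps and the abbreviated process list are assumptions made for the example, and the handling of overlapping windows is a deliberate simplification of EQL sequence semantics, noted in the comments.

```python
"""
Added example: a minimal re-implementation of the rule's EQL sequence logic.
Not the Elastic rule's own code; sample events below are constructed.
"""
from datetime import datetime, timedelta

# event.action values the rule matches (from the query).
BLOCK_ACTIONS = {"windows-firewall-packet-block", "windows-firewall-packet-drop"}

# Abbreviated subset of the rule's process.name list (an assumption for the
# example). EQL's `:` operator is case-insensitive, so names are lower-cased.
EDR_PROCESSES = {name.lower() for name in (
    "elastic-agent.exe", "elastic-endpoint.exe", "MsSense.exe", "msmpeng.exe",
    "CSFalconService.exe", "cylancesvc.exe", "sysmon64.exe", "xagt.exe",
)}

MAXSPAN = timedelta(minutes=1)   # `with maxspan=1m`
RUNS = 5                         # `with runs=5`


def matches_subquery(event):
    """The `[network where ...]` filter: Windows host, block/drop action, EDR process."""
    return (
        event.get("host.os.type") == "windows"
        and event.get("event.action") in BLOCK_ACTIONS
        and str(event.get("process.name", "")).lower() in EDR_PROCESSES
    )


def detect(events):
    """Return one alert per run of RUNS matching events on one host within MAXSPAN.

    Simplification of EQL sequence semantics: matching events are grouped by
    winlog.computer_name and sorted by time; a window of RUNS consecutive
    matches fires when last - first <= MAXSPAN. A window that fires is consumed
    so that one burst yields one alert rather than one alert per event.
    """
    per_host = {}
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if matches_subquery(e):
            per_host.setdefault(e["winlog.computer_name"], []).append(e)

    alerts = []
    for host, matched in per_host.items():
        i = 0
        while i + RUNS <= len(matched):
            window = matched[i:i + RUNS]
            span = window[-1]["@timestamp"] - window[0]["@timestamp"]
            if span <= MAXSPAN:
                alerts.append({
                    "host": host,
                    "processes": sorted({w["process.name"] for w in window}),
                    "first_seen": window[0]["@timestamp"].isoformat(),
                    "span_seconds": span.total_seconds(),
                })
                i += RUNS
            else:
                i += 1
    return alerts


def make_event(host, process, seconds, action="windows-firewall-packet-block"):
    """Build one constructed event shaped like the ECS fields the rule reads."""
    base = datetime(2025, 1, 15, 12, 0, 0)  # constructed, arbitrary start time
    return {
        "@timestamp": base + timedelta(seconds=seconds),
        "winlog.computer_name": host,
        "host.os.type": "windows",
        "event.action": action,
        "process.name": process,
    }


# Constructed telemetry covering the hit and the two ways a burst falls short.
SAMPLE_EVENTS = (
    # WS-01: five blocks of elastic-endpoint.exe in 40 s -> alert
    [make_event("WS-01", "elastic-endpoint.exe", s) for s in (0, 10, 20, 30, 40)]
    # WS-02: five blocks of MsSense.exe spread over 4 min -> no alert (maxspan exceeded)
    + [make_event("WS-02", "MsSense.exe", s) for s in (0, 60, 120, 180, 240)]
    # WS-03: only four blocks -> no alert (runs=5 not reached)
    + [make_event("WS-03", "CSFalconService.exe", s) for s in (0, 5, 10, 15)]
    # WS-04: six blocks of a browser -> not a listed EDR process, ignored
    + [make_event("WS-04", "chrome.exe", s) for s in range(0, 60, 10)]
    # WS-05: mixed drop/block for sysmon64.exe, five in 50 s -> alert
    + [make_event("WS-05", "sysmon64.exe", s, "windows-firewall-packet-drop") for s in (0, 15, 30)]
    + [make_event("WS-05", "sysmon64.exe", s) for s in (40, 50)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it prints alerts for WS-01 and WS-05 only; WS-02 shows why `maxspan` matters (the same five events over four minutes stay silent) and WS-03 why `runs` matters. In production the events arrive as Security log IDs 5152 and 5157 (the rule's references) mapped to the two event.action values, and the alert's `processes` and `host` fields are the first things the triage steps in the note ask you to look at.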
Related rules
- Attempt to Install Kali Linux via WSL
- Control Panel Process with Unusual Arguments
- Execution via Windows Subsystem for Linux
- ImageLoad via Windows Update Auto Update Client
- Microsoft Build Engine Started an Unusual Process