The release of this old blog post was prompted by this nice article on silencing Microsoft Defender for Endpoint (previously Microsoft Defender ATP) using firewall rules.
The author of that post noted that he had not found a proper way of detecting the creation of firewall rules: as he points out, Event ID 4947 only records the RuleId and RuleName, not the rule's content. This post is my attempt to solve that.
A while back I had asked myself the same question: how does a blue teamer reliably detect the addition of new firewall rules? Since nearly every configuration detail in Windows is stored somewhere in the registry, I reasoned that I could simply enable registry auditing on the relevant key.
A quick Google search led me to this useful article, which shows that the locally defined firewall rules are stored in the registry under
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules.
(Rules pushed by Group Policy land under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules instead, so audit that key as well if you care about GPO-delivered rules.)
Now I just had to make sure two things were in place:
- Registry auditing was enabled (the Audit Registry subcategory under Object Access), so that Event ID 4657 (A registry value was modified) can be generated.
- An appropriate SACL was set on the registry key
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules.
Be careful: if you skip the second step, no Event ID 4657 events are generated at all, even with registry auditing enabled. The audit policy only switches the subcategory on; the SACL decides which objects and which operations actually get audited.
For this example, I set up auditing of write operations on that key for members of the Authenticated Users group.
Now I just had to run a PowerShell command that creates a new firewall rule blocking the WinDefend service (MsMpEng.exe) from making outbound connections to TCP port 443:
New-NetFirewallRule -DisplayName "Block 443 MsMpEng" -Name "Block 443 MsMpEng" -Direction Outbound -Service WinDefend -Enabled True -RemotePort 443 -Protocol TCP -Action Block
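The whole setup as one script, as an added example that is not part of the original post: it enables the Registry audit subcategory with auditpol, adds a Success audit entry for Authenticated Users on the FirewallRules key through the .NET RegistryAuditRule class, verifies that the SACL entry is really there, and then fires the same rule as above. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later; the rule name is the one used in this post.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes an elevated session:
# writing a SACL needs SeSecurityPrivilege, which only an elevated admin holds.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Step 1: turn on the "Registry" subcategory of Object Access auditing.
# Without this the SACL is ignored and Event ID 4657 is never written.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Step 2: add a SACL entry so that successful writes (setting/creating/deleting
# values) by any authenticated user on this key are audited.
$acl = Get-Acl -Path $keyPath -Audit
$rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor `
          [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor `
          [System.Security.AccessControl.RegistryRights]::Delete
$auditRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Authenticated Users',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,   # values sit directly on this key
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($auditRule)
Set-Acl -Path $keyPath -AclObject $acl

# Step 3: check that the SACL entry actually landed. Empty output here means
# step 2 silently failed and no 4657 will ever show up for this key.
(Get-Acl -Path $keyPath -Audit).Audit |
    Select-Object IdentityReference, RegistryRights, AuditFlags

# Step 4: create the same rule as in the post. Each new rule is one new REG_SZ
# value under FirewallRules, so it produces one 4657 with OperationType %%1904.
New-NetFirewallRule -DisplayName 'Block 443 MsMpEng' -Name 'Block 443 MsMpEng' `
    -Direction Outbound -Service WinDefend -Enabled True `
    -RemotePort 443 -Protocol TCP -Action Block | Out-Null
```

Run it once, then open the Security log: the 4657 for the new rule should name the FirewallRules key in ObjectName and carry the full rule string in NewValue.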
After running this, the generated Event ID 4657 event is shown below:
In my SIEM, I see the following:
EventSource=Windows EventID=4657 Category=Registry ObjectName="*\FirewallPolicy\FirewallRules"
OperationType="%%1904"
| table EventTime, ObjectName, ObjectValue, NewValue
PS: "%%1904" in OperationType signifies that a new registry value was added.
Now I just need to tidy up that NewValue data with some post-processing in my SIEM:
EventSource=Windows EventID=4657 Category=Registry ObjectName="*\FirewallPolicy\FirewallRules"
OperationType="%%1904"
| norm on NewValue <:all>Action=<action:all>Active=<active:all>Dir=<direction:all>Protocol=<proto:all>Port=<port:all>Svc=<service:all>Name<rule:string><:'\|'>
| eval ("protocol = if (proto == 6)
{ return 'TCP' } else if (proto == 17)
{ return 'UDP' } else
{ return proto }")
| table action, active, direction, protocol, port, service, rule
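The same normalization done in PowerShell against the live Security log, as an added example that is not part of the original post. Unlike the fixed norm pattern above it splits the pipe-delimited rule string into whichever fields are present (the format uses LPort and RPort, App, Svc, EmbedCtxt and so on rather than a single Port field), treats a missing Protocol field as "Any", and maps the IANA protocol number instead of assuming anything that is not 6 is UDP. The three sample strings are constructed for this example; Get-NewFirewallRuleEvents assumes the audit policy and SACL described above are in place and that the session can read the Security log.

```powershell
# Added example (not from the original post). The sample rule strings below are
# constructed for illustration; the field names follow the real FirewallRules format.

function ConvertFrom-FirewallRuleValue {
    param([Parameter(Mandatory)][string]$Value)

    # IANA protocol numbers as they appear in the Protocol= field.
    $protoNames = @{ '1' = 'ICMPv4'; '6' = 'TCP'; '17' = 'UDP'; '58' = 'ICMPv6' }

    # Tokens are '|'-separated; the first one is the format version (e.g. v2.30)
    # and has no '='. A trailing '|' yields an empty token, which is dropped.
    $parts  = @($Value -split '\|' | Where-Object { $_ -ne '' })
    $fields = [ordered]@{ Version = $parts[0] }
    foreach ($p in ($parts | Select-Object -Skip 1)) {
        $k, $v = $p -split '=', 2           # split on the first '=' only (paths may contain more)
        if ($null -eq $v) { continue }      # tolerate a malformed token instead of failing
        $fields[$k] = $v
    }

    # Decode the protocol number; keep the raw number if it is not in the map,
    # and treat an absent field as "Any", which is what the firewall does.
    if ($fields.Contains('Protocol')) {
        $fields['ProtocolName'] = if ($protoNames.Contains($fields['Protocol'])) {
            $protoNames[$fields['Protocol']] } else { $fields['Protocol'] }
    } else {
        $fields['ProtocolName'] = 'Any'
    }
    [pscustomobject]$fields
}

function Get-NewFirewallRuleEvents {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the EventData fields out of the event XML into a hashtable.
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

        # Keep only new values (%%1904) written under the FirewallRules key.
        if ($f.ObjectName -like '*\FirewallPolicy\FirewallRules' -and $f.OperationType -eq '%%1904') {
            ConvertFrom-FirewallRuleValue -Value $f.NewValue |
                Add-Member -NotePropertyName Time    -NotePropertyValue $_.TimeCreated   -PassThru |
                Add-Member -NotePropertyName Subject -NotePropertyValue $f.SubjectUserName -PassThru |
                Add-Member -NotePropertyName Process -NotePropertyValue $f.ProcessName   -PassThru
        }
    }
}

# Offline check with constructed sample values (what NewValue looks like for
# a service rule, an application rule with a local port, and a protocol-less rule).
$samples = @(
    'v2.30|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=443|Svc=WinDefend|Name=Block 443 MsMpEng|',
    'v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=53|App=C:\Windows\System32\dns.exe|Name=DNS in|',
    'v2.30|Action=Block|Active=TRUE|Dir=Out|App=C:\Program Files\Windows Defender\MsMpEng.exe|Name=Block MsMpEng|'
)
$samples | ForEach-Object { ConvertFrom-FirewallRuleValue -Value $_ } |
    Format-Table Action, Active, Dir, ProtocolName, LPort, RPort, Svc, App, Name -AutoSize

# Live check against the Security log (needs the SACL and audit policy from above).
Get-NewFirewallRuleEvents |
    Format-Table Time, Subject, Process, Action, Dir, ProtocolName, RPort, Svc, App, Name -AutoSize
```

For the first sample the object comes back with Action=Block, Dir=Out, ProtocolName=TCP, RPort=443, Svc=WinDefend and Name=Block 443 MsMpEng; the third has ProtocolName=Any and an App path, which the fixed norm pattern would have missed entirely. Note that Process and Subject come from the 4657 itself, so a rule added by anything other than the usual management tooling (mmc.exe, netsh.exe, PowerShell) stands out without any parsing of the rule at all.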
Conclusion
Detecting tampering with an endpoint's firewall configuration is crucial for any enterprise defender. Implementing proper detection-in-depth in your enterprise will make life difficult for threat actors targeting your organization.