
Summary
This detection rule identifies a suspicious firewall change on an endpoint: enabling the "Network Discovery" rule group with the netsh command. It uses process-execution telemetry collected by Endpoint Detection and Response (EDR) agents and inspects the logged command lines for netsh invocations that turn that rule group on. The change is worth flagging because ransomware groups such as REvil and BlackByte use it to locate and reach additional devices on the network before spreading. Detecting it early can stop a single compromised host from becoming a network-wide incident, such as file encryption across many machines. Administrators do occasionally enable Network Discovery legitimately, so hits should be triaged against known administrative accounts and deployment tooling rather than treated as confirmed intrusions.
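The check described above, run over a few constructed EDR process events. This is an added example and not the rule's own search logic; the event shape (host, user, parent, process_name, command_line), the hostnames, users and command lines are all made up for the illustration, and the `allowed_users` allow-list is a triage aid assumed here rather than part of the rule.

```python
import re

# Constructed sample process-execution events in the shape an EDR agent
# might forward. Hosts, users and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "process_name": "netsh.exe",
     "command_line": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"host": "ws02", "user": "CORP\\svc_deploy", "parent": "powershell.exe",
     "process_name": "netsh.exe",
     "command_line": 'NETSH AdvFirewall Firewall Set Rule Group="network discovery" New Enable=yes Profile=any'},
    {"host": "ws03", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "process_name": "netsh.exe",
     "command_line": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=No'},
    {"host": "ws04", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "process_name": "netsh.exe",
     "command_line": "netsh advfirewall show allprofiles"},
    {"host": "ws05", "user": "CORP\\admin", "parent": "cmd.exe",
     "process_name": "cmd.exe",
     "command_line": "cmd.exe /c echo Network Discovery enable=Yes"},
]

# netsh accepts unambiguous prefixes of its keywords, so "advf f set rule" is as
# valid as "advfirewall firewall set rule"; the pattern tolerates that.
ADVFIREWALL_SET_RULE = re.compile(r"\badv\w*\s+f\w*\s+set\s+rule\b", re.IGNORECASE)

# key=value arguments, with or without double quotes around the value.
KEY_VALUE = re.compile(r'\b(group|name|enable|profile)\s*=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_netsh_args(command_line: str) -> dict:
    """Extract the interesting key=value arguments from a netsh command line.

    Keys and values are lower-cased so that "Group=" and "group=" compare equal.
    """
    args = {}
    for m in KEY_VALUE.finditer(command_line):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        args[m.group(1).lower()] = value.strip().lower()
    return args


def is_network_discovery_enable(event: dict) -> bool:
    """True when the event is netsh.exe turning on the 'Network Discovery' rule group."""
    if event.get("process_name", "").lower() != "netsh.exe":
        return False
    cmd = event.get("command_line", "")
    if not ADVFIREWALL_SET_RULE.search(cmd):
        return False
    args = parse_netsh_args(cmd)
    # Only an enable of this specific rule group is a hit; disabling it, or
    # inspecting profiles, is not what the rule is after.
    return args.get("group") == "network discovery" and args.get("enable") == "yes"


def find_suspicious_enables(events, allowed_users=frozenset()):
    """Return matching events whose user is not on the (assumed) allow-list.

    The allow-list is a triage aid for known administrative or deployment
    accounts; it is not part of the detection logic itself.
    """
    allowed = {u.lower() for u in allowed_users}
    return [
        e for e in events
        if is_network_discovery_enable(e) and e.get("user", "").lower() not in allowed
    ]


if __name__ == "__main__":
    for hit in find_suspicious_enables(SAMPLE_EVENTS, allowed_users={"CORP\\svc_deploy"}):
        print(f"ALERT host={hit['host']} user={hit['user']} "
              f"parent={hit['parent']} cmd={hit['command_line']}")
```

Running the block as written reports only ws01: ws02 is filtered by the allow-list, ws03 disables rather than enables the group, ws04 merely shows profiles, and ws05 contains the words but is not netsh.exe. The parent process and user fields are kept in the alert because they are the first things an analyst wants when deciding whether a hit is an administrator or an intruder.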
Categories
- Endpoint
Data Sources
- Pod
- User Account
- Process
- Network Traffic
ATT&CK Techniques
- T1562.007
- T1562
Created: 2024-11-13