T1562.004 – Disable or Modify System Firewall (Palo Alto Detection)

Palo Alto Alert Details
Alert ID: PAN-DISABLE-FIREWALL-1562-7842
Alert Time: 2024-03-08 14:15:33 EST
Severity: CRITICAL (96/100)
Source: Palo Alto Networks Firewall + Cortex XDR
Rule: “Windows Firewall Disabled – Potential Defense Evasion”
MITRE ATT&CK: T1562.004 – Impair Defenses: Disable or Modify System Firewall

Alert Details:

Detection: Windows Firewall disabled on multiple critical servers

Affected Hosts:

SQL-SRV-01 (SQL Server)
WEB-SRV-01 (Web Server)
FILESRV-01 (File Server)
DC-01 (Domain Controller)

Time: 14:00-14:15 EST

Events (from Cortex XDR):

Host: SQL-SRV-01

14:05:22 – Command: netsh advfirewall set allprofiles state off
14:05:25 – Registry: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall set to 0
14:05:28 – Service: MpsSvc (Windows Firewall) stopped

Host: WEB-SRV-01

14:07:45 – Command: netsh advfirewall set allprofiles state off
14:07:48 – Registry modified
14:07:50 – Service stopped

Host: FILESRV-01

14:10:12 – Same pattern

Host: DC-01

14:12:38 – Same pattern

Source of Commands:

All commands originated from a compromised admin workstation (192.168.45.78)
PsExec was used to execute the commands on each server
Attacker IP (external): 185.143.221[.]89 (connected to the admin workstation)

Detection Logic:

Windows Firewall disabled on multiple critical servers within a short window
Pattern matches an attacker preparing for lateral movement or ransomware deployment
A disabled firewall allows unrestricted C2 communication
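The detection logic above correlates three artifacts per host (the netsh command, the EnableFirewall registry value, the MpsSvc service stop) and escalates when several hosts are hit inside one window. The following PowerShell is an added example of that correlation, not Palo Alto's or Cortex XDR's own rule; the event object shape is assumed, and the sample events are constructed from the timeline in the alert plus one benign netsh query that must not fire.

```powershell
# Added example: correlate firewall-disablement artifacts per host and
# escalate to CRITICAL when several hosts are hit inside one window.
# Event shape (Time/Host/Type/Detail/Source) is an assumption for this example.

# Constructed sample events modelled on the Cortex XDR entries in the alert.
$events = @(
    [pscustomobject]@{ Time='2024-03-08 14:05:22'; Host='SQL-SRV-01'; Type='Command';  Detail='netsh advfirewall set allprofiles state off'; Source='192.168.45.78' },
    [pscustomobject]@{ Time='2024-03-08 14:05:25'; Host='SQL-SRV-01'; Type='Registry'; Detail='HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0'; Source='192.168.45.78' },
    [pscustomobject]@{ Time='2024-03-08 14:05:28'; Host='SQL-SRV-01'; Type='Service';  Detail='MpsSvc stopped'; Source='192.168.45.78' },
    [pscustomobject]@{ Time='2024-03-08 14:07:45'; Host='WEB-SRV-01'; Type='Command';  Detail='netsh advfirewall set allprofiles state off'; Source='192.168.45.78' },
    [pscustomobject]@{ Time='2024-03-08 14:07:50'; Host='WEB-SRV-01'; Type='Service';  Detail='MpsSvc stopped'; Source='192.168.45.78' },
    # Benign query from an unrelated host; the rule must not flag it.
    [pscustomobject]@{ Time='2024-03-08 14:30:00'; Host='BUILD-01';   Type='Command';  Detail='netsh advfirewall show allprofiles'; Source='10.0.0.5' }
)

# One regex per artifact type the alert lists. "show" or "get" forms of netsh
# do not match; only a state-off change does.
$patterns = @{
    Command  = 'netsh\s+advfirewall\s+set\s+\w+\s+state\s+off'
    Registry = 'FirewallPolicy\\\w+Profile\\EnableFirewall=0$'
    Service  = '^MpsSvc stopped$'
}

function Get-FirewallDisableFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 15,     # hosts hit within this span count as one campaign
        [int] $MultiHostThreshold = 2  # this many hosts in the window => CRITICAL
    )

    # Per-host findings: which artifacts were seen, when, and from where.
    $perHost = foreach ($group in ($Events | Group-Object Host)) {
        $hits = @($group.Group | Where-Object {
            $p = $patterns[$_.Type]
            $p -and ($_.Detail -match $p)
        })
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            Host      = $group.Name
            FirstSeen = ($hits | ForEach-Object { [datetime]$_.Time } | Sort-Object)[0]
            Artifacts = @($hits.Type | Sort-Object -Unique)
            Source    = @($hits.Source | Sort-Object -Unique) -join ','
        }
    }

    $hosts = @($perHost | Sort-Object FirstSeen)
    if ($hosts.Count -eq 0) { return $null }

    # Count hosts whose first artifact falls inside the window opened by the earliest one.
    $start    = $hosts[0].FirstSeen
    $inWindow = @($hosts | Where-Object { ($_.FirstSeen - $start).TotalMinutes -le $WindowMinutes })
    $severity = if ($inWindow.Count -ge $MultiHostThreshold) { 'CRITICAL' } else { 'HIGH' }

    [pscustomobject]@{
        Severity      = $severity
        Technique     = 'T1562.004'
        AffectedHosts = @($inWindow.Host)
        Sources       = @($inWindow.Source | Sort-Object -Unique)
        Findings      = $hosts
    }
}

# Usage: run over the constructed events and print the verdict.
$verdict = Get-FirewallDisableFindings -Events $events
$verdict | Format-List Severity, Technique, AffectedHosts, Sources
$verdict.Findings | Format-Table Host, FirstSeen, Source, Artifacts -AutoSize
```

The per-host step keeps partial matches (a host showing only the command, as WEB-SRV-01 does here, is still a finding), while the severity step depends only on how many distinct hosts fall inside the window. In production the event array would come from the XDR or SIEM query rather than being built inline, and the window and threshold would be tuned to the environment.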

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Palo Alto/Cortex alerts | Cortex XDR | Confirmed firewall disabled on 4 servers
2. Immediate Action | Isolate compromised admin workstation | CrowdStrike | Admin workstation quarantined
3. Re-enable Firewall | Enable firewall on all affected servers | PowerShell (Invoke-Command) | Firewall re-enabled on all 4 servers
4. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset
5. Network Block | Block attacker IP | Palo Alto | 185.143.221[.]89 blocked
6. Verification | Confirm firewall status | PowerShell | All firewalls enabled and active
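Steps 3 and 6 of the process (re-enable via Invoke-Command, then confirm status) are shown below as one added PowerShell example; it is not the SOC's own script. It assumes WinRM access and local administrator rights on the four servers named in the report, and the NetSecurity module (Windows Server 2012 or later) on each of them. The verification covers the three artifacts the alert records: profile state, the EnableFirewall registry value and the MpsSvc service.

```powershell
# Added example: re-enable the Windows Firewall on the affected servers and
# return a verification object per host instead of trusting a silent command.
# Assumes WinRM is reachable and the caller has admin rights on each server.

$servers = 'SQL-SRV-01', 'WEB-SRV-01', 'FILESRV-01', 'DC-01'

# This script block runs on each remote host.
$remediate = {
    # Step 3a: restart the firewall service if it was stopped.
    $svc = Get-Service -Name MpsSvc
    if ($svc.Status -ne 'Running') { Start-Service -Name MpsSvc }

    # Step 3b: turn every profile back on. The netsh command in the alert
    # ("set allprofiles state off") turned all three off.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

    # Step 6: verify profiles, registry value and service.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $regValue = (Get-ItemProperty -Path $regPath -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    $svc      = Get-Service -Name MpsSvc

    $disabledProfiles = @($profiles | Where-Object { $_.Enabled.ToString() -ne 'True' })

    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        AllProfilesOn     = ($disabledProfiles.Count -eq 0)
        ProfileStates     = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ';'
        RegEnableFirewall = $regValue
        MpsSvcStatus      = $svc.Status.ToString()
    }
}

# Invoke-Command fans out to all servers in parallel; a host that cannot be
# reached produces an error but does not stop the others.
$results = Invoke-Command -ComputerName $servers -ScriptBlock $remediate -ErrorAction Continue

$results | Format-Table Host, AllProfilesOn, ProfileStates, RegEnableFirewall, MpsSvcStatus -AutoSize

# Escalate anything that is still not enforced rather than closing the ticket on assumption.
$notFixed = @($results | Where-Object { -not $_.AllProfilesOn -or $_.MpsSvcStatus -ne 'Running' })
if ($notFixed.Count -gt 0) {
    Write-Warning "Firewall still not enforced on: $($notFixed.Host -join ', ')"
}

# Hosts that returned nothing (unreachable or WinRM blocked) also need follow-up.
$missing = $servers | Where-Object { $_ -notin $results.Host }
if ($missing) { Write-Warning "No verification result from: $($missing -join ', ')" }
```

Returning a per-host object rather than relying on the cmdlets' silent success is the point: the Findings column in step 6 ("All firewalls enabled and active") should be backed by a record showing each profile's state and the service status on every server, and any server that did not answer is treated as unverified, not as fixed.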

Jira Incident Report
Ticket: SOC-2024-187
Summary: T1562.004 – Windows Firewall Disabled on 4 Critical Servers
Status: RESOLVED
Resolution: MALICIOUS – Firewall Restored
Priority: P1 – CRITICAL
Labels: T1562, disable-firewall, netsh, defense-evasion, compromised-admin
Components: Network-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Palo Alto Cortex XDR.
Alert: “Windows Firewall Disabled – Potential Defense Evasion”.
Hosts: SQL-SRV-01, WEB-SRV-01, FILESRV-01, DC-01.
Action: Windows Firewall disabled via netsh.
Time: 2024-03-08 14:15 EST.
Technique: MITRE ATT&CK T1562.004 – Impair Defenses: Disable or Modify System Firewall.

2. Technical Analysis:

Attack Chain:

13:30 – Admin account (kwilson) compromised via phishing
13:45 – Attacker logs into the admin workstation via RDP
13:50 – Attacker enumerates critical servers
14:00-14:15 – Attacker uses PsExec to disable the firewall on each server
14:15 – Cortex XDR detects the activity

Firewall Disablement:

Command: netsh advfirewall set allprofiles state off
Registry: HKLM\…\EnableFirewall set to 0
Service: MpsSvc stopped
Result: All inbound/outbound traffic allowed

Attacker Intent:

Allow unrestricted C2 communication
Enable lateral movement without restrictions
Prepare for ransomware deployment

Compromised Admin:

kwilson (Domain Admin)
No MFA (now enforced)

3. Investigation Findings:

Timeline:

13:30 – Admin account compromised
13:45 – Attacker logs in
13:50 – Server enumeration
14:00-14:15 – Firewall disablement
14:15 – Alert
14:17 – SOC investigates
14:18 – Admin workstation isolated
14:19 – Firewall re-enabled on all servers

Indicators of Compromise (IoCs):

Commands:

– netsh advfirewall set allprofiles state off

– sc stop MpsSvc

Registry:

– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = 0

Account:

– kwilson (compromised)

4. Containment Actions:

Immediate Actions:

Isolated compromised admin workstation.
Re-enabled firewall on all 4 servers using PowerShell (Invoke-Command).
Restarted MpsSvc service.
Verified firewall status.
Disabled kwilson account.
Reset password.
Blocked attacker IP.

Verification:

Confirmed firewall active on all servers.
No persistent changes found.

Host Remediation:

Full scan on admin workstation (clean).
Reimaged as precaution.

5. Root Cause Analysis:

Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to critical servers.

6. Business Impact:

Operational Impact: Servers exposed for ~15 minutes.
Data Exposure: No evidence of data theft.

7. Remediation & Prevention:

Completed Actions:

Firewall restored.
Account secured.
Attacker blocked.

Technical Controls Enhanced:

Enforced MFA for all admins.
Moved admin access behind VPN only.
Created alert for firewall disablement.
Implemented change management for firewall rules.

8. Conclusion:

An attacker compromised an admin account and disabled Windows Firewall on four critical servers to pave the way for further attacks. Cortex XDR detected the changes, enabling rapid restoration. No data was exfiltrated.

Closure Rationale: Firewall restored; account secured; attacker blocked.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-08 15:30 EST