Attackers can use Windows Firewall to block EDR telemetry leaving the endpoint. Read on for how this is mitigated.
Risk background
As well as the usual source and destination criteria (addresses and ports), Windows Firewall can block outbound communication based on the service or program that initiates it.
An attacker with elevated access to an endpoint will want to shut down Defender for Endpoint (MDE) as soon as possible, and one method is to block the client agent's communication with the cloud service.
The following PowerShell commands achieve this by blocking outbound TCP/443 from:
- the WinDefend service (Microsoft Defender Antivirus, hosted by MsMpEng.exe)
- SenseCncProxy.exe (the proxy that brokers the sensor's cloud communication)
- MsSense.exe (the main MDE sensor process)
# PowerShell commands to block outbound TCP/443 from the MDE agent to the cloud service (run elevated)
# Service-based rule: matches traffic initiated by the WinDefend service (MsMpEng.exe)
New-NetFirewallRule -DisplayName "Block 443 MsMpEng" -Name "Block 443 MsMpEng" -Direction Outbound -Service WinDefend -Enabled True -RemotePort 443 -Protocol TCP -Action Block
# Program-based rules: match traffic initiated by the MDE sensor binaries, identified by path
New-NetFirewallRule -DisplayName "Block 443 SenseCncProxy" -Name "Block 443 SenseCncProxy" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" -Enabled True -RemotePort 443 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block 443 MsSense" -Name "Block 443 MsSense" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe" -Enabled True -RemotePort 443 -Protocol TCP -Action Block
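As a defender, the first thing to check after reading about this technique is whether such rules already exist on a host. The following PowerShell is an added example, not part of the original article: it enumerates the effective outbound block rules whose program or service filter targets the Defender/MDE components named above, reports which policy store each rule came from, and can optionally delete the locally created ones. The install paths are the default MDE locations, and the function and variable names are the example's own.

```powershell
# Added example: hunt for outbound block rules aimed at Defender / MDE components.
# Run in an elevated PowerShell session on the endpoint.

# Assumed default install locations of the binaries the attack targets.
$MdePrograms = @(
    "$env:ProgramFiles\Windows Defender Advanced Threat Protection\MsSense.exe",
    "$env:ProgramFiles\Windows Defender Advanced Threat Protection\SenseCncProxy.exe",
    "$env:ProgramFiles\Windows Defender\MsMpEng.exe"
)
# Services an attacker can name instead of a program path.
$MdeServices = @('WinDefend', 'Sense')

function Find-MdeBlockingFirewallRule {
    [CmdletBinding()]
    param(
        # ActiveStore = the merged rule set the firewall is actually enforcing.
        [string]$PolicyStore = 'ActiveStore',
        # Delete matching rules that were created locally; GPO-sourced rules are left alone.
        [switch]$Remove
    )

    $rules = Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Outbound -Action Block -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $app = $rule | Get-NetFirewallApplicationFilter
        $svc = $rule | Get-NetFirewallServiceFilter

        # The program filter keeps the path as written (e.g. %ProgramFiles%\...),
        # so expand it before comparing against the known binaries.
        $program = [Environment]::ExpandEnvironmentVariables([string]$app.Program)

        $hitProgram = $MdePrograms -contains $program
        $hitService = $MdeServices -contains $svc.Service
        if (-not ($hitProgram -or $hitService)) { continue }

        $finding = [pscustomobject]@{
            Name        = $rule.Name
            DisplayName = $rule.DisplayName
            Enabled     = $rule.Enabled
            Program     = $program
            Service     = $svc.Service
            Source      = $rule.PolicyStoreSourceType   # Local vs GroupPolicy
            SourceStore = $rule.PolicyStoreSource       # GPO name for policy rules
            Removed     = $false
        }

        if ($Remove -and ($rule.PolicyStoreSourceType -eq 'Local')) {
            # Local rules live in the persistent store; a GPO rule has to be fixed in the GPO.
            Remove-NetFirewallRule -Name $rule.Name -PolicyStore PersistentStore
            $finding.Removed = $true
        }
        $finding
    }
}

# Report only:
Find-MdeBlockingFirewallRule | Format-Table -AutoSize
# Report and delete locally created matches:
# Find-MdeBlockingFirewallRule -Remove
```

Querying the ActiveStore rather than the PersistentStore matters: it shows the rules the firewall is enforcing after policy merge, so a rule that matches here is actually blocking the sensor, and the Source column tells you whether it was planted locally or arrived through policy.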
Mitigation
1 - Tamper Protection
The most important mitigation is to enable MDE Tamper Protection.
Tamper Protection prevents users with elevated rights on the endpoint from changing the MDE client configuration, and that includes creating local firewall rules that affect MDE processes. If the commands above are run on a protected endpoint, MDE blocks the change and generates an alert.
Enable Tamper Protection as follows:
Microsoft Defender portal > Settings > Endpoints > Advanced features > Tamper protection = On
2 - Firewall Rule Merging
Windows Firewall local rule merging should be disabled so that rules created on the endpoint are not applied.
Windows Firewall has rule sources: Group Policy is one, and rules created locally on the endpoint are another. Even when the firewall is managed by GPO or Intune, local rule merging is allowed by default, so locally created rules are merged into the effective rule set.
When rule merging is enabled, a local block rule can override a policy-based allow rule (block rules take precedence over allow rules). Similarly, a local allow rule can override the policy-based profile defaults (the default actions applied to each profile: Domain, Private and Public).
Disable Local Rule Merging as follows:
Group Policy Editor:
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Properties > [PROFILE NAME] tab > Settings > Customize > Rule merging > Apply local firewall rules = No
Intune Policy:
Endpoint security > Firewall > Create policy > Platform: Windows 10, Windows 11, and Windows Server > Profile: Microsoft Defender Firewall > [Provide a name] > Allow Local Policy Merge = False (set this for each of the Domain, Private and Public profiles)
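To confirm that both mitigations are actually in effect on an endpoint, rather than only configured in the portal or a GPO, the following PowerShell is an added example, not part of the original article. It reads the Tamper Protection status from the Defender platform and the effective local-rule-merging setting of each firewall profile from the active store. The function name is the example's own; the TamperProtectionSource property is only exposed by recent Defender platform versions, so it is treated as optional.

```powershell
# Added example: verify the two mitigations are in force on this endpoint.
# Run elevated on a host with the Defender PowerShell module (Get-MpComputerStatus).

function Test-MdeFirewallHardening {
    [CmdletBinding()]
    param()

    $results = [System.Collections.Generic.List[object]]::new()

    # 1. Tamper Protection, as reported by the Defender AV platform.
    $mp = Get-MpComputerStatus
    $source = if ($mp.PSObject.Properties['TamperProtectionSource']) { $mp.TamperProtectionSource } else { 'n/a' }
    $results.Add([pscustomobject]@{
        Check  = 'Tamper Protection'
        Value  = $mp.IsTamperProtected
        Pass   = [bool]$mp.IsTamperProtected
        Detail = "Source: $source"
    })

    # 2. Local rule merging per profile. ActiveStore reflects the effective value after
    #    GPO/Intune policy is applied; NotConfigured means the default (merging allowed),
    #    so anything other than False is a fail.
    foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $results.Add([pscustomobject]@{
            Check  = "Local rule merge ($($fwProfile.Name))"
            Value  = $fwProfile.AllowLocalFirewallRules
            Pass   = ([string]$fwProfile.AllowLocalFirewallRules -eq 'False')
            Detail = "Profile enabled: $($fwProfile.Enabled)"
        })
    }
    $results
}

$report = Test-MdeFirewallHardening
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) {
    Write-Warning 'One or more mitigations are not in effect; local firewall rules could still block MDE telemetry.'
}
```

Checking the Domain, Private and Public profiles separately is deliberate: the merge setting is per profile, and a laptop that is hardened on the Domain profile but left at the default on Public still accepts local rules as soon as it connects to an untrusted network.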
Summary
With Tamper Protection enabled and Windows Firewall local rule merging disabled, the chances of an attacker abusing local firewall rules to silence MDE are slim. Both controls only cover rules created on the endpoint itself; an attacker who can edit the GPO or Intune policy, or who controls a network device upstream of the host, is outside their scope.
This article was originally posted on Write-Verbose.com