{"id":28072,"date":"2024-08-22T16:18:49","date_gmt":"2024-08-22T15:18:49","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/kuma-siem-improvement-2024q2\/28072\/"},"modified":"2024-08-22T16:18:49","modified_gmt":"2024-08-22T15:18:49","slug":"kuma-siem-improvement-2024q2","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/kuma-siem-improvement-2024q2\/28072\/","title":{"rendered":"Expanding the functionality of our SIEM system"},"content":{"rendered":"<p>We meticulously study the techniques most frequently used by attackers, and promptly refine or add detection logic to our SIEM system to identify those techniques. Specifically, in the update to the <a href=\"https:\/\/www.kaspersky.co.uk\/enterprise-security\/unified-monitoring-and-analysis-platform?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Unified Monitoring and Analysis Platform<\/a> released in the second quarter of 2024, we supplemented and expanded the logic for detecting the technique of disabling\/modifying a local firewall (<a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\/004\/\" target=\"_blank\" rel=\"nofollow noopener\">Impair Defenses: Disable or Modify System Firewall T1562.004<\/a> in the MITRE classification), which ranks among the top <em>tactics, techniques, and procedures<\/em> (TTPs) used by attackers.<\/p>\n<h2>How attackers disable or modify a local firewall<\/h2>\n<p>The T1562.004 technique allows attackers to bypass defenses and gain the ability to connect to C2 servers over the network, or to grant an atypical application basic network access.<\/p>\n<p>There are two common methods for modifying or disabling the host firewall: (i) using the <em>netsh<\/em> utility, or (ii) modifying the Windows registry settings. 
Here are examples of popular command lines used by attackers for these purposes:<\/p>\n<div style=\"background-color: #e5f0ec; padding: 10px 25px; margin-bottom: 10px;\">\n<ul>\n<li>netsh firewall add allowedprogram<\/li>\n<li>netsh firewall set opmode mode=disable<\/li>\n<li>netsh advfirewall set currentprofile state off<\/li>\n<li>netsh advfirewall set allprofiles state off<\/li>\n<\/ul>\n<\/div>\n<p>Example of a registry key and value added by attackers, allowing incoming UDP traffic for the application <em>C:\\Users\\&lt;user&gt;\\AppData\\Local\\Temp\\server.exe<\/em>:<\/p>\n<div style=\"background-color: #e5f0ec; padding: 10px 25px; margin-bottom: 10px;\">\n<p>HKLM\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules<\/p>\n<p>Registry_value_name: {20E9A179-7502-465F-99C4-CC85D61E7B23}<\/p>\n<p>Registry_value: \u2019v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\\Users\\&lt;user&gt;\\AppData\\Local\\Temp\\server.exe|Name=server.exe|\u2019<\/p>\n<\/div>\n<p>Another method attackers use to disable the firewall is by stopping the mpssvc service. 
This is typically done with the <em>net<\/em> utility:<\/p>\n<div style=\"background-color: #e5f0ec; padding: 10px 25px; margin-bottom: 10px;\">net stop mpssvc<\/div>\n<h2>How our SIEM solution detects T1562.004<\/h2>\n<p>This is achieved using the new R240 rule; in particular, by detecting and correlating the following events:<\/p>\n<ul>\n<li>Attacker stopping the local firewall service to bypass its restrictions<\/li>\n<li>Attacker disabling or modifying the local firewall policy to bypass it (configuring or disabling the firewall via netsh.exe)<\/li>\n<li>Attacker changing local firewall rules through the registry to bypass its restrictions (modifying rules through the Windows registry)<\/li>\n<li>Attacker disabling the local firewall through the registry<\/li>\n<li>Attacker manipulating the local firewall by modifying its policies<\/li>\n<\/ul>\n<p>With its latest update, the platform now offers more than 605 rules, including 474 containing direct detection logic. We\u2019ve also refined 20 existing rules by fixing or adjusting their conditions.<\/p>\n<h2>Why we focus on the MITRE classification<\/h2>\n<p><a href=\"https:\/\/attack.mitre.org\/tactics\/enterprise\/\" target=\"_blank\" rel=\"nofollow noopener\">MITRE ATT&amp;CK for Enterprise<\/a> serves as the de facto industry standard guideline for classifying and describing cyberattacks and intrusions, and is made up of 201 techniques, 424 sub-techniques, and thousands of procedures. 
Therefore, when deciding how to further develop our SIEM platform \u2014 the Kaspersky Unified Monitoring and Analysis Platform \u2014 we rely, among other things, on the MITRE classification.<\/p>\n<p>As per our plan set out in a <a href=\"https:\/\/www.kaspersky.com\/blog\/unified-monitoring-and-analysis-normalizers-correlation-rules\/51421\/\" target=\"_blank\" rel=\"noopener nofollow\">previous post<\/a>, we\u2019ve started labeling current rules in accordance with MITRE attack methods and tactics \u2014 aiming to expand the system\u2019s functionality and reflect the level of protection against known threats. This is important because it allows us to structure the detection logic and ensure that the rules are comprehensive \u2014 with no \u201cblind spots\u201d. We also rely on MITRE when developing OOTB (out-of-the-box) content for our SIEM platform. Currently, our solution covers 309 MITRE ATT&amp;CK techniques and sub-techniques.<\/p>\n<h2>Other additions and improvements to the SIEM system<\/h2>\n<p>In addition to the detection logic for T1562.004 mentioned above, we\u2019ve added normalizers to the Kaspersky Unified Monitoring and Analysis Platform SIEM system to support the following event sources:<\/p>\n<ul>\n<li>[OOTB] Microsoft Products, [OOTB] Microsoft Products for Kaspersky Unified Monitoring and Analysis Platform 3, [OOTB] Microsoft Products via KES WIN: normalizers to process some events from the Security and System logs of the Microsoft Windows Server operating system. 
The [OOTB] Microsoft Products via KES WIN normalizer supports a limited number of audit event types transmitted to KUMA by KES WIN 12.6 through syslog.<\/li>\n<li>[OOTB] Extreme Networks Summit Wireless Controller: a normalizer for certain audit events from the Extreme Networks Summit wireless controller (model: WM3700, firmware version: 5.5.5.0-018R).<\/li>\n<li>[OOTB] Kaspersky Security for MS Exchange SQL: a normalizer for Kaspersky Security for Exchange (KSE) version 9.0 system events stored in the database.<\/li>\n<li>[OOTB] TIONIX VDI file: a normalizer supporting the processing of some TIONIX VDI (version 2.8) system events stored in the tionix_lntmov.log file.<\/li>\n<li>[OOTB] SolarWinds Dameware MRC xml: a normalizer supporting the processing of some Dameware Mini Remote Control (MRC) version 7.5 system events stored in the Windows Application log. The normalizer processes events created by the \u201cdwmrcs\u201d provider.<\/li>\n<li>[OOTB] H3C Routers syslog: a normalizer for certain types of events coming from H3C (Huawei-3Com) SR6600 network devices (Comware 7 firmware) through syslog. 
The normalizer supports the \u201cstandard\u201d event format (RFC 3164-compliant format).<\/li>\n<li>[OOTB] Cisco WLC syslog: a normalizer for certain types of events coming from Cisco WLC network devices (2500 Series Wireless Controllers, 5500 Series Wireless Controllers, 8500 Series Wireless Controllers, Flex 7500 Series Wireless Controllers) through syslog.<\/li>\n<li>[OOTB] Huawei iManager 2000 file: a normalizer supporting the processing of some of the Huawei iManager 2000 system events stored in clientlogsrpc and clientlogsdeployossDeployment files.<\/li>\n<\/ul>\n<p>Our experts have also refined the following normalizers:<\/p>\n<ul>\n<li>For Microsoft products: the redesigned Windows normalizer is now publicly available.<\/li>\n<li>For the PT NAD system: a new normalizer has been developed for PT NAD versions 11.1, 11.0.<\/li>\n<li>For UNIX-like operating systems: additional event types are now supported.<\/li>\n<li>For Check Point: improvements to the normalizer supporting Check Point R81.<\/li>\n<li>For the Citrix NetScaler system: additional events from Citrix ADC 5550 \u2014 NS13.0 are now supported.<\/li>\n<li>For FreeIPA: the redesigned normalizer is now publicly available.<\/li>\n<\/ul>\n<p>In total, we now support around 250 sources, and we keep expanding this list while improving the quality of each connector. The full list of supported event sources in the Kaspersky Unified Monitoring and Analysis Platform \u2014 version 3.2, can be found in the <a href=\"https:\/\/support.kaspersky.com\/help\/KUMA\/3.2\/en-US\/255782.htm\" target=\"_blank\" rel=\"nofollow noopener\">technical support section<\/a>. 
Information on out-of-the-box correlation rules is also available there.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Detection of techniques for disabling or modifying a local firewall, and other enhancements to the Kaspersky Unified Monitoring and Analysis Platform.<\/p>\n","protected":false},"author":2757,"featured_media":28073,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1836,2360],"tags":[2518],"class_list":{"0":"post-28072","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-siem"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/kuma-siem-improvement-2024q2\/28072\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/kuma-siem-improvement-2024q2\/27896\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/kuma-siem-improvement-2024q2\/23191\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/kuma-siem-improvement-2024q2\/38066\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/kuma-siem-improvement-2024q2\/52011\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/kuma-siem-improvement-2024q2\/28199\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/kuma-siem-improvement-2024q2\/34005\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/kuma-siem-improvement-2024q2\/33667\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/siem\/","name":"SIEM"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/28072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/bl
og\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2757"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=28072"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/28072\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/28073"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=28072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=28072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=28072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}