Netsh Open FW Proxy Ports

Metadata

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/21

Modification Date

2020/10/21

Tactics

TA0005

Techniques

T1562.004

Tags

art.15e57006-79dd-46df-9bf9-31bc24fb5a80

Dataset Description

This dataset captures an adversary modifying the local Windows Firewall with netsh to open an inbound port for a proxy.

Simulation Metadata

Tools

type   | Name | Module
Manual | cmd  | cmd

Adversary View

netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450
netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# URL of the compressed dataset (a zip containing one JSON-lines file)
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_netsh_fw_mod_open_ports.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()  # fail early on a bad download instead of feeding ZipFile garbage
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the first (and only) member to the working directory and keep its path
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The dataset is line-delimited JSON: one event per line
df = pd.read_json(datasetJSONPath, lines=True)

Access Security Events

# Count how many events each Windows event channel contributed
df.groupby(['Channel']).size().sort_values(ascending=False)
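Beyond counting channels, a defender will want to pull the actual firewall modification out of the process-creation events. The following added example (not part of the dataset or the OTRF notebooks) parses `netsh advfirewall firewall add rule` command lines into their key=value fields and flags any that allow inbound traffic; the three JSON-lines records, hostnames and field names are constructed here for offline use and only mimic the shape of the real dataset.

```python
import json
import re
import shlex

# Constructed sample records (NOT from the dataset) in the flattened JSON-lines
# shape the page's read_json call expects; field names follow common Sysmon/Security
# event fields. Only the first record adds an inbound allow rule.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Hostname": "WORKSTATION5", "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="atomic testing" '
                    'action=allow dir=in protocol=TCP localport=450'},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Hostname": "WORKSTATION5", "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall delete rule name="atomic testing" '
                    'protocol=TCP localport=450'},
    {"Channel": "Security", "EventID": 4688, "Hostname": "WORKSTATION5",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
])

ADD_RULE = re.compile(r"^netsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)

def parse_netsh_rule(cmdline):
    """Return the key=value arguments of a 'netsh advfirewall firewall add rule'
    command as a lower-cased dict, or None if the command is not one."""
    if not ADD_RULE.match(cmdline.strip()):
        return None
    fields = {}
    for tok in shlex.split(cmdline, posix=True):  # shlex keeps name="atomic testing" whole
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k.lower()] = v.lower()
    return fields

def find_inbound_allow_rules(jsonl):
    """Return (hostname, localport, rule name) for each process-creation event
    (Sysmon 1 or Security 4688) whose command line adds an inbound allow rule."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") not in (1, 4688):
            continue
        rule = parse_netsh_rule(ev.get("CommandLine", ""))
        if rule and rule.get("action") == "allow" and rule.get("dir") == "in":
            hits.append((ev.get("Hostname"), rule.get("localport"), rule.get("name")))
    return hits

if __name__ == "__main__":
    for hit in find_inbound_allow_rules(SAMPLE_EVENTS):
        print("inbound allow rule added:", hit)
```

To run it over the page's `df` instead of the constructed records, `df.to_json(orient="records", lines=True)` yields the same line-delimited form the function consumes.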