forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
disable_windows_fw.py
40 lines (27 loc) · 1.22 KB
/
disable_windows_fw.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
# Name: Disable Windows Firewall
# RTA: disable_windows_fw.py
# ATT&CK: T1089
# signal.rule.name: Disable Windows Firewall Rules via Netsh
# Description: Uses netsh.exe to backup, disable and restore firewall rules.
import os
from . import common
@common.requires_os(common.WINDOWS)
def main():
common.log("NetSH Advanced Firewall Configuration", log_type="~")
netsh = "netsh.exe"
rules_file = os.path.abspath("fw.rules")
# Check to be sure that fw.rules does not already exist from previously running this script
common.remove_file(rules_file)
common.log("Backing up rules")
common.execute([netsh, "advfirewall", "export", rules_file])
common.log("Disabling the firewall")
common.execute([netsh, "advfirewall", "set", "allprofiles", "state", "off"])
common.log("Undoing the firewall change", log_type="-")
common.execute([netsh, "advfirewall", "import", rules_file])
common.remove_file(rules_file)
if __name__ == "__main__":
exit(main())