administrator may allow inbound traffic in certain network or machine.

t1021
t1021.001
endpoint
splunk

Techniques

T1021
T1021.001

Sample rules

Allow Inbound Traffic In Firewall Rule

source: splunk
technicques:
- T1021.001
- T1021

Description

The following analytic identifies suspicious PowerShell command to allow inbound traffic inbound to a specific local port within the public profile. This technique was seen in some attacker want to have a remote access to a machine by allowing the traffic in firewall rule.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*firewall*" ScriptBlockText = "*Inbound*" ScriptBlockText = "*Allow*"  ScriptBlockText = "*-LocalPort*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `allow_inbound_traffic_in_firewall_rule_filter`