LoFP / administrator scripts or activity.

Techniques

Sample rules

New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE

Description

Detects the addition of a new “Allow” firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as “New-NetFirewallRule”, or directly uses WMI CIM classes such as “MSFT_NetFirewallRule”.

Detection logic

condition: selection
selection:
  Action: 3
  EventID:
  - 2004
  - 2071
  - 2097
  ModifyingApplication|endswith: :\Windows\System32\wbem\WmiPrvSE.exe
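The following is an added example, not code from the LoFP page or from the rule's authors. It applies the selection above to a handful of constructed Windows Firewall events, using Sigma's default semantics (map entries are AND-ed, list values are OR-ed, string comparison is case-insensitive), so a detection engineer can see exactly which records the rule fires on and which it ignores. The field names (EventID, Action, ModifyingApplication) are taken from the rule itself; the sample events and their paths are constructed for the demonstration.

```python
"""Evaluate the Sigma selection above against constructed Windows Firewall
events. Added example: the records below are constructed, not real logs."""

# The selection exactly as the rule states it. "|endswith" is a Sigma field
# modifier; Sigma string matching is case-insensitive by default.
SELECTION = {
    "Action": 3,                      # 3 = Allow, per the rule description
    "EventID": [2004, 2071, 2097],    # firewall rule add / modify events
    "ModifyingApplication|endswith": r":\Windows\System32\wbem\WmiPrvSE.exe",
}


def field_matches(value, expected, modifier):
    """Compare one event value against one expected value using a Sigma modifier."""
    v, e = str(value).lower(), str(expected).lower()
    if modifier == "":
        return v == e
    if modifier == "endswith":
        return v.endswith(e)
    raise ValueError(f"unsupported Sigma modifier: {modifier!r}")


def matches(event, selection=SELECTION):
    """Return True when every selection entry matches the event (Sigma AND
    across map keys, OR across list values). A missing field never matches."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(field_matches(event[field], c, modifier) for c in candidates):
            return False
    return True


def alerting_events(events, selection=SELECTION):
    """Return the names of the constructed events that trip the rule."""
    return [ev["name"] for ev in events if matches(ev, selection)]


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {   # Allow rule added through WMI; mixed-case path shows case-insensitivity
        "name": "wmi-allow-rule",
        "EventID": 2004, "Action": 3,
        "ModifyingApplication": r"C:\WINDOWS\System32\wbem\WmiPrvSE.exe",
    },
    {   # Block rule added through WMI: Action 2 does not satisfy Action: 3
        "name": "wmi-block-rule",
        "EventID": 2004, "Action": 2,
        "ModifyingApplication": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
    {   # Same Allow rule but created by netsh: ModifyingApplication differs
        "name": "netsh-allow-rule",
        "EventID": 2004, "Action": 3,
        "ModifyingApplication": r"C:\Windows\System32\netsh.exe",
    },
    {   # Rule modified through WMI (2071 is in the EventID list)
        "name": "wmi-modify-rule",
        "EventID": 2071, "Action": 3,
        "ModifyingApplication": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
    {   # Rule deleted through WMI: EventID 2006 is not in the list
        "name": "wmi-delete-rule",
        "EventID": 2006, "Action": 3,
        "ModifyingApplication": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
]

if __name__ == "__main__":
    for name in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Only `wmi-allow-rule` and `wmi-modify-rule` fire. The `netsh-allow-rule` record shows why this rule alone does not cover every rule-addition path, and the LoFP category above (administrator scripts or activity) is the expected source of the true-but-benign hits: a PowerShell session running `New-NetFirewallRule` goes through the same WmiPrvSE.exe path, so triage should look at who launched the WMI work rather than suppressing the rule outright.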