legitimate administration activity

Techniques

Sample rules

RDP Connection Allowed Via Netsh.EXE

source: sigma
technicques:
- t1562
- t1562.004

Description

Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - portopening
  - allow
  CommandLine|contains|all:
  - 'firewall '
  - 'add '
  - 'tcp '
  - '3389'
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

New Firewall Rule Added Via Netsh.EXE

source: sigma
technicques:
- t1562
- t1562.004

Description

Detects the addition of a new rule to the Windows firewall via netsh

Detection logic

condition: all of selection_* and not 1 of filter_optional_*
filter_optional_dropbox:
  CommandLine|contains:
  - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program
    Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
  - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program
    Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
selection_cli:
  CommandLine|contains|all:
  - ' firewall '
  - ' add '
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

Netsh Allow Group Policy on Microsoft Defender Firewall

source: sigma
technicques:
- t1562
- t1562.004

Description

Adversaries may modify system firewalls in order to bypass controls limiting network usage

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - advfirewall
  - firewall
  - set
  - rule
  - group=
  - new
  - enable=Yes
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

Firewall Rule Update Via Netsh.EXE

source: sigma
technicques:

Description

Detects execution of netsh with the “advfirewall” and the “set” option in order to set new values for properties of a existing rule

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - ' firewall '
  - ' set '
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

New Port Forwarding Rule Added Via Netsh.EXE

source: sigma
technicques:
- t1090

Description

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Detection logic

condition: selection_img and 1 of selection_cli_*
selection_cli_1:
  CommandLine|contains|all:
  - interface
  - portproxy
  - add
  - v4tov4
selection_cli_2:
  CommandLine|contains|all:
  - 'i '
  - 'p '
  - 'a '
  - 'v '
selection_cli_3:
  CommandLine|contains|all:
  - connectp
  - listena
  - c=
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

Firewall Rule Deleted Via Netsh.EXE

source: sigma
technicques:
- t1562
- t1562.004

Description

Detects the removal of a port or application rule in the Windows Firewall configuration using netsh

Detection logic

condition: all of selection_* and not 1 of filter_optional_*
filter_optional_dropbox:
  CommandLine|contains: name=Dropbox
  ParentImage|endswith: \Dropbox.exe
selection_cli:
  CommandLine|contains|all:
  - firewall
  - 'delete '
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

New Network Trace Capture Started Via Netsh.EXE

source: sigma
technicques:
- t1040

Description

Detects the execution of netsh with the “trace” flag in order to start a network capture

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - trace
  - start
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

Firewall Disabled via Netsh.EXE

source: sigma
technicques:
- t1562
- t1562.004

Description

Detects netsh commands that turns off the Windows firewall

Detection logic

condition: selection_img and 1 of selection_cli_*
selection_cli_1:
  CommandLine|contains|all:
  - firewall
  - set
  - opmode
  - disable
selection_cli_2:
  CommandLine|contains|all:
  - advfirewall
  - set
  - state
  - 'off'
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

Nltest.EXE Execution

source: sigma
technicques:
- t1016
- t1018
- t1482

Description

Detects nltest commands that can be used for information discovery

Detection logic

condition: selection
selection:
- Image|endswith: \nltest.exe
- OriginalFileName: nltestrk.exe

RDP Port Forwarding Rule Added Via Netsh.EXE

source: sigma
technicques:
- t1090

Description

Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - ' i'
  - ' p'
  - =3389
  - ' c'
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe