Techniques
Sample rules
Allow Inbound Traffic By Firewall Rule Registry
- source: splunk
- technicques:
- T1021.001
- T1021
Description
The following analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*
|Action=Allow
|*" Registry.registry_value_data = "*
|Dir=In
|*" Registry.registry_value_data = "*
|LPort=*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `allow_inbound_traffic_by_firewall_rule_registry_filter`