A network admin may add, remove or modify a public inbound firewall rule, which may cause this rule to trigger.

Techniques

Sample rules

Allow Inbound Traffic By Firewall Rule Registry

Description

The following analytic detects a potentially suspicious modification of a firewall rule stored in the registry that allows inbound traffic on a specific local port, typically on the public profile. An adversary uses this technique to grant remote access to a machine by allowing the traffic through a firewall rule. Note that the search below only tests the rule string for Action=Allow, Dir=In and LPort; it does not filter on the Profile field, so inbound allow rules scoped to the domain or private profiles are reported as well.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `allow_inbound_traffic_by_firewall_rule_registry_filter`
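To see what the WHERE clause and the hourly BY grouping above actually select, the following added example (not part of the page or of Splunk's security content) re-expresses the detection in Python and runs it over constructed registry events. It assumes the pipe-delimited rule string format Windows Defender Firewall writes under the FirewallRules key (for example v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=4444|Name=...|); the event values, hostnames, users and GUID-like value names are all made up, and the exposed_to_public helper is an extra refinement the SPL does not perform.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Subkey the SPL matches with a leading and trailing wildcard.
FIREWALL_RULES_KEY = ("\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
                      "\\FirewallPolicy\\FirewallRules\\")
# Another real subkey under FirewallPolicy, used here only to show the path filter at work.
OTHER_POLICY_KEY = ("\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
                    "\\FirewallPolicy\\RestrictedServices\\Static\\System\\")


def _utc(s):
    """ISO-8601 string -> epoch seconds; helper for building the constructed sample."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()


def _event(t, dest, user, value_name, data, path_key=FIREWALL_RULES_KEY):
    """Build one Endpoint.Registry-style event (constructed, not real telemetry)."""
    return {"_time": _utc(t), "dest": dest, "user": user,
            "process_guid": "pg-" + value_name,
            "registry_path": "HKLM" + path_key + value_name,
            "registry_key_name": path_key.rstrip("\\").rsplit("\\", 1)[-1],
            "registry_value_name": value_name, "registry_value_data": data}


PUBLIC_4444 = ("v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public"
               "|LPort=4444|Name=Updater|")
DOMAIN_RDP = ("v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain"
              "|LPort=3389|Name=Remote Desktop|")

SAMPLE_EVENTS = [
    # Public inbound allow for TCP 4444: what the analytic is written to catch.
    _event("2024-05-01T10:05:00", "ws01", "CORP\\svc_deploy", "{A1}", PUBLIC_4444),
    # Same value rewritten 35 minutes later by the same process: aggregates into one row, count=2.
    _event("2024-05-01T10:40:00", "ws01", "CORP\\svc_deploy", "{A1}", PUBLIC_4444),
    # Inbound allow scoped to the Domain profile: still matches, the SPL has no Profile test.
    _event("2024-05-01T11:02:00", "ws02", "CORP\\admin", "{B2}", DOMAIN_RDP),
    # Outbound rule: Dir=Out and no LPort, no match.
    _event("2024-05-01T11:10:00", "ws02", "CORP\\admin", "{C3}",
           "v2.31|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|Name=Agent|"),
    # Inbound block: Action=Block, no match.
    _event("2024-05-01T11:15:00", "ws03", "CORP\\jdoe", "{D4}",
           "v2.31|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=445|Name=No SMB|"),
    # Identical rule string under a different key: excluded by the path filter.
    _event("2024-05-01T11:20:00", "ws03", "CORP\\jdoe", "{E5}", PUBLIC_4444, OTHER_POLICY_KEY),
]


def parse_rule(value_data):
    """Split the pipe-delimited rule string into a dict; the leading 'v2.x' version tag is dropped."""
    fields = {}
    for token in value_data.split("|"):
        key, sep, val = token.partition("=")
        if sep:
            fields[key] = val
    return fields


def matches_detection(event):
    """Same predicate as the SPL WHERE clause: FirewallRules path plus the three substring
    tests on the value data (case-insensitive, like Splunk's wildcard match on strings)."""
    path = event["registry_path"].lower()
    data = event["registry_value_data"].lower()
    return (FIREWALL_RULES_KEY.lower() in path
            and "|action=allow|" in data
            and "|dir=in|" in data
            and "|lport=" in data)


def run_detection(events):
    """Mirror the BY clause: bucket matches into 1h spans and emit count, firstTime and
    lastTime per distinct (path, value, data, process, host, user) tuple."""
    groups = defaultdict(list)
    for e in events:
        if not matches_detection(e):
            continue
        bucket = int(e["_time"] // 3600) * 3600
        key = (bucket, e["registry_path"], e["registry_value_name"],
               e["registry_value_data"], e["process_guid"], e["dest"], e["user"])
        groups[key].append(e["_time"])
    rows = []
    for (bucket, path, vname, data, pguid, dest, user), times in sorted(groups.items()):
        rows.append({"_time": bucket, "dest": dest, "user": user, "process_guid": pguid,
                     "registry_path": path, "registry_value_name": vname,
                     "registry_value_data": data, "count": len(times),
                     "firstTime": min(times), "lastTime": max(times)})
    return rows


def exposed_to_public(value_data):
    """Refinement not in the SPL: keep only rules that apply to the Public profile.
    Assumption made here: a rule string with no Profile field applies to every profile."""
    profile = parse_rule(value_data).get("Profile")
    return profile is None or "public" in profile.lower()


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        flag = "public" if exposed_to_public(row["registry_value_data"]) else "non-public"
        print(row["dest"], row["user"], row["registry_value_name"], row["count"], flag)
```

Running it yields two rows: the ws01 rule (count 2, firstTime and lastTime 35 minutes apart) and the ws02 domain-profile RDP rule, while the outbound, block and wrong-key events fall out. Passing each row's value data through exposed_to_public is one way to narrow the results to the public-profile case the description talks about before the filter macro is applied.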