Techniques
Sample rules
New Firewall Rule Added Via Netsh.EXE
- source: sigma
- techniques:
- t1562
- t1562.004
Description
Detects the addition of a new rule to the Windows firewall via netsh
Detection logic
condition: all of selection_* and not 1 of filter_optional_*
filter_optional_dropbox:
  CommandLine|contains:
    - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
    - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
selection_cli:
  CommandLine|contains|all:
    - ' firewall '
    - ' add '
selection_img:
  - Image|endswith: \netsh.exe
  - OriginalFileName: netsh.exe
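As an added illustration (not the Sigma project's own matching engine), the rule's condition evaluated in Python over a few constructed process-creation events; it implements Sigma's case-insensitive `contains`/`endswith` matching including the `?` single-character wildcard that the Dropbox filter relies on to cover any drive letter. Field names are the ones used in the rule; the sample events are constructed.

```python
import re

# Rule content as listed above; everything else here is an added illustration.
SELECTION_CLI_ALL = [" firewall ", " add "]        # CommandLine|contains|all
SELECTION_IMG_ENDSWITH = "\\netsh.exe"            # Image|endswith
SELECTION_IMG_ORIGINAL = "netsh.exe"              # OriginalFileName
FILTER_OPTIONAL_DROPBOX = [                       # CommandLine|contains (any one value)
    'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe" enable=yes profile=Any',
    'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\\Program Files\\Dropbox\\Client\\Dropbox.exe" enable=yes profile=Any',
]

def _wildcard_regex(pattern: str) -> str:
    # Sigma wildcards: '*' is any run of characters, '?' exactly one character,
    # so "?:\Program Files" matches the Dropbox client path on any drive letter.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)

def sigma_contains(value: str, pattern: str) -> bool:
    # Sigma string modifiers are case-insensitive by default.
    return re.search(_wildcard_regex(pattern), value, re.IGNORECASE) is not None

def sigma_endswith(value: str, pattern: str) -> bool:
    return re.search(_wildcard_regex(pattern) + r"\Z", value, re.IGNORECASE) is not None

def matches_rule(event: dict) -> bool:
    cmd = event.get("CommandLine", "")
    # selection_img is a list of maps: either alternative satisfies it (OR), which is
    # why a renamed copy of netsh.exe is still caught through OriginalFileName.
    selection_img = (sigma_endswith(event.get("Image", ""), SELECTION_IMG_ENDSWITH)
                     or event.get("OriginalFileName", "").lower() == SELECTION_IMG_ORIGINAL)
    # contains|all: every listed substring must appear in CommandLine (AND).
    selection_cli = all(sigma_contains(cmd, s) for s in SELECTION_CLI_ALL)
    # Several values under one field are OR; any match excludes the event.
    filter_dropbox = any(sigma_contains(cmd, p) for p in FILTER_OPTIONAL_DROPBOX)
    # condition: all of selection_* and not 1 of filter_optional_*
    return selection_img and selection_cli and not filter_dropbox

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Test Rule" dir=in action=allow protocol=TCP localport=8080'},
    {"Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",   # benign Dropbox rule, filtered
     "CommandLine": 'netsh advfirewall firewall add rule name=Dropbox dir=in action=allow "program=D:\\Program Files\\Dropbox\\Client\\Dropbox.exe" enable=yes profile=Any'},
    {"Image": "C:\\Temp\\copy_of_netsh.exe", "OriginalFileName": "netsh.exe",        # renamed binary, still matched
     "CommandLine": 'copy_of_netsh.exe advfirewall firewall add rule name=svc dir=in action=allow program="C:\\Temp\\svc.exe"'},
    {"Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",   # no ' add ', no match
     "CommandLine": "netsh advfirewall firewall show rule name=all"},
]

def evaluate(events=EVENTS) -> list:
    return [matches_rule(e) for e in events]   # expected: [True, False, True, False]
```

Calling `evaluate()` returns one boolean per event; the second event shows the optional filter suppressing the known-good Dropbox rule on a non-C: drive.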