LoFP / software installations and removal

Techniques

Sample rules

Firewall Rule Update Via Netsh.EXE

Description

Detects execution of netsh with the "advfirewall" and "set" options in order to set new values for properties of an existing rule

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - ' firewall '
  - ' set '
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

Firewall Rule Deleted Via Netsh.EXE

Description

Detects the removal of a port or application rule in the Windows Firewall configuration using netsh

Detection logic

condition: all of selection_* and not 1 of filter_optional_*
filter_optional_dropbox:
  CommandLine|contains: name=Dropbox
  ParentImage|endswith: \Dropbox.exe
selection_cli:
  CommandLine|contains|all:
  - firewall
  - 'delete '
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe
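Added example, not LoFP's or Sigma's own code: a small evaluator for the two netsh firewall rules above, run over constructed process-creation events so the Dropbox filter on the delete rule can be seen in effect. Field names follow the Sigma process_creation logsource, matching is case-insensitive as in Sigma, and all events, hosts and paths are invented.

```python
# Added example (not the rules' own code): evaluate the two netsh rules on
# this page against constructed events. Like Sigma, matching is case-insensitive.

def _f(ev: dict, field: str) -> str:
    return str(ev.get(field, "")).lower()

def netsh_image(ev: dict) -> bool:
    """selection_img: a list of maps is OR-ed in Sigma."""
    return (_f(ev, "Image").endswith("\\netsh.exe")
            or _f(ev, "OriginalFileName") == "netsh.exe")

def rule_update(ev: dict) -> bool:
    """Firewall Rule Update Via Netsh.EXE: all of selection_*."""
    cmd = _f(ev, "CommandLine")
    return netsh_image(ev) and " firewall " in cmd and " set " in cmd

def rule_delete(ev: dict) -> bool:
    """Firewall Rule Deleted Via Netsh.EXE: all of selection_* and not 1 of filter_optional_*."""
    cmd = _f(ev, "CommandLine")
    selection = netsh_image(ev) and "firewall" in cmd and "delete " in cmd
    # filter_optional_dropbox: fields inside one map are AND-ed
    dropbox = ("name=dropbox" in cmd
               and _f(ev, "ParentImage").endswith("\\dropbox.exe"))
    return selection and not dropbox

RULES = (("Firewall Rule Update Via Netsh.EXE", rule_update),
         ("Firewall Rule Deleted Via Netsh.EXE", rule_delete))

# Constructed sample events (hypothetical paths and command lines)
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule name="Remote Desktop" new enable=yes'},
    {"id": 2, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "CommandLine": "netsh advfirewall firewall delete rule name=Dropbox"},  # filtered by LoFP entry
    {"id": 3, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'netsh advfirewall firewall delete rule name="Core Networking - DNS (UDP-Out)"'},
    {"id": 4, "Image": r"C:\Temp\n.exe", "OriginalFileName": "netsh.exe",  # renamed binary, caught by OriginalFileName
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "n.exe firewall set opmode disable"},
    {"id": 5, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface ip show config"},
]

def evaluate(events) -> dict:
    """Map event id -> titles of the rules that fire on it."""
    return {ev["id"]: [title for title, rule in RULES if rule(ev)] for ev in events}

if __name__ == "__main__":
    for eid, fired in evaluate(EVENTS).items():
        print(eid, fired or "no alert")
```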