New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
Sigma rule (View on GitHub)
1title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
2id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
3related:
4 - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
5 type: derived
6status: experimental
7description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
8references:
9 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
10 - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
11author: frack113
12date: 2023-02-26
13modified: 2024-05-10
14tags:
15 - attack.defense-evasion
16 - attack.t1562.004
17logsource:
18 product: windows
19 service: firewall-as
20detection:
21 selection:
22 EventID:
23 - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
24 - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
25 - 2097
26 ApplicationPath|contains:
27 - ':\PerfLogs\'
28 - ':\Temp\'
29 - ':\Tmp\'
30 - ':\Users\Public\'
31 - ':\Windows\Tasks\'
32 - ':\Windows\Temp\'
33 - '\AppData\Local\Temp\'
34 filter_main_block:
35 Action: 2 # Block
36 condition: selection and not 1 of filter_main_*
37falsepositives:
38 - Unknown
39level: high
References
Related rules
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry
- Disable System Firewall