New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application

calendar Jan 23, 2024 · attack.defense_evasion attack.t1562.004  ·
Share on: linkedin copy

Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.

Sigma rule (View on GitHub)

 1title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
 2id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
 3related:
 4    - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
 5      type: derived
 6status: experimental
 7description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
 8references:
 9    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
10    - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
11author: frack113
12date: 2023/02/26
13modified: 2024/01/22
14tags:
15    - attack.defense_evasion
16    - attack.t1562.004
17logsource:
18    product: windows
19    service: firewall-as
20detection:
21    selection:
22        EventID:
23            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
24            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
25        ApplicationPath|contains:
26            - ':\PerfLogs\'
27            - ':\Temp\'
28            - ':\Users\Public\'
29            - ':\Windows\Tasks\'
30            - ':\Windows\Temp\'
31            - '\AppData\Local\Temp\'
32    filter_main_block:
33        Action: 2
34    condition: selection and not 1 of filter_main_*
35falsepositives:
36    - Unknown
37level: high

References

Related rules

to-top