New Firewall Exception Rule Added For A Suspicious Folder
Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder
Sigma rule

```yaml
title: New Firewall Exception Rule Added For A Suspicious Folder
id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
related:
    - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
      type: derived
status: experimental
description: Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder
references:
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
    - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
author: frack113
date: 2023/02/26
modified: 2023/05/30
tags:
    - attack.defense_evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
        ApplicationPath|contains:
            - '\AppData\'
            - '\Temp\'
    filter_main_block:
        Action: 2
    filter_optional_teams:
        ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe'
    filter_optional_keybase:
        ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe'
    filter_optional_messenger:
        ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe'
    filter_optional_opera:
        ApplicationPath|startswith: 'C:\Users\'
        ApplicationPath|contains: '\AppData\Local\Programs\Opera\'
        ApplicationPath|endswith: '\opera.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Any legitimate application that runs from the AppData user directory
level: high
```
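To make the condition logic concrete, here is an added Python evaluation of this rule over constructed Windows Firewall events; it is not part of the rule or the Sigma project, and the event shape (integer EventID and Action fields, an ApplicationPath string) and the sample paths are assumptions.

```python
# Added example, not the rule's own code: evaluates the Sigma condition
# 'selection and not 1 of filter_main_* and not 1 of filter_optional_*'
# over constructed firewall-as events. Field names come from the rule.
ALERT_IDS = {2004, 2071}                   # rule added (Windows 10 / Windows 11)
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\")
ACTION_BLOCK = 2                           # filter_main_block: Action 2 = block rule

# filter_optional_*: known per-user installers whose rules are tolerated
ALLOWED_SUFFIXES = (
    "\\appdata\\local\\microsoft\\teams\\current\\teams.exe",
    "\\appdata\\local\\keybase\\keybase.exe",
    "\\appdata\\local\\programs\\messenger\\messenger.exe",
)

def is_allowed_opera(path: str) -> bool:
    """filter_optional_opera: all three conditions must hold (AND inside a filter)."""
    return (path.startswith("c:\\users\\")
            and "\\appdata\\local\\programs\\opera\\" in path
            and path.endswith("\\opera.exe"))

def matches_rule(event: dict) -> bool:
    """True when the event would fire this rule."""
    # Sigma string matching is case-insensitive, so normalise once
    path = str(event.get("ApplicationPath", "")).lower()
    selection = (event.get("EventID") in ALERT_IDS
                 and any(d in path for d in SUSPICIOUS_DIRS))
    if not selection:
        return False
    if event.get("Action") == ACTION_BLOCK:          # filter_main_block
        return False
    if path.endswith(ALLOWED_SUFFIXES) or is_allowed_opera(path):
        return False                                  # filter_optional_*
    return True

def alerts(events: list) -> list:
    """Return the ApplicationPath of every event that fires the rule."""
    return [e["ApplicationPath"] for e in events if matches_rule(e)]

# Constructed sample events (assumed integer Action: 2 = block, 3 = allow)
SAMPLE_EVENTS = [
    {"EventID": 2004, "Action": 3, "ApplicationPath": r"C:\Users\bob\AppData\Roaming\update.exe"},
    {"EventID": 2071, "Action": 3, "ApplicationPath": r"C:\Windows\Temp\svc.exe"},
    {"EventID": 2004, "Action": 2, "ApplicationPath": r"C:\Users\bob\AppData\Roaming\blocked.exe"},
    {"EventID": 2004, "Action": 3, "ApplicationPath": r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"EventID": 2004, "Action": 3, "ApplicationPath": r"C:\Users\bob\AppData\Local\Programs\Opera\opera.exe"},
    {"EventID": 2006, "Action": 3, "ApplicationPath": r"C:\Users\bob\AppData\Roaming\update.exe"},
    {"EventID": 2004, "Action": 3, "ApplicationPath": r"C:\Program Files\App\app.exe"},
]
```

Only the first two sample events fire: the block rule is excluded by filter_main_block, the Teams and Opera paths by the optional filters, and the last two never satisfy the selection.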
Related rules
- A Rule Has Been Deleted From The Windows Firewall Exception List
- All Rules Have Been Deleted From The Windows Firewall Configuration
- Firewall Rule Modified In The Windows Firewall Exception List
- The Windows Defender Firewall Service Failed To Load Group Policy
- Windows Defender Firewall Has Been Reset To Its Default Configuration