New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application

Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.

Sigma rule (View on GitHub)

 1title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
 2id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
 3related:
 4    - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
 5      type: derived
 6status: experimental
 7description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
 8references:
 9    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
10    - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
11author: frack113
12date: 2023/02/26
13modified: 2024/05/10
14tags:
15    - attack.defense_evasion
16    - attack.t1562.004
17logsource:
18    product: windows
19    service: firewall-as
20detection:
21    selection:
22        EventID:
23            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
24            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
25            - 2097
26        ApplicationPath|contains:
27            - ':\PerfLogs\'
28            - ':\Temp\'
29            - ':\Tmp\'
30            - ':\Users\Public\'
31            - ':\Windows\Tasks\'
32            - ':\Windows\Temp\'
33            - '\AppData\Local\Temp\'
34    filter_main_block:
35        Action: 2 # Block
36    condition: selection and not 1 of filter_main_*
37falsepositives:
38    - Unknown
39level: high

References

Related rules

to-top