New Firewall Exception Rule Added For A Suspicious Folder

 1title: New Firewall Exception Rule Added For A Suspicious Folder
 2id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
 3related:
 4    - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
 5      type: derived
 6status: experimental
 7description: Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder
 8references:
 9    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
10    - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
11author: frack113
12date: 2023/02/26
13modified: 2023/05/30
14tags:
15    - attack.defense_evasion
16    - attack.t1562.004
17logsource:
18    product: windows
19    service: firewall-as
20detection:
21    selection:
22        EventID:
23            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
24            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
25        ApplicationPath|contains:
26            - '\AppData\'
27            - '\Temp\'
28    filter_main_block:
29        Action: 2
30    filter_optional_teams:
31        ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe'
32    filter_optional_keybase:
33        ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe'
34    filter_optional_messenger:
35        ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe'
36    filter_optional_opera:
37        ApplicationPath|startswith: 'C:\Users\'
38        ApplicationPath|contains: '\AppData\Local\Programs\Opera\'
39        ApplicationPath|endswith: '\opera.exe'
40    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
41falsepositives:
42    - Any legitimate application that runs from the AppData user directory
43level: high