New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
Sigma rule (View on GitHub)
1title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
2id: eca81e8d-09e1-4d04-8614-c91f44fd0519
3status: experimental
4description: |
5 Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
6 This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
9 - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
10 - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
11author: frack113, Nasreddine Bencherchali (Nextron Systems)
12date: 2024-05-10
13tags:
14 - attack.defense-evasion
15 - attack.t1562.004
16logsource:
17 product: windows
18 service: firewall-as
19detection:
20 selection:
21 EventID:
22 - 2004 # A rule has been added to the Windows Defender Firewall exception list
23 - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
24 - 2097
25 Action: 3 # Allow
26 ModifyingApplication|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
27 condition: selection
28falsepositives:
29 - Administrator scripts or activity.
30level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Introduction The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, the US Department of Health and Human Services defined Rhysida as a significant threat to the healthcare sector. While responding to a recent Rhysida ...
Read More
Related rules
- All Rules Have Been Deleted From The Windows Firewall Configuration
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry