New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
Sigma rule (View on GitHub)
1title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
2id: eca81e8d-09e1-4d04-8614-c91f44fd0519
3status: experimental
4description: |
5 Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
6 This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
9 - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
10 - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
11author: frack113, Nasreddine Bencherchali (Nextron Systems)
12date: 2024/05/10
13tags:
14 - attack.defense_evasion
15 - attack.t1562.004
16logsource:
17 product: windows
18 service: firewall-as
19detection:
20 selection:
21 EventID:
22 - 2004 # A rule has been added to the Windows Defender Firewall exception list
23 - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
24 - 2097
25 Action: 3 # Allow
26 ModifyingApplication|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
27 condition: selection
28falsepositives:
29 - Administrator scripts or activity.
30level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Introduction The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, the US Department of Health and Human Services defined Rhysida as a significant threat to the healthcare sector. While responding to a recent Rhysida ...
Read More -
Rhysida, a new ransomware group, hit its first victim in May 2023. They use their ransomware, offered as RaaS (Ransomware-as-a-Service), with at least 50 global victims listed on their website.
Read More
Related rules
- Disable Microsoft Defender Firewall via Registry
- Firewall Rule Deleted Via Netsh.EXE
- Modify System Firewall
- New Firewall Rule Added Via Netsh.EXE
- RDP Connection Allowed Via Netsh.EXE