Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
Sigma rule

```yaml
title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
status: test
description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
references:
    - https://www.virusradar.com/en/Win32_Kasidet.AD/description
    - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2020-05-25
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        - CommandLine|contains|all:
              - 'firewall'
              - 'add'
              - 'allowedprogram'
        - CommandLine|contains|all:
              - 'advfirewall'
              - 'firewall'
              - 'add'
              - 'rule'
              - 'action=allow'
              - 'program='
    selection_paths:
        CommandLine|contains:
            - ':\$Recycle.bin\'
            - ':\RECYCLER.BIN\'
            - ':\RECYCLERS.BIN\'
            - ':\SystemVolumeInformation\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Desktop\'
            - ':\Users\Public\'
            - ':\Windows\addins\'
            - ':\Windows\cursors\'
            - ':\Windows\debug\'
            - ':\Windows\drivers\'
            - ':\Windows\fonts\'
            - ':\Windows\help\'
            - ':\Windows\system32\tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\Downloads\'
            - '\Local Settings\Temporary Internet Files\'
            - '\Temporary Internet Files\Content.Outlook\'
            - '%Public%\'
            - '%TEMP%'
            - '%TMP%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
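To make the three selections concrete, here is an added Python evaluator (not part of the Sigma project or any Sigma backend) that applies the rule's logic to constructed process_creation events; it lower-cases values because Sigma string matching is case-insensitive by default, and the event field layout and sample command lines are assumptions.

```python
# Added example (not the Sigma project's code): a minimal evaluator for the
# rule above. Sigma `contains` matching is case-insensitive, so values are lower-cased.
SUSPICIOUS_PATHS = [
    ":\\$Recycle.bin\\", ":\\RECYCLER.BIN\\", ":\\RECYCLERS.BIN\\",
    ":\\SystemVolumeInformation\\", ":\\Temp\\", ":\\Users\\Default\\",
    ":\\Users\\Desktop\\", ":\\Users\\Public\\", ":\\Windows\\addins\\",
    ":\\Windows\\cursors\\", ":\\Windows\\debug\\", ":\\Windows\\drivers\\",
    ":\\Windows\\fonts\\", ":\\Windows\\help\\", ":\\Windows\\system32\\tasks\\",
    ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\", "\\Downloads\\",
    "\\Local Settings\\Temporary Internet Files\\",
    "\\Temporary Internet Files\\Content.Outlook\\", "%Public%\\", "%TEMP%", "%TMP%",
]
LEGACY_CLI = ("firewall", "add", "allowedprogram")
ADV_CLI = ("advfirewall", "firewall", "add", "rule", "action=allow", "program=")

def selection_img(event):
    # A list of maps in Sigma is OR-ed: either the image path or the PE original name.
    image, original = event.get("Image", "").lower(), event.get("OriginalFileName", "").lower()
    return image.endswith("\\netsh.exe") or original == "netsh.exe"

def selection_cli(cmd):
    # Legacy `netsh firewall` syntax OR the modern `advfirewall` syntax (each is contains|all).
    return all(n in cmd for n in LEGACY_CLI) or all(n in cmd for n in ADV_CLI)

def selection_paths(cmd):
    # contains with a list: any one suspicious path fragment is enough.
    return any(p.lower() in cmd for p in SUSPICIOUS_PATHS)

def rule_matches(event):
    # condition: all of selection_*
    cmd = event.get("CommandLine", "").lower()
    return selection_img(event) and selection_cli(cmd) and selection_paths(cmd)

# Constructed sample events (assumed field names), not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\\Users\\Public\\svc.exe"'},
    {"id": 2, "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh firewall add allowedprogram C:\\Windows\\Temp\\upd.exe upd ENABLE"},
    {"id": 3, "Image": "C:\\Windows\\System32\\netsh.exe",  # legitimate install path: no hit
     "CommandLine": 'netsh advfirewall firewall add rule name="app" dir=in action=allow program="C:\\Program Files\\App\\app.exe"'},
    {"id": 4, "Image": "C:\\Windows\\System32\\cmd.exe",  # suspicious path but not netsh: no hit
     "CommandLine": "cmd /c echo C:\\Users\\Public\\x.exe"},
]

def matching_ids(events=SAMPLE_EVENTS):
    return [e["id"] for e in events if rule_matches(e)]
```

A real Sigma backend also implements wildcard and escape semantics; this evaluator does plain substring matching, which is all the rule above relies on.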
Related rules
- All Rules Have Been Deleted From The Windows Firewall Configuration
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry