Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE

Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall

Sigma rule

title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
status: test
description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
references:
    - https://www.virusradar.com/en/Win32_Kasidet.AD/description
    - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2020/05/25
modified: 2023/12/11
tags:
    - attack.defense_evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        - CommandLine|contains|all:
              - 'firewall'
              - 'add'
              - 'allowedprogram'
        - CommandLine|contains|all:
              - 'advfirewall'
              - 'firewall'
              - 'add'
              - 'rule'
              - 'action=allow'
              - 'program='
    selection_paths:
        CommandLine|contains:
            - ':\$Recycle.bin\'
            - ':\RECYCLER.BIN\'
            - ':\RECYCLERS.BIN\'
            - ':\SystemVolumeInformation\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Desktop\'
            - ':\Users\Public\'
            - ':\Windows\addins\'
            - ':\Windows\cursors\'
            - ':\Windows\debug\'
            - ':\Windows\drivers\'
            - ':\Windows\fonts\'
            - ':\Windows\help\'
            - ':\Windows\system32\tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\Downloads\'
            - '\Local Settings\Temporary Internet Files\'
            - '\Temporary Internet Files\Content.Outlook\'
            - '%Public%\'
            - '%TEMP%'
            - '%TMP%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
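The rule above is three AND-ed selections: the process must be netsh.exe (by image path suffix or original file name), the command line must contain one of the two firewall-allow-listing argument sets, and the command line must reference one of the listed suspicious directories. The following Python is an added example, not part of the rule page or of the Sigma project, that re-implements that logic as a plain matcher and runs it over a handful of constructed process_creation events. It mirrors Sigma's default case-insensitive string matching; the event field names (Image, OriginalFileName, CommandLine) are the ones the rule itself uses.

```python
"""Stand-alone re-implementation of the Sigma rule's detection logic.

Sigma string modifiers (endswith / contains) are case-insensitive by
default, so every comparison below is done on lower-cased values.
"""

# selection_img: either the image path ends with \netsh.exe or the PE's
# OriginalFileName is netsh.exe (catches renamed copies of the binary).
IMAGE_SUFFIXES = ["\\netsh.exe"]
ORIGINAL_FILE_NAMES = ["netsh.exe"]

# selection_cli: two alternative argument sets, each of which must be
# matched in full (contains|all). Legacy "netsh firewall" syntax and the
# newer "netsh advfirewall firewall add rule" syntax.
CLI_ALL_SETS = [
    ["firewall", "add", "allowedprogram"],
    ["advfirewall", "firewall", "add", "rule", "action=allow", "program="],
]

# selection_paths: any one of these substrings in the command line.
SUSPICIOUS_PATHS = [
    ":\\$Recycle.bin\\", ":\\RECYCLER.BIN\\", ":\\RECYCLERS.BIN\\",
    ":\\SystemVolumeInformation\\", ":\\Temp\\", ":\\Users\\Default\\",
    ":\\Users\\Desktop\\", ":\\Users\\Public\\", ":\\Windows\\addins\\",
    ":\\Windows\\cursors\\", ":\\Windows\\debug\\", ":\\Windows\\drivers\\",
    ":\\Windows\\fonts\\", ":\\Windows\\help\\", ":\\Windows\\system32\\tasks\\",
    ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\", "\\Downloads\\",
    "\\Local Settings\\Temporary Internet Files\\",
    "\\Temporary Internet Files\\Content.Outlook\\",
    "%Public%\\", "%TEMP%", "%TMP%",
]


def _lower(event: dict, field: str) -> str:
    """Fetch a field from the event and lower-case it (missing -> empty)."""
    return str(event.get(field, "")).lower()


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'all of selection_*'."""
    image = _lower(event, "Image")
    original_name = _lower(event, "OriginalFileName")
    cli = _lower(event, "CommandLine")

    selection_img = (
        any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
        or original_name in ORIGINAL_FILE_NAMES
    )
    selection_cli = any(
        all(token in cli for token in tokens) for tokens in CLI_ALL_SETS
    )
    selection_paths = any(p.lower() in cli for p in SUSPICIOUS_PATHS)

    return selection_img and selection_cli and selection_paths


def scan(events: list) -> list:
    """Return the indices of all events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (not real telemetry). Paths and names are
# placeholders chosen to exercise each branch of the rule.
SAMPLE_EVENTS = [
    {   # new-style syntax, program under C:\Users\Public -> should match
        "Image": "C:\\Windows\\System32\\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name="Updater" '
                       'dir=in action=allow program="C:\\Users\\Public\\updater.exe"',
    },
    {   # legacy syntax, program under C:\Windows\Temp -> should match
        "Image": "C:\\Windows\\SysWOW64\\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": "netsh firewall add allowedprogram "
                       "C:\\Windows\\Temp\\svc.exe svc ENABLE",
    },
    {   # same syntax but program in Program Files -> benign, no match
        "Image": "C:\\Windows\\System32\\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name="App" '
                       'dir=in action=allow program="C:\\Program Files\\Vendor\\app.exe"',
    },
    {   # matching arguments but the process is cmd.exe, not netsh -> no match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo netsh advfirewall firewall add rule "
                       "action=allow program=C:\\Users\\Public\\x.exe",
    },
]


if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running the script prints alerts for the first two constructed events only: the third is excluded by `selection_paths` (the program lives under Program Files), the fourth by `selection_img` (the image is cmd.exe). When porting this to a SIEM, keep the case-insensitive comparison and the `all of selection_*` conjunction intact; dropping either side of the AND is what turns this high-confidence rule into a noisy one.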
