Firewall Configuration Discovery Via Netsh.EXE
Detects netsh.exe being used to list the Windows Firewall configuration, state or rules (for example `netsh advfirewall firewall show rule name=all`). Adversaries may look for details about the network configuration and settings of systems they access, or of remote systems, through information discovery (MITRE ATT&CK T1016).
Sigma rule
title: Firewall Configuration Discovery Via Netsh.EXE
id: 0e4164da-94bc-450d-a7be-a4b176179f1f
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
    - https://ss64.com/nt/netsh.html
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2023-12-11
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'netsh '
            - 'show '
            - 'firewall '
        CommandLine|contains:
            - 'config '
            - 'state '
            - 'rule '
            - 'name=all'
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: low
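The rule combines two selections: `selection_img` is a YAML list, so its two field checks are OR-ed (the `OriginalFileName` branch catches a renamed copy of netsh.exe whose PE version resource still says `netsh.exe`); `selection_cli` is a map, so its `contains|all` and `contains` checks are AND-ed; `all of selection_*` then requires both selections. Sigma string matching is case-insensitive, and the trailing spaces inside the quoted patterns are part of what is matched. The following is an added example, not code from the SigmaHQ project: a plain-Python re-implementation of exactly that logic, run over hand-constructed process_creation events so you can see which command lines the patterns on this page hit and which they miss (the event labels, the `evaluate` helper and the sample command lines are this example's own, not the rule's).

```python
# Added example (not part of the SigmaHQ rule or its documentation): a plain-Python
# re-implementation of the rule's two selections and its condition, evaluated over
# constructed process_creation events. Sigma string matching is case-insensitive,
# so every comparison lower-cases the field value first.

def _norm(value) -> str:
    """Lower-case a field value; a missing field compares as the empty string."""
    return "" if value is None else str(value).lower()


def selection_img(event: dict) -> bool:
    """selection_img: a YAML list of field/value pairs is OR-ed together."""
    return (_norm(event.get("Image")).endswith("\\netsh.exe")
            or _norm(event.get("OriginalFileName")) == "netsh.exe")


def selection_cli(event: dict) -> bool:
    """selection_cli: two field conditions inside one map are AND-ed."""
    cli = _norm(event.get("CommandLine"))
    # CommandLine|contains|all: every substring must appear; the trailing spaces are
    # part of each pattern, exactly as written in the rule
    all_of = ("netsh ", "show ", "firewall ")
    # CommandLine|contains: at least one substring must appear
    any_of = ("config ", "state ", "rule ", "name=all")
    return all(s in cli for s in all_of) and any(s in cli for s in any_of)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


NETSH = r"C:\Windows\System32\netsh.exe"

# Constructed sample events (hand-written for this example, not captured logs);
# only the fields the rule reads are populated.
SAMPLE_EVENTS = [
    {"label": "atomic_test_2", "Image": NETSH,
     "CommandLine": "netsh advfirewall firewall show rule name=all"},
    {"label": "uppercase", "Image": NETSH,
     "CommandLine": "NETSH ADVFIREWALL FIREWALL SHOW RULE NAME=ALL"},
    {"label": "show_state_verbose", "Image": NETSH,
     "CommandLine": "netsh firewall show state verbose=enable"},
    # 'show ' is absent: changing firewall state is not what this rule covers
    {"label": "set_not_show", "Image": NETSH,
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    # 'netsh.exe' is followed by '.', not a space, so the pattern 'netsh ' is absent
    {"label": "exe_suffix_in_cli", "Image": NETSH,
     "CommandLine": "netsh.exe advfirewall firewall show rule name=all"},
    # 'config' is the last token, so the pattern 'config ' (trailing space) is absent
    {"label": "bare_show_config", "Image": NETSH,
     "CommandLine": "netsh firewall show config"},
    # renamed copy: the Image check fails, OriginalFileName still hits
    {"label": "renamed_binary", "Image": r"C:\Users\Public\n.exe",
     "OriginalFileName": "netsh.exe",
     "CommandLine": "netsh advfirewall firewall show rule name=all"},
    # parent cmd.exe event: command line matches but the image does not;
    # the child netsh.exe process_creation event is the one the rule catches
    {"label": "cmd_parent", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c netsh advfirewall firewall show rule name=all"},
]


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Return {label: matched} for every event."""
    return {e["label"]: matches(e) for e in events}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT' if hit else '     '}  {label}")
```

Two of the non-matching events are worth keeping in mind when tuning: invoking the binary as `netsh.exe ...` rather than `netsh ...`, or running `show config` / `show state` with nothing after the keyword, leaves one of the space-terminated patterns unmatched, so such invocations fall outside the rule as written on this page.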
Related rules
- System Network Discovery - macOS
- Cisco Discovery
- Nltest.EXE Execution
- OpenCanary - SNMP OID Request
- Potential Recon Activity Via Nltest.EXE