Firewall Rule Update Via Netsh.EXE

Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of an existing rule

Sigma rule

title: Firewall Rule Update Via Netsh.EXE
id: a70dcb37-3bee-453a-99df-d0c683151be6
status: test
description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of an existing rule
references:
    - https://ss64.com/nt/netsh.html
author: X__Junior (Nextron Systems)
date: 2023-07-18
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            # Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes"
            # Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes"
            - ' firewall '
            - ' set '
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
    - Software installations and removal
level: medium
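The detection logic above, evaluated against constructed process-creation events, as an added example (not code from the Sigma project): it reproduces the rule's `endswith` / `contains|all` semantics, which Sigma evaluates case-insensitively, and shows that the `OriginalFileName` selector still fires when the binary has been renamed, while a read-only `show rule` query does not match.

```python
# Added example: re-implements this rule's detection block over sample events.
# Sigma string matching is case-insensitive, so both sides are lowercased.

RULE_IMAGE_SUFFIX = "\\netsh.exe"        # Image|endswith: '\netsh.exe'
RULE_ORIGINAL_FILENAME = "netsh.exe"     # OriginalFileName: 'netsh.exe'
RULE_CLI_TOKENS = (" firewall ", " set ")  # CommandLine|contains|all


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: all of selection_*'."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "").lower()
    # selection_img is a list of maps, i.e. OR between its two entries
    selection_img = image.endswith(RULE_IMAGE_SUFFIX) or orig == RULE_ORIGINAL_FILENAME
    # selection_cli uses contains|all, i.e. every token must appear
    selection_cli = all(token in cli for token in RULE_CLI_TOKENS)
    return selection_img and selection_cli


# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation log source.
SAMPLE_EVENTS = [
    # true positive: an existing rule group is enabled
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    # renamed copy: Image check fails, OriginalFileName (PE version info) still matches
    {"Image": r"C:\Users\Public\n.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'n.exe advfirewall firewall set rule name="Remote Desktop" new enable=Yes'},
    # read-only query: ' set ' token absent, no match
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": "netsh advfirewall firewall show rule name=all"},
    # different image: selection_img fails even though the words appear
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo firewall set"},
]


def evaluate(events):
    """Apply the rule to each event and return the list of verdicts."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH " if hit else "      ", event["CommandLine"])
```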
