SigmaHQ/rules/windows/process_creation/win_netsh_fw_add.yml

title: Netsh Port or Application Allowed
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
description: Allow Incoming Connections by Port or Application on Windows Firewall
references:
    - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
    - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
date: 2019/01/29
tags:
    - attack.lateral_movement
    - attack.command_and_control
    - attack.t1090 
status: experimental
author: Markus Neis, Sander Wiebing
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine:
            - '*netsh*'
    selection2:
        CommandLine:
            - '*firewall add*'
    condition: selection1 and selection2
falsepositives:
    - Legitimate administration
level: medium
Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add` 2020-05-25 08:02:13 +00:00			`title: Netsh Port or Application Allowed`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`description: Allow Incoming Connections by Port or Application on Windows Firewall`
			`references:`
			`- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)`
			`- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf`
			`date: 2019/01/29`
			`tags:`
			`- attack.lateral_movement`
			`- attack.command_and_control`
			`- attack.t1090`
			`status: experimental`
Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add` 2020-05-25 08:02:13 +00:00			`author: Markus Neis, Sander Wiebing`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
Update win_netsh_fw_add.yml 2020-05-25 08:13:26 +00:00			`selection1:`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`CommandLine:`
Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add` 2020-05-25 08:02:13 +00:00			`- 'netsh'`
Update win_netsh_fw_add.yml 2020-05-25 08:13:26 +00:00			`selection2:`
Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add` 2020-05-25 08:02:13 +00:00			`CommandLine:`
			`- 'firewall add'`
Update win_netsh_fw_add.yml 2020-05-25 08:13:26 +00:00			`condition: selection1 and selection2`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`falsepositives:`
			`- Legitimate administration`
			`level: medium`