SigmaHQ/rules/windows/process_creation/win_netsh_fw_add.yml

title: Netsh Port or Application Allowed
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
description: Allow Incoming Connections by Port or Application on Windows Firewall
references:
    - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
    - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
date: 2019/01/29
modified: 2020/09/01
tags:
    - attack.defense_evasion
    - attack.t1089          # an old one
    - attack.t1562.004
status: experimental
author: Markus Neis, Sander Wiebing
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine:
            - '*netsh*'
    selection2:
        CommandLine:
            - '*firewall add*'
    condition: selection1 and selection2
falsepositives:
    - Legitimate administration
level: medium
Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add` 2020-05-25 08:02:13 +00:00			`title: Netsh Port or Application Allowed`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`description: Allow Incoming Connections by Port or Application on Windows Firewall`
			`references:`
			`- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)`
			`- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf`
			`date: 2019/01/29`
review windows/process_creation part 4 2020-09-02 00:34:34 +00:00			`modified: 2020/09/01`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`tags:`
review windows/process_creation part 4 2020-09-02 00:34:34 +00:00			`- attack.defense_evasion`
			`- attack.t1089 # an old one`
			`- attack.t1562.004`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`status: experimental`
Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add` 2020-05-25 08:02:13 +00:00			`author: Markus Neis, Sander Wiebing`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
Update win_netsh_fw_add.yml 2020-05-25 08:13:26 +00:00			`selection1:`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`CommandLine:`
Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add` 2020-05-25 08:02:13 +00:00			`- 'netsh'`
Update win_netsh_fw_add.yml 2020-05-25 08:13:26 +00:00			`selection2:`
Add Windows Server 2008 and Windows Vista support It did not support the command `netsh advfirewall firewall add` 2020-05-25 08:02:13 +00:00			`CommandLine:`
			`- 'firewall add'`
Update win_netsh_fw_add.yml 2020-05-25 08:13:26 +00:00			`condition: selection1 and selection2`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`falsepositives:`
			`- Legitimate administration`
			`level: medium`