title: Netsh 
description: Allow Incoming Connections by Port or Application on Windows Firewall
references:
    - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
    - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
date: 2019/01/29
tags:
    - attack.lateral_movement
    - attack.command_and_control
    - attack.t1090 
status: experimental
author: Markus Neis
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*netsh firewall add*'
    condition: selection
falsepositives:
    - Legitimate administration
level: medium