valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
93b867024c
SigmaHQ/rules/windows/process_creation/win_netsh_fw_add.yml
Florian Roth e473efb7c3
Trying to fix ATT&CK framework tag
2019-04-01 10:36:35 +02:00

24 lines
698 B
YAML
Raw Blame History

title: Netsh
description: Allow Incoming Connections by Port or Application on Windows Firewall
references:
- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
date: 2019/01/29
tags:
- attack.lateral_movement
- attack.command_and_control
- attack.t1090
status: experimental
author: Markus Neis
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*netsh firewall add*'
condition: selection
falsepositives:
- Legitimate administration
level: medium
Reference in New Issue View Git Blame Copy Permalink