Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE

Severity
high
Author
Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
Source
upstream

Detects netsh.exe command lines that add a Windows Firewall allow rule (whitelist entry) for a program located in a suspicious directory.

MITRE ATT&CK coverage

Tactic             Technique
Defense Evasion    T1562.004 Impair Defenses: Disable or Modify System Firewall

Event coverage

Provider    Event ID    Title
Sysmon      1           Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
    Image|endswith: '\netsh.exe'
    OriginalFileName: 'netsh.exe'

Stage 2: all of selection_cli

or:
    CommandLine|contains: 'action=allow'
    CommandLine|contains: 'add'
    CommandLine|contains: 'advfirewall'
    CommandLine|contains: 'firewall'
    CommandLine|contains: 'program='
    CommandLine|contains: 'rule'
    CommandLine|contains: 'add'
    CommandLine|contains: 'allowedprogram'
    CommandLine|contains: 'firewall'

Stage 3: all of selection_paths

or:
    CommandLine|contains: '%Public%\'
    CommandLine|contains: '%TEMP%'
    CommandLine|contains: '%TMP%'
    CommandLine|contains: ':\$Recycle.bin\'
    CommandLine|contains: ':\RECYCLER.BIN\'
    CommandLine|contains: ':\RECYCLERS.BIN\'
    CommandLine|contains: ':\SystemVolumeInformation\'
    CommandLine|contains: ':\Temp\'
    CommandLine|contains: ':\Users\Default\'
    CommandLine|contains: ':\Users\Desktop\'
    CommandLine|contains: ':\Users\Public\'
    CommandLine|contains: ':\Windows\Tasks\'
    CommandLine|contains: ':\Windows\Temp\'
    CommandLine|contains: ':\Windows\addins\'
    CommandLine|contains: ':\Windows\cursors\'
    CommandLine|contains: ':\Windows\debug\'
    CommandLine|contains: ':\Windows\drivers\'
    CommandLine|contains: ':\Windows\fonts\'
    CommandLine|contains: ':\Windows\help\'
    CommandLine|contains: ':\Windows\system32\tasks\'
    CommandLine|contains: '\Downloads\'
    CommandLine|contains: '\Local Settings\Temporary Internet Files\'
    CommandLine|contains: '\Temporary Internet Files\Content.Outlook\'
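
The three stages above evaluated in Python over constructed Sysmon process-creation records, as an added example that is not part of this page or of the Sigma project. The page lists the Stage 2 keywords as one flat list; grouping them here into the two netsh syntaxes (legacy `netsh firewall add allowedprogram` and `netsh advfirewall firewall add rule`) is an assumption, and the sample events are constructed, not real telemetry.

```python
# Stage 2 keywords, grouped by the two netsh syntaxes (legacy
# "netsh firewall add allowedprogram" and "netsh advfirewall firewall add rule").
# The page lists them as one flat list; this grouping is an assumption.
CLI_GROUPS = (
    ("firewall", "add", "allowedprogram"),
    ("advfirewall", "firewall", "add", "rule", "action=allow", "program="),
)
# Stage 3 path fragments, copied from the rule (Sigma matching is case-insensitive)
SUSPICIOUS_PATHS = (
    "%Public%\\", "%TEMP%", "%TMP%", ":\\$Recycle.bin\\", ":\\RECYCLER.BIN\\",
    ":\\RECYCLERS.BIN\\", ":\\SystemVolumeInformation\\", ":\\Temp\\",
    ":\\Users\\Default\\", ":\\Users\\Desktop\\", ":\\Users\\Public\\",
    ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\", ":\\Windows\\addins\\",
    ":\\Windows\\cursors\\", ":\\Windows\\debug\\", ":\\Windows\\drivers\\",
    ":\\Windows\\fonts\\", ":\\Windows\\help\\", ":\\Windows\\system32\\tasks\\",
    "\\Downloads\\", "\\Local Settings\\Temporary Internet Files\\",
    "\\Temporary Internet Files\\Content.Outlook\\",
)

def _contains(haystack, needle):
    return needle.lower() in haystack.lower()

def matches(event):
    """True when a Sysmon Event ID 1 record satisfies all three stages."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "")
    # Stage 1: a list-valued Sigma selection is an OR over its items
    selection_img = image.endswith("\\netsh.exe") or original == "netsh.exe"
    # Stage 2: some keyword group with every keyword of that group present
    selection_cli = any(all(_contains(cli, kw) for kw in g) for g in CLI_GROUPS)
    # Stage 3: any suspicious path fragment anywhere in the command line
    selection_paths = any(_contains(cli, p) for p in SUSPICIOUS_PATHS)
    return selection_img and selection_cli and selection_paths

def alerts(events):
    """Return the command lines of the events that fire the rule."""
    return [e["CommandLine"] for e in events if matches(e)]

# Constructed sample records (not real telemetry): two hits, then two non-hits
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name=upd dir=in action=allow program="C:\Users\Public\upd.exe"'},
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": r"netsh firewall add allowedprogram C:\Windows\Temp\svc.exe svc ENABLE"},
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name=app dir=in action=allow program="C:\Program Files\App\app.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c dir C:\Users\Public"},
]
```

The third record shows the path stage doing its job: an allow rule for a program under Program Files passes Stages 1 and 2 but is not reported.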

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field               Kind         Values
CommandLine         match
  • %Public%\
  • %TEMP% corpus 2 (sigma 2)
  • %TMP% corpus 2 (sigma 2)
  • :\$Recycle.bin\
  • :\RECYCLER.BIN\
  • :\RECYCLERS.BIN\
  • :\SystemVolumeInformation\
  • :\Temp\ corpus 14 (sigma 14)
  • :\Users\Default\ corpus 3 (sigma 3)
  • :\Users\Desktop\
  • :\Users\Public\ corpus 14 (sigma 14)
  • :\Windows\Tasks\ corpus 6 (sigma 6)
  • :\Windows\Temp\ corpus 15 (sigma 15)
  • :\Windows\addins\
  • :\Windows\cursors\
  • :\Windows\debug\
  • :\Windows\drivers\
  • :\Windows\fonts\
  • :\Windows\help\
  • :\Windows\system32\tasks\
  • \Downloads\ corpus 12 (sigma 12)
  • \Local Settings\Temporary Internet Files\
  • \Temporary Internet Files\Content.Outlook\
  • action=allow
  • add corpus 16 (sigma 16)
  • advfirewall corpus 3 (sigma 3)
  • allowedprogram
  • firewall corpus 4 (sigma 4)
  • program=
  • rule corpus 2 (sigma 2)
Image               ends_with
  • \netsh.exe corpus 16 (sigma 16)
OriginalFileName    eq
  • netsh.exe corpus 14 (sigma 14)