Uncommon New Firewall Rule Added In Windows Firewall Exception List

Severity: medium
Author: frack113
Source: upstream

Detects when a rule has been added to the Windows Firewall exception list

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.004` Impair Defenses: Disable or Modify System Firewall

Event coverage

Provider	Event ID	Title
Windows-Firewall-With-Advanced-Security	2004
Windows-Firewall-With-Advanced-Security	2071
Windows-Firewall-With-Advanced-Security	2097

Stages and Predicates

Stage 1: `selection`

Stage 2: `not 1 of filter_main_*`

or:
ApplicationPath: System
ModifyingApplication: 'C:\Windows\System32\dllhost.exe'
ModifyingApplication|endswith: '\TiWorker.exe'
ModifyingApplication|startswith: 'C:\Windows\WinSxS\'
Action: 2
ApplicationPath: null
ApplicationPath|contains: 'C:\PerfLogs\'
ApplicationPath|contains: 'C:\Temp\'
ApplicationPath|contains: 'C:\Tmp\'
ApplicationPath|contains: 'C:\Users\Public\'
ApplicationPath|contains: 'C:\Windows\Tasks\'
ApplicationPath|contains: 'C:\Windows\Temp\'
ApplicationPath|contains: '\AppData\Local\Temp\'
ApplicationPath|startswith: 'C:\Program Files (x86)\'
ApplicationPath|startswith: 'C:\Program Files\'
ApplicationPath|startswith: 'C:\Windows\SysWOW64\'
ApplicationPath|startswith: 'C:\Windows\System32\'
ApplicationPath|startswith: 'C:\Windows\WinSxS\'

Stage 3: `not 1 of filter_optional_*`

or:
or:
ApplicationPath|startswith: 'C:\Program Files\Windows Defender\'
ApplicationPath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ApplicationPath|endswith: '\MsMpEng.exe'
ModifyingApplication: ['C:\Windows\System32\dllhost.exe', 'C:\Windows\System32\svchost.exe']
ApplicationPath: ''
or:
ModifyingApplication|startswith: 'C:\Program Files\Windows Defender\'
ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ModifyingApplication|endswith: '\MsMpEng.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Action`	eq	`2` corpus 2 (sigma 2)
`ApplicationPath`	ends_with	`\MsMpEng.exe`
`ApplicationPath`	eq	`System`
`ApplicationPath`	match	`C:\PerfLogs\` `C:\Temp\` `C:\Tmp\` `C:\Users\Public\` `C:\Windows\Tasks\` `C:\Windows\Temp\` `\AppData\Local\Temp\` corpus 2 (sigma 2)
`ApplicationPath`	starts_with	`C:\Program Files (x86)\` `C:\Program Files\` `C:\Program Files\Windows Defender\` `C:\ProgramData\Microsoft\Windows Defender\Platform\` `C:\Windows\SysWOW64\` `C:\Windows\System32\` `C:\Windows\WinSxS\`
`ModifyingApplication`	ends_with	`\MsMpEng.exe` corpus 2 (sigma 2) `\TiWorker.exe`
`ModifyingApplication`	eq	`C:\Windows\System32\dllhost.exe` `C:\Windows\System32\svchost.exe` corpus 2 (sigma 2)
`ModifyingApplication`	starts_with	`C:\Program Files\Windows Defender\` `C:\ProgramData\Microsoft\Windows Defender\Platform\` corpus 2 (sigma 2) `C:\Windows\WinSxS\` corpus 2 (sigma 2)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.