
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application

Severity: high
Author: frack113
Source: upstream

Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.

MITRE ATT&CK coverage

Tactic             Technique
Defense Evasion    T1562.004 Impair Defenses: Disable or Modify System Firewall

Event coverage

Provider                                   Event ID   Title
Windows-Firewall-With-Advanced-Security    2004
Windows-Firewall-With-Advanced-Security    2071
Windows-Firewall-With-Advanced-Security    2097

Stages and Predicates

Stage 1: selection

or:
  ApplicationPath|contains: ':\PerfLogs\'
  ApplicationPath|contains: ':\Temp\'
  ApplicationPath|contains: ':\Tmp\'
  ApplicationPath|contains: ':\Users\Public\'
  ApplicationPath|contains: ':\Windows\Tasks\'
  ApplicationPath|contains: ':\Windows\Temp\'
  ApplicationPath|contains: '\AppData\Local\Temp\'

Stage 2: not 1 of filter_main_block

filter_main_block:
  Action: 2
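The two stages above can be read as a single predicate: an event matches when its ApplicationPath contains one of the listed fragments and it is not excluded by the filter (Action equals 2). The following Python is an added example, not the catalog's or the rule author's own tooling. It assumes firewall events are available as dicts carrying the Sigma field names the rule uses (ApplicationPath, Action) plus the EventID listed under event coverage; the real field names depend on the log-source mapping in your pipeline. String matching is case-insensitive, as Sigma's |contains modifier is by default, and the sample events are constructed for illustration.

```python
"""Evaluate this rule's selection / filter logic over Windows Firewall events.

Added example (not the page's own code). Events are plain dicts with the
field names the rule uses; assumed field names, not a real log-source schema.
"""

# Event IDs the page lists under "Event coverage".
FIREWALL_RULE_ADDED_EVENT_IDS = {2004, 2071, 2097}

# Stage 1 (selection): path fragments from the rule, written with doubled
# backslashes because a Python raw string cannot end in a backslash.
SUSPICIOUS_PATH_FRAGMENTS = (
    ":\\PerfLogs\\",
    ":\\Temp\\",
    ":\\Tmp\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
)

# Stage 2 (filter_main_block): events with this Action value are excluded.
FILTERED_ACTION = 2


def selection(event):
    """Sigma 'ApplicationPath|contains' over the list, case-insensitive (OR)."""
    path = str(event.get("ApplicationPath", "")).lower()
    return any(fragment.lower() in path for fragment in SUSPICIOUS_PATH_FRAGMENTS)


def filter_main_block(event):
    """True when the event carries the filtered Action value (int or str)."""
    return str(event.get("Action", "")) == str(FILTERED_ACTION)


def matches(event):
    """Full condition: covered event ID, selection hit, and not filtered."""
    if event.get("EventID") not in FIREWALL_RULE_ADDED_EVENT_IDS:
        return False
    return selection(event) and not filter_main_block(event)


def run(events):
    """Return the events that would raise this detection."""
    return [event for event in events if matches(event)]


# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 2004, "RuleName": "Updater",
     "ApplicationPath": "C:\\Users\\Public\\updater.exe", "Action": 3},
    # Same suspicious path, but Action == 2 -> removed by filter_main_block.
    {"EventID": 2004, "RuleName": "Filtered",
     "ApplicationPath": "C:\\Users\\Public\\filtered.exe", "Action": 2},
    # Lower-case path still hits '\AppData\Local\Temp\' (case-insensitive).
    {"EventID": 2071, "RuleName": "TempTool",
     "ApplicationPath": "c:\\users\\alice\\appdata\\local\\temp\\tool.exe", "Action": 3},
    # Ordinary install location -> no selection hit.
    {"EventID": 2004, "RuleName": "Browser",
     "ApplicationPath": "C:\\Program Files\\Vendor\\browser.exe", "Action": 3},
    # Constructed, non-covered event ID -> ignored regardless of path.
    {"EventID": 9999, "RuleName": "NotCovered",
     "ApplicationPath": "C:\\Windows\\Temp\\x.exe", "Action": 3},
]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} rule={hit['RuleName']} "
              f"path={hit['ApplicationPath']}")
```

Two of the five constructed events fire (Updater and TempTool). The Action comparison is done on the string form so that the check behaves the same whether the log source delivers the field as an integer or as text; a mismatch there is a common reason a ported Sigma filter silently stops excluding anything.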

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field             Kind     Values
Action            eq       2 (corpus 2, sigma 2)
ApplicationPath   match    corpus 2 (sigma 2)
  • :\PerfLogs\
  • :\Temp\
  • :\Tmp\
  • :\Users\Public\
  • :\Windows\Tasks\
  • :\Windows\Temp\
  • \AppData\Local\Temp\

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you are authoring a multi-stage or sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.