Detectionlowtest
Firewall Configuration Discovery Via Netsh.EXE
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, Christopher Peacock, SCYTHECreated Tue Dec 07Updated Sat Oct 180e4164da-94bc-450d-a7be-a4b176179f1fwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'netsh'
- 'show '
- 'firewall '
CommandLine|contains:
- 'config '
- 'state '
- 'rule '
- 'name=all'
condition: all of selection_*False Positives
Administrative activity
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
0e4164da-94bc-450d-a7be-a4b176179f1f
Status
test
Level
low
Type
Detection
Created
Tue Dec 07
Modified
Sat Oct 18
Author
Path
rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
Raw Tags
attack.discoveryattack.t1016