Type: Threat Hunt | Level: low | Status: test
Firewall Rule Modified In The Windows Firewall Exception List
Detects when a rule has been modified in the Windows firewall exception list
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Service: firewall-as (raw: firewall-as)
Detection Logic (6 selectors)
detection:
  selection:
    EventID:
      - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10)
      - 2073 # A rule has been modified in the Windows Defender Firewall exception list (Windows 11)
  filter_optional_teams:
    ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe'
  filter_optional_keybase:
    ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe'
  filter_optional_messenger:
    ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe'
  filter_optional_opera:
    ApplicationPath|contains|all:
      - ':\Users\'
      - '\AppData\Local\Programs\Opera\'
      - '\opera.exe'
  filter_optional_brave:
    ApplicationPath|contains|all:
      - ':\Users\'
      - '\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe'
  condition: selection and not 1 of filter_optional_*

References
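To see how the six selectors combine (the filters only suppress an event when every `contains|all` fragment is present, and Sigma matching is case-insensitive), here is an added example, not the rule's own code nor a Sigma backend, that evaluates the detection logic above in Python against constructed Windows firewall events. EventID and ApplicationPath are the rule's field names; the event values are made up.

```python
import fnmatch

# Detection logic transcribed from the Sigma rule above. This small evaluator
# is an illustration, not the Sigma reference engine. Sigma string matching is
# case-insensitive, so both sides are lower-cased before comparison.
RULE = {
    "selection": {"EventID": [2005, 2073]},
    "filter_optional_teams": {"ApplicationPath|endswith": "\\AppData\\local\\microsoft\\teams\\current\\teams.exe"},
    "filter_optional_keybase": {"ApplicationPath|endswith": "\\AppData\\Local\\Keybase\\keybase.exe"},
    "filter_optional_messenger": {"ApplicationPath|endswith": "\\AppData\\Local\\Programs\\Messenger\\Messenger.exe"},
    "filter_optional_opera": {"ApplicationPath|contains|all": [":\\Users\\", "\\AppData\\Local\\Programs\\Opera\\", "\\opera.exe"]},
    "filter_optional_brave": {"ApplicationPath|contains|all": [":\\Users\\", "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\brave.exe"]},
}

def _field_matches(event, key, expected):
    """Apply one 'field|modifier...' clause; a list of values is OR-ed."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    wanted = [str(w).lower() for w in (expected if isinstance(expected, list) else [expected])]
    if "endswith" in mods:
        return any(value.endswith(w) for w in wanted)
    if "contains" in mods:
        hits = [w in value for w in wanted]
        return all(hits) if "all" in mods else any(hits)
    return value in wanted  # plain equality

def _selector_matches(event, selector):
    return all(_field_matches(event, k, v) for k, v in selector.items())

def matches(event):
    """True when the event fires: selection and not 1 of filter_optional_*."""
    if not _selector_matches(event, RULE["selection"]):
        return False
    filters = [n for n in RULE if fnmatch.fnmatch(n, "filter_optional_*")]
    return not any(_selector_matches(event, RULE[f]) for f in filters)

# Constructed sample events, not real telemetry.
EVENTS = [
    {"EventID": 2005, "ApplicationPath": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"EventID": 2073, "ApplicationPath": r"C:\Users\bob\AppData\Local\Programs\Opera\opera.exe"},
    {"EventID": 2073, "ApplicationPath": r"C:\Users\bob\AppData\Local\Temp\updater.exe"},
    {"EventID": 2004, "ApplicationPath": r"C:\Users\bob\AppData\Local\Temp\updater.exe"},
]

def hunt(events):
    """Return the events the rule would surface for review."""
    return [e for e in events if matches(e)]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["EventID"], hit["ApplicationPath"])
```

Only the unknown `updater.exe` rule change survives the filters; the same Brave binary launched from outside a `:\Users\` profile directory is not filtered, because the `contains|all` fragments must all be present.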
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1562.004 (attack.t1562.004)
Other: detection.threat-hunting
Rule Metadata
Rule ID
5570c4d9-8fdd-4622-965b-403a5a101aa0
Status
test
Level
low
Type
Threat Hunt
Created
Sat Feb 19
Modified
Mon Jan 22
Author
Path
rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
Raw Tags
attack.defense-evasion
attack.t1562.004
detection.threat-hunting