New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
Log Source
Product
windows
Service
firewall-as
Detection Logic
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
        ApplicationPath|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    filter_main_block:
        Action: 2 # Block
    condition: selection and not 1 of filter_main_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
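As an added example (not code from the Sigma rule or project), a small Python evaluator that applies the selection and filter above to constructed Windows Firewall events, following Sigma's default case-insensitive `contains` matching; the field names and the Action value 3 for Allow are assumptions, only `2 # Block` comes from the rule.

```python
# Added example: evaluate this Sigma rule's logic over constructed firewall events.
from dataclasses import dataclass

# Values taken from the rule's selection and filter_main_block.
TRIGGER_EVENT_IDS = {2004, 2071, 2097}
SUSPICIOUS_PATH_FRAGMENTS = (
    ':\\PerfLogs\\', ':\\Temp\\', ':\\Tmp\\', ':\\Users\\Public\\',
    ':\\Windows\\Tasks\\', ':\\Windows\\Temp\\', '\\AppData\\Local\\Temp\\',
)
ACTION_BLOCK = 2  # filter_main_block: a rule that blocks traffic is filtered out


@dataclass
class FirewallEvent:
    """Minimal stand-in for a Windows Firewall event; field names are assumed."""
    event_id: int
    application_path: str
    action: int  # 2 = Block (from the rule); 3 = Allow is an assumption


def matches_rule(ev: FirewallEvent) -> bool:
    """Return True when 'selection and not 1 of filter_main_*' holds."""
    # Sigma's 'contains' modifier is case-insensitive by default.
    path = ev.application_path.lower()
    selection = ev.event_id in TRIGGER_EVENT_IDS and any(
        frag.lower() in path for frag in SUSPICIOUS_PATH_FRAGMENTS
    )
    filter_main_block = ev.action == ACTION_BLOCK
    return selection and not filter_main_block


def flag_events(events) -> list:
    """Return the application paths of events that trigger the rule."""
    return [ev.application_path for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FirewallEvent(2004, r'C:\Users\Public\updater.exe', 3),          # match
    FirewallEvent(2071, r'C:\Windows\Temp\svc.exe', 2),              # filtered: Block
    FirewallEvent(2004, r'C:\Program Files\Vendor\app.exe', 3),      # path not suspicious
    FirewallEvent(2006, r'C:\Temp\tool.exe', 3),                     # EventID not in rule
    FirewallEvent(2097, r'c:\users\bob\appdata\local\temp\x.exe', 3),  # match, mixed case
]

if __name__ == '__main__':
    for path in flag_events(SAMPLE_EVENTS):
        print('ALERT:', path)
```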
MITRE ATT&CK
Tactics
Defense Evasion
Sub-techniques
T1562.004
Rule Metadata
Rule ID
9e2575e7-2cb9-4da1-adc8-ed94221dca5e
Status
test
Level
high
Type
Detection
Created
Sun Feb 26
Modified
Fri May 10
Author
Path
rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
Raw Tags
attack.defense-evasion
attack.t1562.004