Detectionmediumtest

Uncommon New Firewall Rule Added In Windows Firewall Exception List

Detects when a rule has been added to the Windows Firewall exception list

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Sat Feb 19Updated Wed Oct 08cde0a575-7d3d-4a49-9817-b8004a7bf105windows
Log Source
Windowsfirewall-as
ProductWindows← raw: windows
Servicefirewall-as← raw: firewall-as
Detection Logic
Detection Logic9 selectors
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
    filter_main_block:
        Action: 2 # Block
    filter_main_generic:
        ApplicationPath|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_main_covered_paths:
        # This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
        ApplicationPath|contains:
            - 'C:\PerfLogs\'
            - 'C:\Temp\'
            - 'C:\Tmp\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Tasks\'
            - 'C:\Windows\Temp\'
            - '\AppData\Local\Temp\'
    filter_main_system_dllhost:
        ApplicationPath: 'System'
        ModifyingApplication: 'C:\Windows\System32\dllhost.exe'
    filter_main_tiworker:
        ModifyingApplication|startswith: 'C:\Windows\WinSxS\'
        ModifyingApplication|endswith: '\TiWorker.exe'
    filter_main_null:
        ApplicationPath: null
    filter_optional_no_path:
        # This filter filters a lot of FPs related to Windows Services
        ModifyingApplication:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\dllhost.exe'
        ApplicationPath: ''
    filter_optional_msmpeng:
        - ModifyingApplication|startswith:
              - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
              - 'C:\Program Files\Windows Defender\'
          ModifyingApplication|endswith: '\MsMpEng.exe'
        - ApplicationPath|startswith:
              - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
              - 'C:\Program Files\Windows Defender\'
          ApplicationPath|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
Rule Metadata
Rule ID
cde0a575-7d3d-4a49-9817-b8004a7bf105
Status
test
Level
medium
Type
Detection
Created
Sat Feb 19
Modified
Wed Oct 08
Path
rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
Raw Tags
attack.defense-evasionattack.t1562.004
View on GitHub