Threat Hunt | low | test
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: PowerShell Module (raw: ps_module)
Definition
0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
Detection Logic (2 selectors)
detection:
    selection_payload:
        Payload|contains:
            - 'Get-NetFirewallRule'
            - 'Show-NetFirewallRule'
    selection_contextinfo:
        ContextInfo|contains:
            - 'Get-NetFirewallRule'
            - 'Show-NetFirewallRule'
    condition: 1 of selection_*
False Positives
Administration scripts
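To see what the two selectors and the "1 of selection_*" condition actually do, here is an added example that re-implements the rule's matching logic in Python and runs it over constructed PowerShell Module logging records. This is not code from the Sigma rule or from SigmaHQ; the event model (PsModuleEvent), the sample records and their labels are constructed for illustration. It relies on two facts about the rule: the ps_module log source corresponds to Event ID 4103 in Microsoft-Windows-PowerShell/Operational, and Sigma string matching with |contains is case-insensitive by default.

```python
from dataclasses import dataclass

# Strings the rule looks for (copied from the rule's two selectors).
RULE_PATTERNS = ("Get-NetFirewallRule", "Show-NetFirewallRule")

# Sigma's logsource category ps_module maps to Event ID 4103 in the
# Microsoft-Windows-PowerShell/Operational channel (module logging).
PS_MODULE_EVENT_ID = 4103


@dataclass
class PsModuleEvent:
    """Minimal model of a 4103 record: only the fields this rule inspects."""
    label: str          # hypothetical tag for the sample, not a real event field
    EventID: int
    Payload: str = ""
    ContextInfo: str = ""


def sigma_contains(value: str, needles) -> bool:
    """Sigma's |contains modifier: substring match, case-insensitive by default."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def selection_payload(ev: PsModuleEvent) -> bool:
    return sigma_contains(ev.Payload, RULE_PATTERNS)


def selection_contextinfo(ev: PsModuleEvent) -> bool:
    return sigma_contains(ev.ContextInfo, RULE_PATTERNS)


def rule_matches(ev: PsModuleEvent) -> bool:
    """Log source filter plus 'condition: 1 of selection_*' (a logical OR)."""
    if ev.EventID != PS_MODULE_EVENT_ID:
        return False
    return selection_payload(ev) or selection_contextinfo(ev)


def hunt(events):
    """Return the labels of the events the rule would flag, in input order."""
    return [ev.label for ev in events if rule_matches(ev)]


# Constructed sample records (not real logs); the field layouts mimic what
# PowerShell writes into the Payload and ContextInfo of a 4103 event.
SAMPLE_EVENTS = [
    PsModuleEvent(
        "payload-hit", 4103,
        Payload='CommandInvocation(Get-NetFirewallRule): "Get-NetFirewallRule"\r\n'
                'ParameterBinding(Get-NetFirewallRule): name="Enabled"; value="True"',
        ContextInfo="Severity = Informational\r\nHost Name = ConsoleHost\r\n"
                    "Command Name = Get-NetFirewallRule\r\nUser = CORP\\jdoe",
    ),
    # Cmdlet name appears only in ContextInfo: the second selector catches it.
    PsModuleEvent(
        "contextinfo-only-hit", 4103,
        Payload='CommandInvocation(Out-Default): "Out-Default"',
        ContextInfo="Severity = Informational\r\nHost Name = ConsoleHost\r\n"
                    "Command Name = Show-NetFirewallRule\r\nUser = CORP\\jdoe",
    ),
    # PowerShell cmdlet names are case-insensitive, and so is the Sigma match.
    PsModuleEvent(
        "lowercase-hit", 4103,
        Payload='CommandInvocation(get-netfirewallrule): "get-netfirewallrule"',
    ),
    PsModuleEvent(
        "benign", 4103,
        Payload='CommandInvocation(Get-Process): "Get-Process"',
        ContextInfo="Command Name = Get-Process\r\nUser = CORP\\jdoe",
    ),
    # Same cmdlet in a 4104 script block event (Sigma category ps_script, which
    # carries ScriptBlockText rather than Payload); modelled here only to show
    # that this rule's log source filter excludes it.
    PsModuleEvent(
        "wrong-logsource", 4104,
        Payload="Get-NetFirewallRule -Enabled True | Select-Object DisplayName",
    ),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Two things worth noting when hunting with this rule. First, 4103 events exist only where module logging is enabled for the NetSecurity module (or for all modules); without that setting the data source is empty and the rule cannot fire, so a clean result says nothing. Second, the rule is intentionally broad: every administration script that lists firewall rules produces the same record, which is why the page lists "Administration scripts" as a false positive and rates the rule as low-level threat-hunting content rather than an alert.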
MITRE ATT&CK
Tactics: Discovery (attack.discovery)
Techniques / Sub-techniques: T1016 System Network Configuration Discovery (attack.t1016), T1518.001 Security Software Discovery (attack.t1518.001)
Other: detection.threat-hunting
Rule Metadata
Rule ID: ea207a23-b441-4a17-9f76-ad5be47d51d3
Status: test
Level: low
Type: Threat Hunt
Created: Thu Jul 13
Author:
Path: rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
Raw Tags: detection.threat-hunting, attack.discovery, attack.t1518.001, attack.t1016