
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE

Detects the addition of a new "Allow" firewall rule where the modifying application is the WMI provider host (WmiPrvSE.EXE). This is what the event records when a rule is created through WMI rather than through the firewall console or netsh: for example, an attacker running PowerShell NetSecurity cmdlets such as "New-NetFirewallRule", which are CIM-based and have the change carried out inside WmiPrvSE.EXE, or working directly with WMI CIM classes such as "MSFT_NetFirewallRule". Because the event names WmiPrvSE.EXE and not the script host or WMI client that issued the request, the originating PowerShell or WMI activity has to be found in other telemetry, such as process creation or PowerShell script block logs.

Authors: François Hubaut, Nasreddine Bencherchali (Nextron Systems)
Created: Fri May 10
Rule ID: eca81e8d-09e1-4d04-8614-c91f44fd0519
Log Source
Product: windows
Service: firewall-as
Detection Logic
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
        Action: 3 # Allow
        ModifyingApplication|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
    condition: selection
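As an added example (not part of the rule or the SigmaHQ project), the selection above transcribed into Python and run over a handful of constructed firewall events, so the matching semantics can be checked offline: the EventID list is an OR, the three fields are ANDed, and Sigma's endswith is case-insensitive and anchored at ":\Windows\...", so it covers any drive letter. The event dictionaries use the EventData field names the rule references (EventID, Action, ModifyingApplication); every value in them is made up for the example.

```python
"""Apply the Sigma selection above to constructed Windows firewall events."""
from typing import Any, Dict, List

# Transcribed from the rule's selection: the three conditions are ANDed,
# and the EventID list is an OR over its members.
RULE_EVENT_IDS = {2004, 2071, 2097}
RULE_ACTION_ALLOW = 3  # Action field value 3 = Allow in these events
RULE_APP_SUFFIX = r":\Windows\System32\wbem\WmiPrvSE.exe"  # |endswith modifier


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma string matching is case-insensitive by default, which is also
    what Windows paths need (WmiPrvSE.exe vs wmiprvse.exe)."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: Dict[str, Any]) -> bool:
    """Return True if one flattened event satisfies the rule's selection.

    Missing or malformed fields make the event a non-match rather than
    raising, which is how a SIEM backend treats incomplete records."""
    try:
        event_id = int(event["EventID"])
        action = int(event["Action"])
        app = str(event["ModifyingApplication"])
    except (KeyError, TypeError, ValueError):
        return False
    return (
        event_id in RULE_EVENT_IDS
        and action == RULE_ACTION_ALLOW
        and sigma_endswith(app, RULE_APP_SUFFIX)
    )


def find_matches(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Filter a list of events down to the ones the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Only the fields the rule
# needs, plus RuleName and ModifyingUser for triage, are included.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {  # 1. New-NetFirewallRule from an elevated PowerShell: matches
        "EventID": 2004, "Action": 3, "RuleName": "Remote Support Inbound",
        "ModifyingApplication": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "ModifyingUser": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    },
    {  # 2. Windows 11 event ID, values as strings, path in lower case: matches
        "EventID": "2071", "Action": "3", "RuleName": "updater",
        "ModifyingApplication": r"c:\windows\system32\wbem\wmiprvse.exe",
        "ModifyingUser": "S-1-5-18",
    },
    {  # 3. Block rule created via WMI: Action 2, outside the rule's scope
        "EventID": 2004, "Action": 2, "RuleName": "Deny telnet",
        "ModifyingApplication": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "ModifyingUser": "S-1-5-18",
    },
    {  # 4. Same rule added in the MMC console: different modifying application
        "EventID": 2004, "Action": 3, "RuleName": "Remote Support Inbound",
        "ModifyingApplication": r"C:\Windows\System32\mmc.exe",
        "ModifyingUser": "S-1-5-21-1111111111-2222222222-3333333333-500",
    },
    {  # 5. Windows installed on another drive letter: suffix still matches
        "EventID": 2097, "Action": 3, "RuleName": "svc listener",
        "ModifyingApplication": r"D:\Windows\System32\wbem\WmiPrvSE.exe",
        "ModifyingUser": "S-1-5-18",
    },
    {  # 6. Rule deletion (2006) via WMI: not an addition event
        "EventID": 2006, "Action": 3, "RuleName": "svc listener",
        "ModifyingApplication": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "ModifyingUser": "S-1-5-18",
    },
    {  # 7. Record with ModifyingApplication missing: treated as a non-match
        "EventID": 2004, "Action": 3, "RuleName": "partial",
    },
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} rule={hit['RuleName']!r} "
              f"user={hit['ModifyingUser']} app={hit['ModifyingApplication']}")
```

On a live host the equivalent records come from the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log (for example Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id=2004,2071,2097}); the EventData fields then need to be lifted into the flat dictionaries the function expects. The event names WmiPrvSE.exe as the modifying application, not the PowerShell or WMI client, so triage pivots on ModifyingUser and on the host's process-creation or script block logs to find who issued the rule change.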
False Positives

Administrator scripts or activity that create "Allow" rules through the NetSecurity PowerShell cmdlets or WMI, since those show the same WmiPrvSE.EXE modifying application.

Rule Metadata
Rule ID
eca81e8d-09e1-4d04-8614-c91f44fd0519
Status
test
Level
medium
Type
Detection
Created
Fri May 10
Path
rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
Raw Tags
attack.defense-evasion
attack.t1562.004