feat: update fw rules eids

rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml

@@ -6,16 +6,18 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2023/01/17
+modified: 2023/04/21
 logsource:
     product: windows
     service: firewall-as
 detection:
     selection:
-        EventID: 2004 # A rule has been added to the Windows Defender Firewall exception list
-    filter_block:
+        EventID:
+            - 2004 # A rule has been added to the Windows Defender Firewall exception list
+            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+    filter_main_block:
         Action: 2
-    filter_installations:
+    filter_main_installations:
         - ApplicationPath|startswith:
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'
@@ -26,8 +28,8 @@ detection:
             - 'C:\Windows\System32\svchost.exe'
             - 'C:\Windows\System32\dllhost.exe'
             - 'C:\Program Files\Windows Defender\MsMpEng.exe'
-    filter_msmpeng:
+    filter_optional_msmpeng:
         ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
         ModifyingApplication|endswith: '\MsMpEng.exe'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 level: medium

rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml

@@ -10,26 +10,27 @@ references:
     - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
 author: frack113
 date: 2023/02/26
+modified: 2023/04/21
 logsource:
     product: windows
     service: firewall-as
 detection:
     selection:
-        EventID: 
-            - 2004 # Windows 10
-            - 2071 # Windows 10 and 11
+        EventID:
+            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
+            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
         ApplicationPath|contains:
             - '\AppData\'
-            - '\temp\'
-    filter_block:
+            - '\Temp\'
+    filter_main_block:
         Action: 2
-    filter_valid_appdata_app:
-         # Don't hesitate to contribute
-         ApplicationPath|endswith:
-             - 'AppData\local\microsoft\teams\current\teams.exe'
-             - 'AppData\Local\Keybase\keybase.exe'
-             - 'AppData\Local\Programs\Messenger\Messenger.exe'
-    condition: selection and not 1 of filter_*
+    filter_optional_teams:
+        ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe'
+    filter_optional_keybase:
+        ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe'
+    filter_optional_messenger:
+        ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Any legitimate application that runs from the AppData user directory
 level: high

rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml

@@ -6,16 +6,18 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2023/01/17
+modified: 2023/04/21
 logsource:
     product: windows
     service: firewall-as
 detection:
     selection:
-        EventID: 2005 # A rule has been modified in the Windows Defender Firewall exception list
-    filter_generic:
+        EventID:
+            - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10)
+            - 2073 # A rule has been modified in the Windows Defender Firewall exception list. (Windows 11)
+    filter_main_generic:
         ModifyingApplication|startswith:
             - 'C:\Program Files (x86)\'
             - 'C:\Program Files\'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_*
 level: low

rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml

@@ -4,22 +4,25 @@ status: experimental
 description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
 references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-author: frack113, Nasreddine Bencherchali
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/17
+modified: 2023/04/21
 logsource:
     product: windows
     service: firewall-as
 detection:
     selection:
-        EventID: 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
-    filter_generic:
+        EventID:
+            - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
+            - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
+    filter_main_generic:
         ModifyingApplication|startswith:
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'
-    filter_svchost:
+    filter_main_svchost:
         ModifyingApplication: 'C:\Windows\System32\svchost.exe'
-    filter_msmpeng:
+    filter_optional_msmpeng:
         ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
         ModifyingApplication|endswith: '\MsMpEng.exe'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 level: high

rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml

@@ -6,21 +6,23 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2023/01/17
+modified: 2023/04/21
 logsource:
     product: windows
     service: firewall-as
 detection:
     selection:
-        EventID: 2006 # A rule has been deleted in the Windows Defender Firewall exception list
-    filter_generic:
+        EventID:
+            - 2006 # A rule has been deleted in the Windows Defender Firewall exception list
+            - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)
+    filter_main_generic:
         ModifyingApplication|startswith:
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'
-    filter_svchost:
+    filter_main_svchost:
         ModifyingApplication: 'C:\Windows\System32\svchost.exe'
-    filter_msmpeng:
+    filter_optional_msmpeng:
         ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
         ModifyingApplication|endswith: '\MsMpEng.exe'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 level: medium

rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml

@@ -6,12 +6,14 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2023/01/17
+modified: 2023/04/21
 logsource:
     product: windows
     service: firewall-as
 detection:
     selection:
-        EventID: 2032 # Windows Defender Firewall has been reset to its default configuration
+        EventID:
+            - 2032 # Windows Defender Firewall has been reset to its default configuration
+            - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)
     condition: selection
 level: low

rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml

@@ -4,17 +4,19 @@ status: experimental
 description: Detects activity when the settings of the Windows firewall have been changed
 references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
-author: frack113
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/02/19
-modified: 2023/01/17
+modified: 2023/04/21
 logsource:
     product: windows
     service: firewall-as
 detection:
     selection:
         EventID:
-            - 2002  # A Windows Firewall setting has changed.
-            - 2003  # A Windows Firewall setting in the profile has changed
+            - 2002 # A Windows Defender Firewall setting has changed.
+            - 2083 # A Windows Defender Firewall setting has changed. (Windows 11)
+            - 2003 # A Windows Firewall setting in the profile has changed
+            - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)
             - 2008  # Windows Firewall Group Policy settings have changed. The new settings have been applied
             # - 2010  # Network profile changed on an interface.
     condition: selection