diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml index ad1e4499e..99647a350 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml @@ -6,16 +6,18 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 -modified: 2023/01/17 +modified: 2023/04/21 logsource: product: windows service: firewall-as detection: selection: - EventID: 2004 # A rule has been added to the Windows Defender Firewall exception list - filter_block: + EventID: + - 2004 # A rule has been added to the Windows Defender Firewall exception list + - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11) + filter_main_block: Action: 2 - filter_installations: + filter_main_installations: - ApplicationPath|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' @@ -26,8 +28,8 @@ detection: - 'C:\Windows\System32\svchost.exe' - 'C:\Windows\System32\dllhost.exe' - 'C:\Program Files\Windows Defender\MsMpEng.exe' - filter_msmpeng: + filter_optional_msmpeng: ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' ModifyingApplication|endswith: '\MsMpEng.exe' - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* level: medium diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml index 3b03a2e00..9e879f96d 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml 
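Review bot: `filter_main_block` excludes events with `Action: 2`, but nothing in the rule records what action code 2 denotes, so a tuner cannot tell whether the filter drops block rules or allow rules without consulting the event schema; an inline comment such as `Action: 2  # <meaning of action code 2 — confirm against the event schema>` would fix that here and in the same stanza of win_firewall_as_add_rule_susp_folder.yml. The new EventID comments also tag the OS inconsistently across this commit: 2004 carries no OS tag here while the same ID gets "(Windows 10)" in the susp_folder rule, 2005 in win_firewall_as_change_rule.yml is tagged, and 2006, 2033, 2032 and 2002/2003 in the delete_rule, delete_all_rules, reset_config and setting_change rules are not; `- 2004 # A rule has been added to the Windows Defender Firewall exception list (Windows 10)` would match the sibling. The filters were written against 2004 and are now applied to 2071 as well; whether the Windows 11 event exposes ApplicationPath and ModifyingApplication under the same names is not visible here and is worth confirming on a Windows 11 sample, since a field-name change would silently disable the exclusions for that ID.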
@@ -10,26 +10,27 @@ references: - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/# author: frack113 date: 2023/02/26 +modified: 2023/04/21 logsource: product: windows service: firewall-as detection: selection: - EventID: - - 2004 # Windows 10 - - 2071 # Windows 10 and 11 + EventID: + - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10) + - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11) ApplicationPath|contains: - '\AppData\' - - '\temp\' - filter_block: + - '\Temp\' + filter_main_block: Action: 2 - filter_valid_appdata_app: - # Don't hesitate to contribute - ApplicationPath|endswith: - - 'AppData\local\microsoft\teams\current\teams.exe' - - 'AppData\Local\Keybase\keybase.exe' - - 'AppData\Local\Programs\Messenger\Messenger.exe' - condition: selection and not 1 of filter_* + filter_optional_teams: + ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe' + filter_optional_keybase: + ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe' + filter_optional_messenger: + ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Any legitimate application that runs from the AppData user directory level: high diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml index dede28059..b88773ccf 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml 
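Review bot: The rewritten comment on 2071 says "(Windows 11)" where the removed line said "Windows 10 and 11", so the commit narrows the documented scope of that event without saying why; if 2071 is also emitted by later Windows 10 builds, as the old comment claimed, the label should stay `- 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10 and 11)`, and the same label then applies to the add_rule sibling. The three new optional filters mix path casing, `'\AppData\local\microsoft\teams\current\teams.exe'` beside `'\AppData\Local\Keybase\keybase.exe'`; Sigma string matching is case-insensitive by default so this is cosmetic, but normalising to the Explorer casing keeps the list greppable. `filter_main_block` keys on `Action: 2` with no comment on what code 2 denotes, which is worth a short inline note so the filter's name and its value can be checked against each other.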
@@ -6,16 +6,18 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 -modified: 2023/01/17 +modified: 2023/04/21 logsource: product: windows service: firewall-as detection: selection: - EventID: 2005 # A rule has been modified in the Windows Defender Firewall exception list - filter_generic: + EventID: + - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10) + - 2073 # A rule has been modified in the Windows Defender Firewall exception list. (Windows 11) + filter_main_generic: ModifyingApplication|startswith: - 'C:\Program Files (x86)\' - 'C:\Program Files\' - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_main_* level: low diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml index fd09f8d20..e273afad9 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml 
@@ -4,22 +4,25 @@ status: experimental description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -author: frack113, Nasreddine Bencherchali +author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/01/17 +modified: 2023/04/21 logsource: product: windows service: firewall-as detection: selection: - EventID: 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer - filter_generic: + EventID: + - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer + - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11) + filter_main_generic: ModifyingApplication|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - filter_svchost: + filter_main_svchost: ModifyingApplication: 'C:\Windows\System32\svchost.exe' - filter_msmpeng: + filter_optional_msmpeng: ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' ModifyingApplication|endswith: '\MsMpEng.exe' - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* level: high diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml index 02cf7a12b..85d9a9c47 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml 
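Review bot: The context line `description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration` has a stray article that the commit leaves in place while editing the metadata directly below it; `description: Detects when all the rules have been deleted from the Windows Defender Firewall configuration` reads correctly. The new 2059 entry's comment ends in a period and an OS tag while the 2033 entry's has neither, so the two lines of the pair are in different form; giving 2033 the same shape, `- 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 10)`, makes the list scan as one.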
@@ -6,21 +6,23 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 -modified: 2023/01/17 +modified: 2023/04/21 logsource: product: windows service: firewall-as detection: selection: - EventID: 2006 # A rule has been deleted in the Windows Defender Firewall exception list - filter_generic: + EventID: + - 2006 # A rule has been deleted in the Windows Defender Firewall exception list + - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11) + filter_main_generic: ModifyingApplication|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - filter_svchost: + filter_main_svchost: ModifyingApplication: 'C:\Windows\System32\svchost.exe' - filter_msmpeng: + filter_optional_msmpeng: ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' ModifyingApplication|endswith: '\MsMpEng.exe' - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* level: medium diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml index 3f492f622..6b57a6622 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml 
@@ -6,12 +6,14 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022/02/19 -modified: 2023/01/17 +modified: 2023/04/21 logsource: product: windows service: firewall-as detection: selection: - EventID: 2032 # Windows Defender Firewall has been reset to its default configuration + EventID: + - 2032 # Windows Defender Firewall has been reset to its default configuration + - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11) condition: selection level: low diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml index 81bb75a6a..9bac61aa0 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml @@ -4,17 +4,19 @@ status: experimental description: Detects activity when the settings of the Windows firewall have been changed references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) -author: frack113 +author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2022/02/19 -modified: 2023/01/17 +modified: 2023/04/21 logsource: product: windows service: firewall-as detection: selection: EventID: - - 2002 # A Windows Firewall setting has changed. - - 2003 # A Windows Firewall setting in the profile has changed + - 2002 # A Windows Defender Firewall setting has changed. + - 2083 # A Windows Defender Firewall setting has changed. (Windows 11) + - 2003 # A Windows Firewall setting in the profile has changed + - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11) - 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied # - 2010 # Network profile changed on an interface. condition: selection
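Review bot: The comment on the new 2082 line in win_firewall_as_setting_change.yml copies the event's message template verbatim, `in the %1 profile`, so the `%1` substitution marker ends up in the rule; `- 2082 # A Windows Defender Firewall setting in the <profile> profile has changed. (Windows 11)` says what the reader needs. In the same list the commit updates 2002's text to "Windows Defender Firewall" but leaves 2003 as `A Windows Firewall setting in the profile has changed`, so the two Windows 10 entries now name the product differently; aligning 2003 with 2002 keeps the pair consistent. The commented-out `# - 2010` entry is carried over with no note on why it is disabled, which a one-word reason after it would settle.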