From 38276d96b8ed00b3aab02474cac018cfe8e897b9 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Mon, 11 Apr 2022 13:06:15 -0400
Subject: [PATCH] Update proc_creation_win_susp_netsh_command.yml

Update to catch other procedures for Firewall Enumerations like run cmd.exe /c netsh firewall show state & netsh firewall show config.
---
 .../proc_creation_win_susp_netsh_command.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml b/rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml
index c2e8f7426..4101f92d6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml
@@ -4,21 +4,28 @@ status: experimental
 description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
-author: frack113
+author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2021/12/07
+modified: 2022/05/11
 logsource:
 category: process_creation
 product: windows
 detection:
- network_cmd:
+ network_cmd1:
 CommandLine|contains|all:
 - 'netsh '
+ - 'show '
+ network_cmd2:
+ CommandLine|contains:
 - 'advfirewall '
 - 'firewall '
- - 'show '
+ network_cmd3:
+ CommandLine|contains:
+ - 'config '
+ - 'state '
 - 'rule '
 - 'name=all'
- condition: network_cmd
+ condition: network_cmd1 and network_cmd2 and network_cmd3
 falsepositives:
 - Administrator, hotline ask to user
 level: low
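Review bot: The new `network_cmd3` tokens `'config '` and `'state '` carry a trailing space, so the exact invocations the commit message says it targets (`netsh firewall show state`, `netsh firewall show config`, where the keyword is the last token) will not match unless another argument or trailing whitespace follows; since `network_cmd1` already requires both `'netsh '` and `'show '`, the trailing space adds little precision here, so `- 'config'` and `- 'state'` (or an additional `CommandLine|endswith` selection) would close the gap. The `'firewall '` entry in `network_cmd2` is a substring of `'advfirewall '`, so that selection reduces to `firewall `; keeping both is harmless but worth a comment if intentional. The added `modified: 2022/05/11` is a month after the commit's own date of 11 Apr 2022, which looks like a typo for `modified: 2022/04/11`.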