Merge pull request #795 from SanWieb/Rule-improvement-Netsh-program-allowed

Rule improvement: netsh Application or Port allowed

rules/windows/process_creation/win_netsh_fw_add.yml

@@ -1,4 +1,4 @@
-title: Netsh
+title: Netsh Port or Application Allowed
 id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
 description: Allow Incoming Connections by Port or Application on Windows Firewall
 references:
@@ -10,15 +10,18 @@ tags:
     - attack.command_and_control
     - attack.t1090 
 status: experimental
-author: Markus Neis
+author: Markus Neis, Sander Wiebing
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection1:
         CommandLine:
-            - '*netsh firewall add*'
-    condition: selection
+            - '*netsh*'
+    selection2:
+        CommandLine:
+            - '*firewall add*'
+    condition: selection1 and selection2
 falsepositives:
     - Legitimate administration
 level: medium

rules/windows/process_creation/win_netsh_fw_add_susp_image.yml

@@ -0,0 +1,54 @@
+title: Netsh Program Allowed with Suspcious Location
+id: a35f5a72-f347-4e36-8895-9869b0d5fc6d 
+description: Detects Netsh commands that allows a suspcious application location on Windows Firewall
+references:
+    - https://www.virusradar.com/en/Win32_Kasidet.AD/description
+    - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
+date: 2020/05/25
+tags:
+    - attack.lateral_movement
+    - attack.command_and_control
+    - attack.t1090 
+status: experimental
+author: Sander Wiebing
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine|contains|all:
+            - 'netsh'
+            - 'firewall add allowedprogram'
+    selection2:
+        CommandLine|contains|all:
+            - netsh
+            - advfirewall firewall add rule
+            - action=allow
+            - program=
+    susp_image:
+        CommandLine|contains:
+            - '*%TEMP%*'
+            - '*:\RECYCLER\\*'
+            - '*C:\$Recycle.bin\\*'
+            - '*:\SystemVolumeInformation\\*'
+            - 'C:\\Windows\\Tasks\\*'
+            - 'C:\\Windows\\debug\\*'
+            - 'C:\\Windows\\fonts\\*'
+            - 'C:\\Windows\\help\\*'
+            - 'C:\\Windows\\drivers\\*'
+            - 'C:\\Windows\\addins\\*'
+            - 'C:\\Windows\\cursors\\*'
+            - 'C:\\Windows\\system32\tasks\\*'
+            - '*C:\Windows\Temp\\*'
+            - '*C:\Temp\\*'
+            - '*C:\Users\Public\\*'
+            - '%Public%\\*'
+            - '*C:\Users\Default\\*'
+            - '*C:\Users\Desktop\\*'
+            - '*\Downloads\\*'
+            - '*\Temporary Internet Files\Content.Outlook\\*'
+            - '*\Local Settings\Temporary Internet Files\\*'
+    condition: (selection1 or selection2) and susp_image
+falsepositives:
+    - Legitimate administration
+level: high