From 2678cd1d3e104bd916262f8a242c28006704a457 Mon Sep 17 00:00:00 2001
From: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Mon, 25 May 2020 09:50:47 +0200
Subject: [PATCH 1/3] Create win_netsh_fw_add_susp_image.yml
More critical version of the rule windows/process_creation/win_netsh_fw_add.yml with the suspicious image location check. Combined the following rules for the suspicious locations: https://github.com/Neo23x0/sigma//blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_run_locations.yml
---
 .../win_netsh_fw_add_susp_image.yml | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
new file mode 100644
index 000000000..bc54696cb
--- /dev/null
+++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
@@ -0,0 +1,54 @@
+title: Netsh Program Allowed with Suspcious Location
+id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
+description: Detects Netsh commands that allows a suspcious application location on Windows Firewall
+references:
+ - https://www.virusradar.com/en/Win32_Kasidet.AD/description
+ - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
+date: 2020/05/25
+tags:
+ - attack.lateral_movement
+ - attack.command_and_control
+ - attack.t1090
+status: experimental
+author: Sander Wiebing
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'netsh'
+ - 'firewall add allowedprogram'
+ selection2:
+ CommandLine|contains|all:
+ - netsh
+ - advfirewall firewall add rule
+ - action=allow
+ - program=
+ susp_image:
+ CommandLine|contains:
+ - '*%TEMP%*'
+ - '*:\RECYCLER\\*'
+ - '*C:\$Recycle.bin\\*'
+ - '*:\SystemVolumeInformation\\*'
+ - 'C:\\Windows\\Tasks\\*'
+ - 'C:\\Windows\\debug\\*'
+ - 'C:\\Windows\\fonts\\*'
+ - 'C:\\Windows\\help\\*'
+ - 'C:\\Windows\\drivers\\*'
+ - 'C:\\Windows\\addins\\*'
+ - 'C:\\Windows\\cursors\\*'
+ - 'C:\\Windows\\system32\tasks\\*'
+ - '*C:\Windows\Temp\\*'
+ - '*C:\Temp\\*'
+ - '*C:\Users\Public\\*'
+ - '%Public%\\*'
+ - '*C:\Users\Default\\*'
+ - '*C:\Users\Desktop\\*'
+ - '*\Downloads\\*'
+ - '*\Temporary Internet Files\Content.Outlook\\*'
+ - '*\Local Settings\Temporary Internet Files\\*'
+ condition: (selection1 or selection2) and susp_image
+falsepositives:
+ - Legitimate administration
+level: high
From 28652e4648fca1cbc48149163c001f209275c7dd Mon Sep 17 00:00:00 2001
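Review bot: `'*C:\Users\Desktop\\*'` in `susp_image` can never match a real profile path (user desktops sit under `C:\Users\<name>\Desktop\`), so that entry is dead; `'*\Desktop\\*'` would match, at some false-positive cost, and `'*%TEMP%*'` only helps if the logged command line still carries the unexpanded variable. The same list mixes `\` and `\\` escaping and wraps values in `*` although `|contains` already does that; both forms compile, but the `'C:\\Windows\\...'` entries should use the same escaping as the rest so the emitted patterns are predictable across backends. Coverage-wise the legacy `netsh firewall set allowedprogram ... ENABLE` also whitelists a program and passes neither `selection1` nor `selection2`; adding `- 'firewall set allowedprogram'` as a third `contains|all` selection closes that gap. Two wording fixes for the header: `title: Netsh Program Allowed with Suspicious Location` and `description: Detects netsh commands that allow an application in a suspicious location through the Windows Firewall`. The tags are inherited from the parent rule, but opening the host firewall for a program is firewall tampering rather than proxying, so `attack.defense_evasion` fits better than `attack.t1090`, with the technique id picked per the ATT&CK version the repo tracks.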
From: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Mon, 25 May 2020 10:02:13 +0200
Subject: [PATCH 2/3] Add Windows Server 2008 and Windows Vista support
It did not support the command `netsh advfirewall firewall add`
---
 rules/windows/process_creation/win_netsh_fw_add.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index 7657dd25f..1184ebc34 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
@@ -1,4 +1,4 @@
-title: Netsh
+title: Netsh Port or Application Allowed
 id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
 description: Allow Incoming Connections by Port or Application on Windows Firewall
 references:
@@ -10,14 +10,17 @@ tags:
 - attack.command_and_control
 - attack.t1090
 status: experimental
-author: Markus Neis
+author: Markus Neis, Sander Wiebing
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
 CommandLine:
- - '*netsh firewall add*'
+ - '*netsh*'
+ CommandLine:
+ - '*firewall add*'
+ - '*advfirewall firewall add*'
 condition: selection
 falsepositives:
 - Legitimate administration
From 6fcf3f9ebf3ae66ee9bb7853f823dfe11f62d2c1 Mon Sep 17 00:00:00 2001
From: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Mon, 25 May 2020 10:13:26 +0200
Subject: [PATCH 3/3] Update win_netsh_fw_add.yml
---
 rules/windows/process_creation/win_netsh_fw_add.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index 1184ebc34..59c3361fc 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
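Review bot: The second `CommandLine:` added under `selection` duplicates a key in the same mapping; YAML loaders either reject the document or keep only the last value, so as committed the `'*netsh*'` requirement is silently dropped and the rule fires on any command line containing `firewall add`, whatever the process. PATCH 3/3 on this page repairs the structure, so the two commits should be squashed rather than leaving a revision in history whose rule does not load. `'*advfirewall firewall add*'` is also a strict superset of `'*firewall add*'` under wildcard matching and contributes nothing to the match.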
@@ -15,13 +15,13 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection1:
 CommandLine:
 - '*netsh*'
+ selection2:
 CommandLine:
 - '*firewall add*'
- - '*advfirewall firewall add*'
- condition: selection
+ condition: selection1 and selection2
 falsepositives:
 - Legitimate administration
 level: medium
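Review bot: `condition: selection1 and selection2` matches every command line containing both `netsh` and `firewall add`, which includes `netsh advfirewall firewall add rule ... action=block`, so the rule fires on firewall hardening as well as on the allow rules its title `Netsh Port or Application Allowed` and its description name. Gate the match on the allow forms: `action=allow` for the advfirewall syntax and the legacy `add allowedprogram` / `add portopening` subcommands, which carry no `action=` keyword, as sketched below. Style-wise the `'*netsh*'` and `'*firewall add*'` wildcard lists can collapse into a single `CommandLine|contains|all:` selection, which is how `win_netsh_fw_add_susp_image.yml` in PATCH 1/3 expresses the same requirement and avoids in-value `*`.
```yaml
detection:
  # … unchanged: selection1 and selection2 …
  allow:
    CommandLine|contains:
      - 'action=allow'
      - 'allowedprogram'
      - 'portopening'
  condition: selection1 and selection2 and allow
```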