From db137c48556707e5a77cfb0893b6bd3737395b84 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 14 Aug 2022 19:16:58 +0200
Subject: [PATCH 1/3] Add proc_creation_win_netsh_fw_delete

---
 .../proc_creation_win_netsh_fw_delete.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml

diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
new file mode 100644
index 000000000..147befbbd
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
@@ -0,0 +1,24 @@
+title: Netsh Port or Application Delete
+id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
+status: experimental
+description: Detect removing Port or Application on Windows Firewall
+author: frack113
+references:
+ - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
+date: 2022/08/14
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'firewall'
+ - 'delete'
+ condition: selection
+falsepositives:
+ - Legitimate administration
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004

From bd3502148f5de25e3a386555ba39bdbd78c93ede Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 14 Aug 2022 20:22:25 +0200
Subject: [PATCH 2/3] Filter dropbax

---
 .../process_creation/proc_creation_win_netsh_fw_delete.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
index 147befbbd..30367c3d2 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
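Review bot: The selection only recognises the binary by `Image|endswith: '\netsh.exe'` and the deletion by the literal substrings `firewall` and `delete` in CommandLine, so a renamed copy of netsh.exe is missed outright, and a deletion fed to netsh from a script (`netsh -f <file>` / `netsh exec`) never puts those words on the command line at all; netsh's acceptance of abbreviated sub-commands (e.g. `del` for `delete`, which I have not re-verified here) would also slip past the literal. Matching the binary by path OR original file name, as sibling process_creation rules do, closes the rename gap cheaply, and the script-file gap is worth a comment in the rule since no command-line rule can cover it. Keep the substring pair as it is (the legacy `netsh firewall delete ...` and the `advfirewall firewall delete rule` forms are both caught), but note that a rule name containing the word "delete" in an `add rule` command will also fire.
```yaml
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'firewall'
            - 'delete'
    # Not covered: deletions issued via 'netsh -f <script>' / 'netsh exec', which carry no 'delete' on the command line.
    condition: selection_img and selection_cli
# … unchanged: falsepositives, level, tags …
```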
@@ -15,7 +15,10 @@ detection:
 CommandLine|contains|all:
 - 'firewall'
 - 'delete'
- condition: selection
+ filter_dropbox:
+ ParentImage|endswith: '\Dropbox.exe'
+ CommandLine|contains: 'name=Dropbox'
+ condition: selection and not filter_dropbox
 falsepositives:
 - Legitimate administration
 level: medium

From 643f77aafff553b70defe3647fb1fae55761675a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 15 Aug 2022 11:38:50 +0200
Subject: [PATCH 3/3] Update proc_creation_win_netsh_fw_delete.yml

---
 .../process_creation/proc_creation_win_netsh_fw_delete.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
index 30367c3d2..745649667 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
@@ -1,7 +1,7 @@
-title: Netsh Port or Application Delete
+title: Netsh Firewall Rule Deletion
 id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
 status: experimental
-description: Detect removing Port or Application on Windows Firewall
+description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
 author: frack113
 references:
 - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
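Review bot: Both attributes that `filter_dropbox` relies on — the parent's file name (`ParentImage|endswith: '\Dropbox.exe'`) and the `name=Dropbox` substring in CommandLine — are chosen by whoever launches the process, so an attacker who runs the deletion from a binary named Dropbox.exe and names the rule "Dropbox" is silently excluded from an otherwise medium-severity detection. The exclusion should additionally pin the parent to the client's install location (e.g. `ParentImage|contains: '\Dropbox\Client\'`, to be confirmed against real telemetry before committing to that path), and `CommandLine|contains: 'name=Dropbox'` is better anchored to the exact rule name, since the current substring also excludes `name=DropboxWhatever`. Either way the bypass deserves a line in `falsepositives` or a comment above the filter, e.g. `# Excludes the Dropbox client cleaning up its own rule; parent name and rule name are attacker-controllable, so keep the path constraint.` The `detection:` map this hunk edits begins before the hunk.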