← Back to Explore
sigmamediumHunting
Netsh Allow Group Policy on Microsoft Defender Firewall
Adversaries may modify system firewalls in order to bypass controls limiting network usage
Detection Query
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe
selection_cli:
CommandLine|contains|all:
- advfirewall
- firewall
- set
- rule
- group=
- new
- enable=Yes
condition: all of selection_*
Author
frack113
Created
2022-01-09
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
Tags
attack.defense-evasionattack.t1562.004
Raw Content
title: Netsh Allow Group Policy on Microsoft Defender Firewall
id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
status: test
description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
author: frack113
date: 2022-01-09
modified: 2023-02-14
tags:
- attack.defense-evasion
- attack.t1562.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'advfirewall'
- 'firewall'
- 'set'
- 'rule'
- 'group='
- 'new'
- 'enable=Yes'
condition: all of selection_*
falsepositives:
- Legitimate administration activity
level: medium