Sigma | Level: high | Hunting
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
Detection Query
selection:
    EventID:
        - 2004
        - 2071
        - 2097
    ApplicationPath|contains:
        - ':\PerfLogs\'
        - ':\Temp\'
        - ':\Tmp\'
        - ':\Users\Public\'
        - ':\Windows\Tasks\'
        - ':\Windows\Temp\'
        - '\AppData\Local\Temp\'
filter_main_block:
    Action: 2
condition: selection and not 1 of filter_main_*
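To show how the selection, the `filter_main_block` exclusion and the `condition` combine, here is an added example (not code from the Sigma project or from the rule author) that evaluates the rule's logic in Python over a few constructed `firewall-as` events. The field names and the path fragments are taken from the rule; the sample application paths and the non-block `Action` value `3` are assumptions made for the illustration.

```python
# Added example: evaluate this Sigma rule's logic against constructed
# Windows Firewall (firewall-as) events. Not the rule author's code.

SUSPICIOUS_EVENT_IDS = {2004, 2071, 2097}  # rule added to the exception list
SUSPICIOUS_PATH_FRAGMENTS = [
    ":\\PerfLogs\\", ":\\Temp\\", ":\\Tmp\\", ":\\Users\\Public\\",
    ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\", "\\AppData\\Local\\Temp\\",
]
ACTION_BLOCK = 2  # filter_main_block: Action 2 = Block, so blocking rules never alert


def _as_int(value):
    """Log pipelines sometimes deliver numeric fields as strings; normalise."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def matches_rule(event: dict) -> bool:
    """True when `selection and not 1 of filter_main_*` holds for this event."""
    # Sigma string matching is case-insensitive by default, so lower-case both sides.
    path = str(event.get("ApplicationPath", "")).lower()
    selection = (
        _as_int(event.get("EventID")) in SUSPICIOUS_EVENT_IDS
        and any(frag.lower() in path for frag in SUSPICIOUS_PATH_FRAGMENTS)
    )
    filter_main_block = _as_int(event.get("Action")) == ACTION_BLOCK
    return selection and not filter_main_block


# Constructed sample events (assumed values; Action 3 stands in for a non-block rule).
SAMPLE_EVENTS = [
    {"EventID": 2004, "ApplicationPath": r"C:\Users\Public\updater.exe", "Action": 3},
    {"EventID": 2004, "ApplicationPath": r"C:\Users\Public\updater.exe", "Action": 2},
    {"EventID": "2071", "ApplicationPath": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "Action": "3"},
    {"EventID": 2004, "ApplicationPath": r"C:\Program Files\Vendor\app.exe", "Action": 3},
    {"EventID": 2006, "ApplicationPath": r"C:\Windows\Temp\x.exe", "Action": 3},
]


def alerting_events(events=SAMPLE_EVENTS):
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerting_events():
        print("ALERT", e["EventID"], e["ApplicationPath"])
```

Only the first and third sample events alert: the second is excluded because it is a block rule, the fourth sits outside the listed paths, and the fifth is not one of the "rule added" event IDs.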
Author
frack113
Created
2023-02-26
Data Sources
windows / firewall-as
Platforms
windows
References
Tags
attack.defense-evasion
attack.t1562.004
Raw Content
title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
related:
    - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
      type: derived
status: test
description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
    - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
author: frack113
date: 2023-02-26
modified: 2024-05-10
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
        ApplicationPath|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    filter_main_block:
        Action: 2 # Block
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high