sigma | high | Hunting

Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE

Detects execution of netsh.exe that adds a Windows Firewall allow entry (either the legacy "firewall add allowedprogram" syntax or "advfirewall firewall add rule ... action=allow program=...") for a program located in a directory commonly abused by malware, such as Temp, the Recycle Bin, Public, Downloads or other writable system folders.

MITRE ATT&CK

Defense Evasion: T1562.004 (Impair Defenses: Disable or Modify System Firewall)

Detection Query

selection_img:
  - Image|endswith: \netsh.exe
  - OriginalFileName: netsh.exe
selection_cli:
  - CommandLine|contains|all:
      - firewall
      - add
      - allowedprogram
  - CommandLine|contains|all:
      - advfirewall
      - firewall
      - add
      - rule
      - action=allow
      - program=
selection_paths:
  CommandLine|contains:
    - :\$Recycle.bin\
    - :\RECYCLER.BIN\
    - :\RECYCLERS.BIN\
    - :\SystemVolumeInformation\
    - :\Temp\
    - :\Users\Default\
    - :\Users\Desktop\
    - :\Users\Public\
    - :\Windows\addins\
    - :\Windows\cursors\
    - :\Windows\debug\
    - :\Windows\drivers\
    - :\Windows\fonts\
    - :\Windows\help\
    - :\Windows\system32\tasks\
    - :\Windows\Tasks\
    - :\Windows\Temp\
    - \Downloads\
    - \Local Settings\Temporary Internet Files\
    - \Temporary Internet Files\Content.Outlook\
    - "%Public%\\"
    - "%TEMP%"
    - "%TMP%"
condition: all of selection_*
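To show what the three selections above actually do when applied to events, here is the rule's logic re-implemented in plain Python and run over a handful of constructed Sysmon-style process-creation events. This is an added example, not part of the SigmaHQ rule or the Sigma tooling; the field names (Image, OriginalFileName, CommandLine) follow the Sigma process_creation convention, and every event, path and program name in SAMPLE_EVENTS is made up for the example.

```python
"""Re-implementation of the Sigma rule above (added example, not part of the
SigmaHQ rule or the Sigma tooling), run over constructed process-creation
events. Field names follow the Sigma process_creation convention as produced
by Sysmon Event ID 1 (Image, OriginalFileName, CommandLine); every event below
is constructed for this example, not taken from a real host.
"""

# selection_paths: directories the rule treats as suspicious for an allowed
# program. Sigma |contains is case-insensitive, so everything is compared
# lower-cased.
SUSPICIOUS_PATHS = [
    ":\\$Recycle.bin\\", ":\\RECYCLER.BIN\\", ":\\RECYCLERS.BIN\\",
    ":\\SystemVolumeInformation\\", ":\\Temp\\", ":\\Users\\Default\\",
    ":\\Users\\Desktop\\", ":\\Users\\Public\\", ":\\Windows\\addins\\",
    ":\\Windows\\cursors\\", ":\\Windows\\debug\\", ":\\Windows\\drivers\\",
    ":\\Windows\\fonts\\", ":\\Windows\\help\\", ":\\Windows\\system32\\tasks\\",
    ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\", "\\Downloads\\",
    "\\Local Settings\\Temporary Internet Files\\",
    "\\Temporary Internet Files\\Content.Outlook\\",
    "%Public%\\", "%TEMP%", "%TMP%",
]

# selection_cli: the two netsh syntaxes that add an allow entry.
LEGACY_TOKENS = ("firewall", "add", "allowedprogram")  # deprecated "netsh firewall" context
ADVFW_TOKENS = ("advfirewall", "firewall", "add", "rule", "action=allow", "program=")


def selection_img(event):
    """Image|endswith '\\netsh.exe' OR OriginalFileName 'netsh.exe'.
    The OriginalFileName branch (PE version resource, logged by Sysmon)
    still fires when netsh.exe has been copied under another name."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\netsh.exe") or original == "netsh.exe"


def selection_cli(cmdline):
    """Either group of CommandLine|contains|all tokens (plain substring match)."""
    return all(t in cmdline for t in LEGACY_TOKENS) or all(t in cmdline for t in ADVFW_TOKENS)


def selection_paths(cmdline):
    """CommandLine|contains any of the suspicious path fragments."""
    return any(p.lower() in cmdline for p in SUSPICIOUS_PATHS)


def matches(event):
    """condition: all of selection_*"""
    cmdline = event.get("CommandLine", "").lower()
    return selection_img(event) and selection_cli(cmdline) and selection_paths(cmdline)


SAMPLE_EVENTS = [  # constructed for this example
    {"id": "adv_public",
     "Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\\Users\\Public\\updater.exe" enable=yes'},
    {"id": "legacy_wintemp",
     "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram C:\\Windows\\Temp\\svc.exe "Service Host" ENABLE'},
    {"id": "renamed_binary",  # netsh.exe copied to n.exe: only OriginalFileName gives it away
     "Image": "C:\\Users\\Public\\n.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'n.exe advfirewall firewall add rule name="svc" dir=in action=allow program="%TEMP%\\svc.exe"'},
    {"id": "benign_programfiles",  # allow rule, but the program sits in a normal install location
     "Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Chrome" dir=in action=allow program="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"'},
    {"id": "delete_rule",  # same suspicious path, but no "add" / "action=allow" tokens
     "Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall delete rule name="Updater" program="C:\\Users\\Public\\updater.exe"'},
    {"id": "other_image",  # same text on the command line, but the process is not netsh
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c echo netsh advfirewall firewall add rule name=x action=allow program=C:\\Users\\Public\\x.exe'},
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(("ALERT " if matches(e) else "ok    ") + e["id"])
```

Running it fires on adv_public, legacy_wintemp and renamed_binary only. Two things worth keeping in mind when tuning: the Sigma "contains" modifier is a substring test, so a short token like "add" can be satisfied by unrelated text elsewhere on the command line; and the "%TEMP%", "%TMP%" and "%Public%" entries only match when the variable name survives into the logged command line, which happens when the caller does not go through cmd.exe expansion (Windows Firewall accepts environment variables in program paths), so a fully expanded path still has to be caught by one of the literal directory fragments.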

Author

Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Created

2020-05-25

Data Sources

windows - Process Creation Events

Platforms

windows

Tags

attack.defense-evasion, attack.t1562.004
Raw Content
title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
status: test
description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
references:
    - https://www.virusradar.com/en/Win32_Kasidet.AD/description
    - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2020-05-25
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        - CommandLine|contains|all:
              - 'firewall'
              - 'add'
              - 'allowedprogram'
        - CommandLine|contains|all:
              - 'advfirewall'
              - 'firewall'
              - 'add'
              - 'rule'
              - 'action=allow'
              - 'program='
    selection_paths:
        CommandLine|contains:
            - ':\$Recycle.bin\'
            - ':\RECYCLER.BIN\'
            - ':\RECYCLERS.BIN\'
            - ':\SystemVolumeInformation\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Desktop\'
            - ':\Users\Public\'
            - ':\Windows\addins\'
            - ':\Windows\cursors\'
            - ':\Windows\debug\'
            - ':\Windows\drivers\'
            - ':\Windows\fonts\'
            - ':\Windows\help\'
            - ':\Windows\system32\tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\Downloads\'
            - '\Local Settings\Temporary Internet Files\'
            - '\Temporary Internet Files\Content.Outlook\'
            - '%Public%\'
            - '%TEMP%'
            - '%TMP%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high