New Firewall Rule Added Via Netsh.EXE

title: New Firewall Rule Added Via Netsh.EXE
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
status: test
description: Detects the addition of a new rule to the Windows firewall via netsh
references:
    - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
author: Markus Neis, Sander Wiebing
date: 2019-01-29
modified: 2023-02-10
tags:
    - attack.defense-evasion
    - attack.t1562.004
    - attack.s0246
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' firewall '
            - ' add '
    filter_optional_dropbox:
        CommandLine|contains:
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations
level: medium