New Blocking Firewall Rule For Critical Service/Application Added In Windows Firewall Exception List

Rule Info

Name
New Blocking Firewall Rule For Critical Service/Application Added In Windows Firewall Exception List
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the addition of a new "Block" firewall rule targeting critical services and application paths and binaries. An attacker can leverage PowerShell cmdlets such as "New-NetFirewallRule", or directly use WMI CIM classes such as "MSFT_NetFirewallRule", to add block rules targeting security services and applications in order to stop communication between them and their management console.
Date
2024-07-09 00:00:00
Modified
None
Id
062c0a82-ef00-4a65-9c81-1d5a9856222c
Tags
attack.defense-evasion attack.t1562.004
Type
Nextron Sigma feed only (private)

Rule History