Rule Info
Name
New Blocking Firewall Rule For Critical Service/Application Added In Windows Firewall Exception List - Reg
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the addition of a new "Block" firewall rule targeting critical services and application paths and binaries.
An attacker can leverage PowerShell cmdlets such as "New-NetFirewallRule", or directly use WMI CIM classes such as "MSFT_NetFirewallRule", to add block rules targeting security services and applications in order to stop communication between them and their management console.
Date
2024-07-09 00:00:00
Modified
None
Id
3a6bf22f-f6de-4bb9-999f-f223a0830b83
Tags
attack.defense-evasion attack.t1112
Type
Nextron Sigma feed only (private)