Windows Firewall Global Outbound Block Via Netsh.EXE

Rule Info

Name
Windows Firewall Global Outbound Block Via Netsh.EXE
Author
X_Junior
Description
Detects use of netsh advfirewall to add firewall rules that block all remote IP addresses (0.0.0.0-255.255.255.255), a technique commonly used for defense evasion to isolate a system or suppress network-based security controls.
Reference
https://www.huntress.com/blog/esxi-vm-escape-exploit
Date
2026-01-12 00:00:00
Modified
None
Id
57d9657d-fed2-4ba8-924c-264330088436
Tags
attack.defense-evasion
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022