Rule Info
Name
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Description
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
Date
2024-05-10 00:00:00
Modified
None
Id
eca81e8d-09e1-4d04-8614-c91f44fd0519
Tags
attack.defense-evasion attack.t1562.004
Type
Community Rule