New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE

Rule Info

Name: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Description: Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
Date: 2024-05-10 00:00:00
Modified: None
Id: eca81e8d-09e1-4d04-8614-c91f44fd0519
Tags: attack.defense_evasion attack.t1562.004 DEMO
Type: Community Rule

Rule History

Author: frack113
Title: Merge PR #4843 from @frack113 - Add `New-NetFirewallRule` usage related rules
Date: 2024-05-10
Commit: