Merge PR SigmaHQ#4843 from @frack113 - Add New-NetFirewallRule usag…

…e related rules new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths --------- Co-authored-by: nasbench <[email protected]>
FilipPwn · May 10, 2024 · 392e3a3 · 392e3a3
1 parent 7cdcb76
commit 392e3a3
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 4 deletions.
diff --git a/...threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml b/...threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
@@ -0,0 +1,29 @@
+title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
+id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
+related:
+    - id: 51483085-0cba-46a8-837e-4416496d6971
+      type: similar
+status: experimental
+description: |
+    Detects when a powershell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113
+date: 2024/05/10
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
+    - detection.threat_hunting
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        ScriptBlockText|contains: 'New-NetFirewallRule*-Action*Allow'
+    condition: selection
+falsepositives:
+    - Administrator script
+level: low
diff --git a/...nting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml b/...nting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml
@@ -0,0 +1,35 @@
+title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
+id: 51483085-0cba-46a8-837e-4416496d6971
+related:
+    - id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
+      type: similar
+status: experimental
+description: |
+    Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113
+date: 2024/05/03
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_name:
+        - Image|endswith:
+              - '\powershell.exe'
+              - '\pwsh.exe'
+              - '\powershell_ise.exe'
+        - OriginalFileName:
+              - 'PowerShell.EXE'
+              - 'pwsh.dll'
+    selection_args:
+        CommandLine|contains|all:
+            - 'New-NetFirewallRule '
+            - ' -Action '
+            - 'allow'
+    condition: all of selection_*
+falsepositives:
+    - Administrator script
+level: low
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
@@ -6,7 +6,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2023/09/09
+modified: 2024/05/10
 tags:
     - attack.defense_evasion
     - attack.t1562.004
@@ -18,8 +18,9 @@ detection:
         EventID:
             - 2004 # A rule has been added to the Windows Defender Firewall exception list
             - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+            - 2097
     filter_main_block:
-        Action: 2
+        Action: 2 # Block
     filter_main_generic:
         ApplicationPath|contains:
             - ':\Program Files (x86)\'
@@ -36,6 +37,7 @@ detection:
         ApplicationPath|contains:
             - ':\PerfLogs\'
             - ':\Temp\'
+            - ':\Tmp\'
             - ':\Users\Public\'
             - ':\Windows\Tasks\'
             - ':\Windows\Temp\'

diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
@@ -10,7 +10,7 @@ references:
     - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
 author: frack113
 date: 2023/02/26
-modified: 2024/01/22
+modified: 2024/05/10
 tags:
     - attack.defense_evasion
     - attack.t1562.004
@@ -22,15 +22,17 @@ detection:
         EventID:
             - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
             - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+            - 2097
         ApplicationPath|contains:
             - ':\PerfLogs\'
             - ':\Temp\'
+            - ':\Tmp\'
             - ':\Users\Public\'
             - ':\Windows\Tasks\'
             - ':\Windows\Temp\'
             - '\AppData\Local\Temp\'
     filter_main_block:
-        Action: 2
+        Action: 2 # Block
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown

diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
@@ -0,0 +1,30 @@
+title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
+id: eca81e8d-09e1-4d04-8614-c91f44fd0519
+status: experimental
+description: |
+    Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
+    This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
+    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
+    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2024/05/10
+tags:
+    - attack.defense_evasion
+    - attack.t1562.004
+logsource:
+    product: windows
+    service: firewall-as
+detection:
+    selection:
+        EventID:
+            - 2004 # A rule has been added to the Windows Defender Firewall exception list
+            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
+            - 2097
+        Action: 3 # Allow
+        ModifyingApplication|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
+    condition: selection
+falsepositives:
+    - Administrator scripts or activity.
+level: medium