Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\netsh.exe" OR ORIGINALFILENAME = "netsh.exe") AND ((COMMANDLINE contains "firewall" AND COMMANDLINE contains "add" AND COMMANDLINE contains "allowedprogram") OR (COMMANDLINE contains "advfirewall" AND COMMANDLINE contains "firewall" AND COMMANDLINE contains "add" AND COMMANDLINE contains "rule" AND COMMANDLINE contains "action=allow" AND COMMANDLINE contains "program=")) AND COMMANDLINE contains ":\$Recycle.bin\,:\RECYCLER.BIN\,:\RECYCLERS.BIN\,:\SystemVolumeInformation\,:\Temp\,:\Users\Default\,:\Users\Desktop\,:\Users\Public\,:\Windows\addins\,:\Windows\cursors\,:\Windows\debug\,:\Windows\drivers\,:\Windows\fonts\,:\Windows\help\,:\Windows\system32\tasks\,:\Windows\Tasks\,:\Windows\Temp\,\Downloads\,\Local Settings\Temporary Internet Files\,\Temporary Internet Files\Content.Outlook\,%Public%\,%TEMP%,%TMP%" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
