Sigma rules for CVE-2022-43516
10 rules · scoped to cve · back to CVE-2022-43516
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
related:
- id: cde0a575-7d3d-4a49-9817-b8004a7bf105
type: derived
status: test
description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
- https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
author: frack113
date: 2023-02-26
modified: 2024-05-10
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
- 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
- 2097
ApplicationPath|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
filter_main_block:
Action: 2 # Block
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: All Rules Have Been Deleted From The Windows Firewall Configuration
id: 79609c82-a488-426e-abcf-9f341a39365d
status: test
description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-17
modified: 2024-01-22
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
- 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
filter_main_svchost:
ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
filter_optional_msmpeng:
ModifyingApplication|contains|all:
- ':\ProgramData\Microsoft\Windows Defender\Platform\'
- '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: high
title: Windows Firewall Profile Disabled
id: 488b44e7-3781-4a71-888d-c95abfacf44d
related:
- id: 12f6b752-042d-483e-bf9c-915a6d06ad75
type: similar
status: test
description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
references:
- https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps
- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
- http://woshub.com/manage-windows-firewall-powershell/
- https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-30
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_args:
ScriptBlockText|contains|all:
- 'Set-NetFirewallProfile '
- ' -Enabled '
- ' False'
selection_opt:
ScriptBlockText|contains:
- ' -All '
- 'Public'
- 'Domain'
- 'Private'
condition: all of selection*
falsepositives:
- Unknown
level: medium
title: UAC Bypass via Windows Firewall Snap-In Hijack
id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
status: test
description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
references:
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\mmc.exe'
ParentCommandLine|contains: 'WF.msc'
filter:
Image|endswith: '\WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
title: Windows Firewall Disabled via PowerShell
id: 12f6b752-042d-483e-bf9c-915a6d06ad75
related:
- id: 488b44e7-3781-4a71-888d-c95abfacf44d
type: similar
status: test
description: Detects attempts to disable the Windows Firewall using PowerShell
references:
- https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-14
modified: 2023-02-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_name:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_args:
CommandLine|contains|all:
- 'Set-NetFirewallProfile '
- ' -Enabled '
- ' False'
selection_opt:
CommandLine|contains:
- ' -All '
- 'Public'
- 'Domain'
- 'Private'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Uncommon New Firewall Rule Added In Windows Firewall Exception List
id: cde0a575-7d3d-4a49-9817-b8004a7bf105
status: test
description: Detects when a rule has been added to the Windows Firewall exception list
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2025-10-08
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2004 # A rule has been added to the Windows Defender Firewall exception list
- 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
- 2097
filter_main_block:
Action: 2 # Block
filter_main_generic:
ApplicationPath|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
filter_main_covered_paths:
# This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
ApplicationPath|contains:
- 'C:\PerfLogs\'
- 'C:\Temp\'
- 'C:\Tmp\'
- 'C:\Users\Public\'
- 'C:\Windows\Tasks\'
- 'C:\Windows\Temp\'
- '\AppData\Local\Temp\'
filter_main_system_dllhost:
ApplicationPath: 'System'
ModifyingApplication: 'C:\Windows\System32\dllhost.exe'
filter_main_tiworker:
ModifyingApplication|startswith: 'C:\Windows\WinSxS\'
ModifyingApplication|endswith: '\TiWorker.exe'
filter_main_null:
ApplicationPath: null
filter_optional_no_path:
# This filter filters a lot of FPs related to Windows Services
ModifyingApplication:
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\dllhost.exe'
ApplicationPath: ''
filter_optional_msmpeng:
- ModifyingApplication|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
ModifyingApplication|endswith: '\MsMpEng.exe'
- ApplicationPath|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
ApplicationPath|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: medium
title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
id: eca81e8d-09e1-4d04-8614-c91f44fd0519
status: test
description: |
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
- https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
- https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-10
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2004 # A rule has been added to the Windows Defender Firewall exception list
- 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
- 2097
Action: 3 # Allow
ModifyingApplication|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
condition: selection
falsepositives:
- Administrator scripts or activity.
level: medium
title: A Rule Has Been Deleted From The Windows Firewall Exception List
id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
status: test
description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2024-08-29
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2006 # A rule has been deleted in the Windows Defender Firewall exception list
- 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)
filter_main_generic:
ModifyingApplication|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\WinSxS\'
filter_main_svchost:
ModifyingApplication: 'C:\Windows\System32\svchost.exe'
filter_optional_msmpeng:
ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ModifyingApplication|endswith: '\MsMpEng.exe'
filter_main_null:
ModifyingApplication: null
filter_main_empty:
ModifyingApplication: ''
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: medium
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
status: test
description: Detect set EnableFirewall to 0 to disable the Windows firewall
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Unknown
level: medium
title: Windows Firewall Settings Have Been Changed
id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
status: test
description: Detects activity when the settings of the Windows firewall have been changed
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-19
modified: 2023-04-21
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2002 # A Windows Defender Firewall setting has changed.
- 2083 # A Windows Defender Firewall setting has changed. (Windows 11)
- 2003 # A Windows Firewall setting in the profile has changed
- 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)
- 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied
# - 2010 # Network profile changed on an interface.
condition: selection
level: low