
Sigma detection rules

29 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems. Each rule below converts to native query syntax for Splunk, Elastic, Sentinel and other SIEMs. Each rule's raw YAML follows its summary.

Detection rules

All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when all rules have been deleted from the Windows Defender Firewall configuration (events 2033 and 2059), excluding deletions made by svchost.exe or Defender's MsMpEng.exe.
level: high · status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: 79609c82-a488-426e-abcf-9f341a39365d
Sigma YAML:
title: All Rules Have Been Deleted From The Windows Firewall Configuration
id: 79609c82-a488-426e-abcf-9f341a39365d
status: test
description: Detects when all rules have been deleted from the Windows Defender Firewall configuration
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-17
modified: 2024-01-22
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
            - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
    filter_main_svchost:
        ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
    filter_optional_msmpeng:
        ModifyingApplication|contains|all:
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: high
Disable System Firewall
Detects disabling of system firewalls, which could be used by adversaries to bypass controls that limit usage of the network.
level: high · status: test · author: Pawel Mazur · id: 53059bc0-1472-438b-956a-7508a94a91f0
Sigma YAML:
title: Disable System Firewall
id: 53059bc0-1472-438b-956a-7508a94a91f0
status: test
description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
    - https://firewalld.org/documentation/man-pages/firewall-cmd.html
author: 'Pawel Mazur'
date: 2022-01-22
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SERVICE_STOP'
        unit:
            - 'firewalld'
            - 'iptables'
            - 'ufw'
    condition: selection
falsepositives:
    - Admin activity
level: high
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
level: high · status: test · author: frack113 · id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
Sigma YAML:
title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
related:
    - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
      type: derived
status: test
description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
    - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
author: frack113
date: 2023-02-26
modified: 2024-05-10
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
        ApplicationPath|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    filter_main_block:
        Action: 2 # Block
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
RDP Connection Allowed Via Netsh.EXE
Detects netsh being used to open TCP port 3389 (RDP) in the Windows Firewall, with either the legacy 'netsh firewall add portopening' or the 'netsh advfirewall firewall add rule ... action=allow' syntax, as used by the Sarwent malware.
level: high · status: test · author: Sander Wiebing · id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
Sigma YAML:
title: RDP Connection Allowed Via Netsh.EXE
id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
status: test
description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
references:
    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
author: Sander Wiebing
date: 2020-05-23
modified: 2023-12-11
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        # Example:
        #   Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
        #   New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
        CommandLine|contains|all:
            - 'firewall '
            - 'add '
            - 'tcp '
            - '3389'
        CommandLine|contains:
            - 'portopening'
            - 'allow'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: high
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Detects netsh adding a Windows Firewall allow rule (legacy 'allowedprogram' or 'advfirewall firewall add rule ... action=allow program=') for a program located in a suspicious directory such as Temp, Users\Public, the Recycle Bin, Windows\Tasks or Downloads.
level: high · status: test · author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community · id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
Sigma YAML:
title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
status: test
description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
references:
    - https://www.virusradar.com/en/Win32_Kasidet.AD/description
    - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2020-05-25
modified: 2023-12-11
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        - CommandLine|contains|all:
              - 'firewall'
              - 'add'
              - 'allowedprogram'
        - CommandLine|contains|all:
              - 'advfirewall'
              - 'firewall'
              - 'add'
              - 'rule'
              - 'action=allow'
              - 'program='
    selection_paths:
        CommandLine|contains:
            - ':\$Recycle.bin\'
            - ':\RECYCLER.BIN\'
            - ':\RECYCLERS.BIN\'
            - ':\SystemVolumeInformation\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Desktop\'
            - ':\Users\Public\'
            - ':\Windows\addins\'
            - ':\Windows\cursors\'
            - ':\Windows\debug\'
            - ':\Windows\drivers\'
            - ':\Windows\fonts\'
            - ':\Windows\help\'
            - ':\Windows\system32\tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\Downloads\'
            - '\Local Settings\Temporary Internet Files\'
            - '\Temporary Internet Files\Content.Outlook\'
            - '%Public%\'
            - '%TEMP%'
            - '%TMP%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
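How the two netsh rules above (01aeb693, RDP Connection Allowed Via Netsh.EXE, and a35f5a72, Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE) evaluate on process-creation telemetry, as an added example that is not code from this page or from the SigmaHQ project. The field names (Image, OriginalFileName, CommandLine) follow the Sysmon-style process_creation schema Sigma assumes; the events are constructed, and the suspicious-path list is a subset of the rule's. Two things the YAML alone does not make obvious: the OriginalFileName alternative in selection_img still matches a renamed copy of netsh.exe, because that string comes from the PE version resource rather than the file name; and Sigma contains matching is case-insensitive but keeps whitespace literally, so the 'tcp ' token in the RDP rule requires a trailing space and a command that ends with protocol=tcp is not matched.

```python
# Constructed process_creation events (not real telemetry). Field names follow
# the Sysmon/Sigma process_creation schema: Image, OriginalFileName, CommandLine.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh firewall add portopening TCP 3389 "Open Port 3389"'},
    # Renamed copy of netsh.exe: Image no longer ends with \netsh.exe, OriginalFileName still does.
    {"Image": "C:\\Users\\Public\\n.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'n.exe advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389'},
    # Same intent, argument order changed so that 'tcp' is the last token (no trailing space).
    {"Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=rdp dir=in action=allow localport=3389 protocol=tcp"},
    {"Image": "C:\\Windows\\System32\\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\\Users\\Public\\updater.exe" enable=yes'},
    # Not netsh at all: the command line merely mentions it.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c echo netsh firewall add portopening TCP 3389 "Open Port 3389"'},
]


def contains_all(haystack: str, *needles: str) -> bool:
    """Sigma 'contains|all': every literal present, case-insensitive, whitespace significant."""
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def contains_any(haystack: str, *needles: str) -> bool:
    """Sigma 'contains' with a list of values: any literal present."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def is_netsh(event: dict) -> bool:
    """selection_img: Image ends with netsh.exe OR OriginalFileName equals netsh.exe."""
    return (event.get("Image", "").lower().endswith("\\netsh.exe")
            or event.get("OriginalFileName", "").lower() == "netsh.exe")


def rdp_allowed_via_netsh(event: dict) -> bool:
    """Rule 01aeb693: all of selection_img, selection_cli."""
    cmd = event["CommandLine"]
    return (is_netsh(event)
            and contains_all(cmd, "firewall ", "add ", "tcp ", "3389")
            and contains_any(cmd, "portopening", "allow"))


# Subset of the rule's selection_paths list, enough for the constructed events.
SUSPICIOUS_PATHS = [":\\Temp\\", ":\\Users\\Public\\", ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\",
                    "\\Downloads\\", "%TEMP%", "%TMP%"]


def suspicious_program_allowed_via_netsh(event: dict) -> bool:
    """Rule a35f5a72: all of selection_img, selection_cli (either syntax), selection_paths."""
    cmd = event["CommandLine"]
    cli = (contains_all(cmd, "firewall", "add", "allowedprogram")
           or contains_all(cmd, "advfirewall", "firewall", "add", "rule", "action=allow", "program="))
    return is_netsh(event) and cli and contains_any(cmd, *SUSPICIOUS_PATHS)


def evaluate_netsh_events(events: list[dict]) -> list[list[str]]:
    """Per event, the names of the rules that fire."""
    checks = {"rdp_allowed": rdp_allowed_via_netsh,
              "suspicious_program": suspicious_program_allowed_via_netsh}
    return [[name for name, fn in checks.items() if fn(e)] for e in events]


if __name__ == "__main__":
    for event, hits in zip(EVENTS, evaluate_netsh_events(EVENTS)):
        print(hits, "<-", event["CommandLine"])
```

The third event is the one to note when tuning: it opens the same port as the second but returns no hit, because 'tcp ' is not a substring of a command line that ends in protocol=tcp. If that matters in your environment, match on 'protocol=tcp' and 'localport=3389' as separate tokens rather than relying on the trailing space.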
A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rule or all rules have been deleted from the Windows Defender Firewall exception list (events 2006 and 2052), excluding deletions made by svchost.exe, Defender's MsMpEng.exe, programs under Program Files or WinSxS, and events with no ModifyingApplication.
level: medium · status: test · author: frack113 · id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
Sigma YAML:
title: A Rule Has Been Deleted From The Windows Firewall Exception List
id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
status: test
description: Detects when a single rule or all rules have been deleted from the Windows Defender Firewall
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2024-08-29
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2006 # A rule has been deleted in the Windows Defender Firewall exception list
            - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)
    filter_main_generic:
        ModifyingApplication|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\WinSxS\'
    filter_main_svchost:
        ModifyingApplication: 'C:\Windows\System32\svchost.exe'
    filter_optional_msmpeng:
        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ModifyingApplication|endswith: '\MsMpEng.exe'
    filter_main_null:
        ModifyingApplication: null
    filter_main_empty:
        ModifyingApplication: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: medium
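How the condition line of this rule and of the first rule on this page (79609c82, All Rules Have Been Deleted From The Windows Firewall Configuration) is evaluated, as an added example that is not code from this page or from the SigmaHQ project: a small Python matcher for the Sigma constructs the two rules use (value lists, endswith, startswith, contains|all, exact match, null and empty string), run over constructed Windows Firewall events. The event IDs and filter values are copied from the two rules; the ModifyingApplication values in the sample events are invented. It shows what `selection and not 1 of filter_main_* and not 1 of filter_optional_*` does in practice, and that rule c187c075's null and empty-string filters suppress events where the field is absent, which rule 79609c82 does not do. The `filter_optional_` prefix is the SigmaHQ convention for tuning filters a deployer may drop, here the Defender engine exclusion.

```python
from typing import Any

# Constructed sample events (not real logs). Field names follow the Sigma
# 'windows/firewall-as' logsource after field mapping; the paths are invented.
EVENTS = [
    {"EventID": 2033, "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 2033, "ModifyingApplication": "C:\\Users\\Public\\reset.exe"},
    {"EventID": 2006, "ModifyingApplication": "C:\\Program Files\\Contoso\\setup.exe"},
    {"EventID": 2006},                       # field absent: Sigma 'null'
    {"EventID": 2052, "ModifyingApplication": "C:\\Users\\Public\\reset.exe"},
    {"EventID": 2059, "ModifyingApplication":
        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25010.1-0\\MsMpEng.exe"},
]

# Detection blocks transcribed from the two rules; both share the same condition.
RULES = {
    "all_rules_deleted": {                   # 79609c82
        "selection": {"EventID": [2033, 2059]},
        "filter_main_svchost": {"ModifyingApplication|endswith": ":\\Windows\\System32\\svchost.exe"},
        "filter_optional_msmpeng": {"ModifyingApplication|contains|all": [
            ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\", "\\MsMpEng.exe"]},
    },
    "rule_deleted": {                        # c187c075
        "selection": {"EventID": [2006, 2052]},
        "filter_main_generic": {"ModifyingApplication|startswith": [
            "C:\\Program Files (x86)\\", "C:\\Program Files\\", "C:\\Windows\\WinSxS\\"]},
        "filter_main_svchost": {"ModifyingApplication": "C:\\Windows\\System32\\svchost.exe"},
        "filter_optional_msmpeng": {
            "ModifyingApplication|startswith": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
            "ModifyingApplication|endswith": "\\MsMpEng.exe"},
        "filter_main_null": {"ModifyingApplication": None},
        "filter_main_empty": {"ModifyingApplication": ""},
    },
}


def _match_value(value: Any, pattern: Any, mods: list[str]) -> bool:
    """One Sigma value comparison; string matching is case-insensitive."""
    if pattern is None:                      # Sigma 'null': field absent or null
        return value is None
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if "endswith" in mods:
        return v.endswith(p)
    if "startswith" in mods:
        return v.startswith(p)
    if "contains" in mods:
        return p in v
    return v == p


def field_matches(event: dict, key: str, pattern: Any) -> bool:
    """'Field|mod...': a list of values is OR unless the 'all' modifier is present."""
    field, *mods = key.split("|")
    value = event.get(field)
    patterns = pattern if isinstance(pattern, list) else [pattern]
    combine = all if "all" in mods else any
    return combine(_match_value(value, p, mods) for p in patterns)


def block_matches(event: dict, block: dict) -> bool:
    """A selection or filter map is an AND over its fields."""
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_fires(event: dict, rule: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    hits = {name: block_matches(event, block) for name, block in rule.items()}

    def one_of(prefix: str) -> bool:
        return any(hit for name, hit in hits.items() if name.startswith(prefix))

    return hits["selection"] and not one_of("filter_main_") and not one_of("filter_optional_")


def run_rules(events: list[dict], rules: dict = RULES) -> dict[str, list[int]]:
    """Per rule, the indices of the events that alert."""
    return {name: [i for i, e in enumerate(events) if rule_fires(e, rule)]
            for name, rule in rules.items()}


if __name__ == "__main__":
    print(run_rules(EVENTS))                 # {'all_rules_deleted': [1], 'rule_deleted': [4]}
```

Only the two deletions performed by the invented reset.exe under Users\Public alert; the svchost.exe, MsMpEng.exe and Program Files events are filtered, and the 2006 event with no ModifyingApplication is dropped by filter_main_null. When porting this to a SIEM, check how the backend represents a missing field, since `null` in Sigma must map to "field absent" and not to the literal string "null".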
Azure Firewall Modified or Deleted
Identifies when an Azure Firewall is created, modified, or deleted.
level: medium · status: test · author: Austin Songer @austinsonger · id: 512cf937-ea9b-4332-939c-4c2c94baadcd
Sigma YAML:
title: Azure Firewall Modified or Deleted
id: 512cf937-ea9b-4332-939c-4c2c94baadcd
status: test
description: Identifies when a firewall is created, modified, or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
            - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE
    condition: selection
falsepositives:
    - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Azure Firewall Rule Collection Modified or Deleted
Identifies when an Azure Firewall rule collection (Application, NAT or Network) is modified or deleted.
level: medium · status: test · author: Austin Songer @austinsonger · id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
Sigma YAML:
title: Azure Firewall Rule Collection Modified or Deleted
id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
status: test
description: Identifies when Rule Collections (Application, NAT, and Network) are modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
            - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
            - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
            - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE
            - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE
            - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE
    condition: selection
falsepositives:
    - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Azure Network Firewall Policy Modified or Deleted
Identifies when an Azure Firewall Policy is modified or deleted.
level: medium · status: test · author: Austin Songer @austinsonger · id: 83c17918-746e-4bd9-920b-8e098bf88c23
Sigma YAML:
title: Azure Network Firewall Policy Modified or Deleted
id: 83c17918-746e-4bd9-920b-8e098bf88c23
status: test
description: Identifies when a Firewall Policy is Modified or Deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-09-02
modified: 2022-08-23
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
            - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
            - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
            - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE
    condition: selection
falsepositives:
    - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Bpfdoor TCP Ports Redirect
Detects the iptables NAT redirect used by BPFDoor: all TCP traffic from the attacker's host to a given port is redirected to a different local port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH to TCP port 22 but, for the attacker's host only, is delivered to the backdoor's shell port once it hits the iptables rule.
level: medium · status: test · author: Rafal Piasecki · id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
Sigma YAML:
title: Bpfdoor TCP Ports Redirect
id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
status: test
description: |
    All TCP traffic on a particular port from the attacker's host is redirected to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'
    The traffic looks like encrypted SSH communication going to TCP port 22, but is in fact directed to the shell port once it hits the iptables rule, for the attacker's host only.
references:
    - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
    - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
author: Rafal Piasecki
date: 2022-08-10
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: auditd
detection:
    cmd:
        type: 'EXECVE'
        a0|endswith: 'iptables'
        a1: '-t'
        a2: 'nat'
    keywords:
        - '--to-ports 42'
        - '--to-ports 43'
    condition: cmd and keywords
falsepositives:
    - Legitimate ports redirect
level: medium
Disable Microsoft Defender Firewall via Registry
Detects the EnableFirewall value under the per-profile FirewallPolicy keys (DomainProfile, PublicProfile, StandardProfile) being set to 0, which disables the Microsoft Defender Firewall for that profile; adversaries do this to bypass controls limiting network usage.
level: medium · status: test · author: frack113 · id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
Sigma YAML:
title: Disable Microsoft Defender Firewall via Registry
id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
status: test
description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
author: frack113
date: 2022-01-09
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
        TargetObject|contains: '\Services\SharedAccess\Parameters\FirewallPolicy\'
        TargetObject|endswith: '\EnableFirewall'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Microsoft Defender Firewall via Registry
      technique: T1562.004
      atomic_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
Disable Windows Firewall by Registry
Detects the EnableFirewall value under the Group Policy keys SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile and \DomainProfile being set to 0, which disables the Windows Firewall for that profile.
level: medium · status: test · author: frack113 · id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
Sigma YAML:
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
status: test
description: Detects EnableFirewall being set to 0 to disable the Windows firewall
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
            - \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Unknown
level: medium
Disabling Security Tools
Detects commands that stop or disable security tooling on Linux: iptables/ip6tables and firewalld via service, chkconfig or systemctl, the Carbon Black cbdaemon and CrowdStrike falcon-sensor services, and SELinux being set to permissive with setenforce 0.
level: medium · status: test · author: Ömer Günal, Alejandro Ortuno, oscd.community · id: e3a8a052-111f-4606-9aee-f28ebeb76776
Sigma YAML:
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: test
description: Detects disabling security tools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    category: process_creation
    product: linux
detection:
    selection_iptables_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
            - 'iptables'
            - 'stop'
    selection_iptables_2:
        Image|endswith: '/service'
        CommandLine|contains|all:
            - 'ip6tables'
            - 'stop'
    selection_iptables_3:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
            - 'iptables'
            - 'stop'
    selection_iptables_4:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
            - 'ip6tables'
            - 'stop'
    selection_firewall_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'firewalld'
            - 'stop'
    selection_firewall_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'firewalld'
            - 'disable'
    selection_carbonblack_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'stop'
    selection_carbonblack_2:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'off'
    selection_carbonblack_3:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'stop'
    selection_carbonblack_4:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'disable'
    selection_selinux:
        Image|endswith: '/setenforce'
        CommandLine|contains: '0'
    selection_crowdstrike_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'stop'
            - 'falcon-sensor'
    selection_crowdstrike_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'disable'
            - 'falcon-sensor'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: medium
Disabling Security Tools - Builtin
Detects syslog messages showing security tooling being stopped (iptables, ip6tables, firewalld, cbdaemon, falcon-sensor); the syslog counterpart of the process_creation rule above.
level: medium · status: test · author: Ömer Günal, Alejandro Ortuno, oscd.community · id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
Sigma YAML:
title: Disabling Security Tools - Builtin
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
related:
    - id: e3a8a052-111f-4606-9aee-f28ebeb76776
      type: derived
status: test
description: Detects disabling security tools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-11-26
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: syslog
detection:
    keywords:
        - 'stopping iptables'
        - 'stopping ip6tables'
        - 'stopping firewalld'
        - 'stopping cbdaemon'
        - 'stopping falcon-sensor'
    condition: keywords
falsepositives:
    - Legitimate administration activities
level: medium
Firewall Disabled via Netsh.EXE
Detects netsh commands that turn off the Windows firewall ('netsh firewall set opmode disable' or 'netsh advfirewall set <profile> state off').
level: medium · status: test · author: Fatih Sirin · id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
Sigma YAML:
title: Firewall Disabled via Netsh.EXE
id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
status: test
description: Detects netsh commands that turn off the Windows firewall
references:
    - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
    - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
author: Fatih Sirin
date: 2019-11-01
modified: 2023-02-13
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - attack.s0108
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli_1:
        # Example: netsh firewall set opmode disable
        CommandLine|contains|all:
            - 'firewall'
            - 'set'
            - 'opmode'
            - 'disable'
    selection_cli_2:
        # Example: netsh advfirewall set currentprofile state off
        CommandLine|contains|all:
            - 'advfirewall'
            - 'set'
            - 'state'
            - 'off'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate administration activity
level: medium
Firewall Rule Deleted Via Netsh.EXE
Detects the removal of a port or application rule from the Windows Firewall configuration using netsh.
level: medium · status: test · author: frack113 · id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
Sigma YAML:
title: Firewall Rule Deleted Via Netsh.EXE
id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
status: test
description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
references:
    - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
author: frack113
date: 2022-08-14
modified: 2025-10-07
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'firewall'
            - 'delete '
    filter_optional_dropbox:
        ParentImage|endswith: '\Dropbox.exe'
        CommandLine|contains: 'name=Dropbox'
    filter_optional_avast:
        ParentImage|endswith: '\instup.exe'
        CommandLine|contains: 'advfirewall firewall delete rule name="Avast Antivirus Admin Client"'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations and removal
level: medium
Flush Iptables Ufw Chain
Detects iptables/ip6tables invocations that flush (-F), zero (-Z) or delete (-X) ufw chains, which removes the firewall rules and allows all network traffic. Note that the condition requires one of the ufw chain names (ufw-logging-deny, ufw-logging-allow, ufw6-logging-deny, ufw6-logging-allow) in the command line, so a bare 'iptables -F' does not match this rule.
level: medium · status: test · author: Joseliyo Sanchez, @Joseliyo_Jstnk · id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
Sigma YAML:
title: Flush Iptables Ufw Chain
id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
status: test
description: Detects use of iptables to flush all firewall rules, tables and chains, allowing all network traffic
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '/iptables'
            - '/xtables-legacy-multi'
            - '/iptables-legacy-multi'
            - '/ip6tables'
            - '/ip6tables-legacy-multi'
    selection_params:
        CommandLine|contains:
            - '-F'
            - '-Z'
            - '-X'
    selection_ufw:
        CommandLine|contains:
            - 'ufw-logging-deny'
            - 'ufw-logging-allow'
            - 'ufw6-logging-deny'
            - 'ufw6-logging-allow'
            # - 'ufw-reject-output'
            # - 'ufw-track-inputt'
    condition: all of selection_*
falsepositives:
    - Network administrators
level: medium
Modify System Firewall
Detects the removal of system firewall rules. Adversaries may delete or modify only a specific firewall rule to bypass controls limiting network usage or access; detection rules that match only on the disabling of firewalls will miss this.
level: medium · status: test · author: IAI · id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
Sigma YAML:
title: Modify System Firewall
id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
related:
    - id: 53059bc0-1472-438b-956a-7508a94a91f0
      type: similar
status: test
description: |
    Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
    Detection rules that match only on the disabling of firewalls will miss this.
references:
    - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
    - https://blog.aquasec.com/container-security-tnt-container-attack
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking
author: IAI
date: 2023-03-06
modified: 2025-10-12
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'EXECVE'
        a0: 'iptables'
        a1|contains: 'DROP'
    selection2:
        type: 'EXECVE'
        a0: 'firewall-cmd'
        a1|contains: 'remove'
    selection3:
        type: 'EXECVE'
        a0: 'ufw'
        a1|contains: 'delete'
    selection4:
        type: 'EXECVE'
        a0: 'nft'
        a1|contains:
            - 'delete'
            - 'flush'
    condition: 1 of selection*
falsepositives:
    - Legitimate admin activity
level: medium
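The three auditd-based rules on this page (53059bc0, Disable System Firewall; 70b4156e, Bpfdoor TCP Ports Redirect; and 323ff3f5, Modify System Firewall, directly above) all match on fields of raw audit records, so the useful check is to parse a few records and run the selections over them. The following is an added example, not code from this page or from the SigmaHQ project; the audit lines are constructed (timestamps, pids and hosts invented) but follow the SERVICE_STOP and EXECVE record layouts, and the three match functions transcribe the rules' selections. Two caveats it makes visible: rule 323ff3f5 compares a0 exactly, so an invocation by full path such as /usr/sbin/iptables does not satisfy its first selection, whereas the BPFDoor rule uses endswith; and the BPFDoor keyword '--to-ports 42' spans two arguments, which in a raw EXECVE record are separate aN fields, so it only matches where the pipeline reconstructs the command line (the code does that by joining argv; keyword_in_raw_record shows the raw-line result).

```python
import re

# Constructed auditd records (not from a real host); timestamps, pids and addresses are invented.
SAMPLE_LINES = [
    "type=SERVICE_STOP msg=audit(1700000000.101:301): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "msg='unit=firewalld comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "type=EXECVE msg=audit(1700000000.202:302): argc=15 a0=\"/sbin/iptables\" a1=\"-t\" a2=\"nat\" a3=\"-A\" "
    "a4=\"PREROUTING\" a5=\"-p\" a6=\"tcp\" a7=\"-s\" a8=\"192.168.1.1\" a9=\"--dport\" a10=\"22\" a11=\"-j\" "
    "a12=\"REDIRECT\" a13=\"--to-ports\" a14=\"42392\"",
    "type=EXECVE msg=audit(1700000000.303:303): argc=4 a0=\"ufw\" a1=\"delete\" a2=\"allow\" a3=\"22/tcp\"",
    "type=EXECVE msg=audit(1700000000.404:304): argc=3 a0=\"nft\" a1=\"flush\" a2=\"ruleset\"",
    "type=EXECVE msg=audit(1700000000.505:305): argc=4 a0=\"/usr/sbin/iptables\" a1=\"-P\" a2=\"INPUT\" a3=\"DROP\"",
]

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit(line: str) -> dict:
    """Flatten one audit record into key/value pairs, hoisting the nested msg='...' body
    so that fields such as unit= become top-level keys."""
    nested = re.search(r"msg='(.*)'\s*$", line)
    if nested:
        line = line[:nested.start()] + nested.group(1)
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def argv(ev: dict) -> list[str]:
    """Reconstruct the argument vector from argc and a0..aN."""
    return [ev.get(f"a{i}", "") for i in range(int(ev.get("argc", 0)))]


def _lc(ev: dict, key: str) -> str:
    return ev.get(key, "").lower()          # Sigma string matching is case-insensitive


def disable_system_firewall(ev: dict) -> bool:
    """Rule 53059bc0: SERVICE_STOP for the firewalld, iptables or ufw unit."""
    return ev.get("type") == "SERVICE_STOP" and _lc(ev, "unit") in {"firewalld", "iptables", "ufw"}


def modify_system_firewall(ev: dict) -> bool:
    """Rule 323ff3f5: 1 of selection1..4. a0 is an exact match, a1 a substring match."""
    if ev.get("type") != "EXECVE":
        return False
    a0, a1 = _lc(ev, "a0"), _lc(ev, "a1")
    return ((a0 == "iptables" and "drop" in a1)
            or (a0 == "firewall-cmd" and "remove" in a1)
            or (a0 == "ufw" and "delete" in a1)
            or (a0 == "nft" and ("delete" in a1 or "flush" in a1)))


def bpfdoor_tcp_redirect(ev: dict) -> bool:
    """Rule 70b4156e: cmd (a0 endswith iptables, a1 -t, a2 nat) and keywords on the joined argv."""
    if ev.get("type") != "EXECVE" or not _lc(ev, "a0").endswith("iptables"):
        return False
    if _lc(ev, "a1") != "-t" or _lc(ev, "a2") != "nat":
        return False
    cmdline = " ".join(argv(ev)).lower()
    return "--to-ports 42" in cmdline or "--to-ports 43" in cmdline


def keyword_in_raw_record(line: str) -> bool:
    """The same keyword tested against the raw record, as a plain keyword search would do."""
    low = line.lower()
    return "--to-ports 42" in low or "--to-ports 43" in low


def evaluate_audit_lines(lines: list[str]) -> dict[str, list[int]]:
    """Per rule, the indices of the records that alert."""
    checks = {"disable_system_firewall": disable_system_firewall,
              "modify_system_firewall": modify_system_firewall,
              "bpfdoor_tcp_redirect": bpfdoor_tcp_redirect}
    events = [parse_audit(line) for line in lines]
    return {name: [i for i, ev in enumerate(events) if fn(ev)] for name, fn in checks.items()}


if __name__ == "__main__":
    print(evaluate_audit_lines(SAMPLE_LINES))
    print("keyword on raw redirect record:", keyword_in_raw_record(SAMPLE_LINES[1]))
```

The last record ('/usr/sbin/iptables -P INPUT DROP') alerts on nothing: rule 323ff3f5's first selection needs a0 to be exactly iptables and a1 to contain DROP, and neither holds. Before deploying these rules, confirm whether your collector (auditbeat, auditd-to-syslog, an EDR) delivers a0..aN as separate fields or a joined command line, and adjust the a0 comparison and the keyword block accordingly.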
Netsh Allow Group Policy on Microsoft Defender Firewall
Detects netsh enabling a predefined rule group in the Microsoft Defender Firewall ('netsh advfirewall firewall set rule group="..." new enable=Yes'), the technique the referenced Atomic test uses to allow SMB and RDP through the firewall.
level: medium · status: test · author: frack113 · id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
Sigma YAML:
title: Netsh Allow Group Policy on Microsoft Defender Firewall
id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
status: test
description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
author: frack113
date: 2022-01-09
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'advfirewall'
            - 'firewall'
            - 'set'
            - 'rule'
            - 'group='
            - 'new'
            - 'enable=Yes'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: medium
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
level: medium · status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: eca81e8d-09e1-4d04-8614-c91f44fd0519
Sigma YAML:
title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
id: eca81e8d-09e1-4d04-8614-c91f44fd0519
status: test
description: |
    Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
    This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-10
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
        Action: 3 # Allow
        ModifyingApplication|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
    condition: selection
falsepositives:
    - Administrator scripts or activity.
level: medium
medium
New Firewall Rule Added Via Netsh.EXE
Detects the addition of a new rule to the Windows firewall via netsh
status: test · author: Markus Neis, Sander Wiebing · id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
title: New Firewall Rule Added Via Netsh.EXE
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
status: test
description: Detects the addition of a new rule to the Windows firewall via netsh
references:
    - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
author: Markus Neis, Sander Wiebing
date: 2019-01-29
modified: 2023-02-10
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - attack.s0246
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' firewall '
            - ' add '
    filter_optional_dropbox:
        CommandLine|contains:
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations
level: medium
medium
New Network Route Added
Detects the addition of a new network route to a route table in AWS.
status: test · author: jamesc-grafana · id: c803b2ce-c4a2-4836-beae-b112010390b1
title: New Network Route Added
id: c803b2ce-c4a2-4836-beae-b112010390b1
status: test
description: |
    Detects the addition of a new network route to a route table in AWS.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateRoute'
    condition: selection
falsepositives:
    - New VPC Creation requiring setup of a new route table
    - New subnets added requiring routing setup
level: medium
medium
Ufw Force Stop Using Ufw-Init
Detects attempts to force stop the ufw using ufw-init
status: test · author: Joseliyo Sanchez, @Joseliyo_Jstnk · id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
title: Ufw Force Stop Using Ufw-Init
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: test
description: Detects attempts to force stop the ufw using ufw-init
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    category: process_creation
detection:
    selection_init:
        CommandLine|contains|all:
            - '-ufw-init'
            - 'force-stop'
    selection_ufw:
        CommandLine|contains|all:
            - 'ufw'
            - 'disable'
    condition: 1 of selection_*
falsepositives:
    - Network administrators
level: medium
medium
Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
status: test · author: frack113 · id: cde0a575-7d3d-4a49-9817-b8004a7bf105
title: Uncommon New Firewall Rule Added In Windows Firewall Exception List
id: cde0a575-7d3d-4a49-9817-b8004a7bf105
status: test
description: Detects when a rule has been added to the Windows Firewall exception list
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2025-10-08
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
    filter_main_block:
        Action: 2 # Block
    filter_main_generic:
        ApplicationPath|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_main_covered_paths:
        # This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
        ApplicationPath|contains:
            - 'C:\PerfLogs\'
            - 'C:\Temp\'
            - 'C:\Tmp\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Tasks\'
            - 'C:\Windows\Temp\'
            - '\AppData\Local\Temp\'
    filter_main_system_dllhost:
        ApplicationPath: 'System'
        ModifyingApplication: 'C:\Windows\System32\dllhost.exe'
    filter_main_tiworker:
        ModifyingApplication|startswith: 'C:\Windows\WinSxS\'
        ModifyingApplication|endswith: '\TiWorker.exe'
    filter_main_null:
        ApplicationPath: null
    filter_optional_no_path:
        # This filter filters a lot of FPs related to Windows Services
        ModifyingApplication:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\dllhost.exe'
        ApplicationPath: ''
    filter_optional_msmpeng:
        - ModifyingApplication|startswith:
              - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
              - 'C:\Program Files\Windows Defender\'
          ModifyingApplication|endswith: '\MsMpEng.exe'
        - ApplicationPath|startswith:
              - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
              - 'C:\Program Files\Windows Defender\'
          ApplicationPath|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: medium
medium
Windows Firewall Profile Disabled
Detects when a user disables the Windows Firewall via a Profile to help evade defense.
status: test · author: Austin Songer @austinsonger · id: 488b44e7-3781-4a71-888d-c95abfacf44d
title: Windows Firewall Profile Disabled
id: 488b44e7-3781-4a71-888d-c95abfacf44d
related:
    - id: 12f6b752-042d-483e-bf9c-915a6d06ad75
      type: similar
status: test
description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
references:
    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps
    - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
    - https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
    - http://woshub.com/manage-windows-firewall-powershell/
    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-30
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_args:
        ScriptBlockText|contains|all:
            - 'Set-NetFirewallProfile '
            - ' -Enabled '
            - ' False'
    selection_opt:
        ScriptBlockText|contains:
            - ' -All '
            - 'Public'
            - 'Domain'
            - 'Private'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
low
New Network ACL Entry Added
Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
status: test · author: jamesc-grafana · id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
title: New Network ACL Entry Added
id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
status: test
description: |
    Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateNetworkAclEntry'
    condition: selection
falsepositives:
    - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC
level: low
low
The Windows Defender Firewall Service Failed To Load Group Policy
Detects activity when the Windows Defender Firewall service failed to load Group Policy
status: test · author: frack113 · id: 7ec15688-fd24-4177-ba43-1a950537ee39
title: The Windows Defender Firewall Service Failed To Load Group Policy
id: 7ec15688-fd24-4177-ba43-1a950537ee39
status: test
description: Detects activity when the Windows Defender Firewall service failed to load Group Policy
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-01-17
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy
    condition: selection
level: low
low
Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration
status: test · author: frack113 · id: 04b60639-39c0-412a-9fbe-e82499c881a3
title: Windows Defender Firewall Has Been Reset To Its Default Configuration
id: 04b60639-39c0-412a-9fbe-e82499c881a3
status: test
description: Detects activity when Windows Defender Firewall has been reset to its default configuration
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2032 # Windows Defender Firewall has been reset to its default configuration
            - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)
    condition: selection
level: low
low
Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
title: Windows Firewall Settings Have Been Changed
id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
status: test
description: Detects activity when the settings of the Windows firewall have been changed
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2002 # A Windows Defender Firewall setting has changed.
            - 2083 # A Windows Defender Firewall setting has changed. (Windows 11)
            - 2003 # A Windows Firewall setting in the profile has changed
            - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)
            - 2008  # Windows Firewall Group Policy settings have changed. The new settings have been applied
            # - 2010  # Network profile changed on an interface.
    condition: selection
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin