Detection rules › Splunk
Windows Firewall Rule Creation (Windows Event Log)
Windows has several utility used to interact with networking components on local or remote systems. This use case looks for firewall rules added with netsh or New-NetFirewallRule
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562.004 Impair Defenses: Disable or Modify System Firewall |
References
- https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf
- https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)?redirectedfrom=MSDN
- https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '8328.10396'
title: Windows Firewall Rule Creation
description: 'Windows has several utility used to interact with networking components
on local or remote systems. This use case looks for firewall rules added with netsh
or New-NetFirewallRule. -- Threat Actor Association: APT29/Nobelium/Cozy Bear, APT35/Phosphorus/Magic
Hound, BlackCat, Magnat, TA428, Volt Typhoon -- Software Association: BianLian,
BlackByte, Black Basta, Insekt, Lockbit, Trigona -- Atomics T1021.001 Test #3 Atomics
T1021.001 Test #4 Atomics T1562.004 Test#4'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process) ((TERM(netsh) OR "netsh.exe") TERM(add) TERM(rule))
OR "New-NetFirewallRule" | table _time, host, user, signature_id, process, process_*,
parent_process_* | bin span=1s | stats values(*) as * by _time, host '
techniques:
- defense-evasion:impair defenses:disable or modify system firewall
technique_id:
- T1562.004
data_category:
- Windows event logs
- Process command-line parameters
references:
- https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf
- https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)?redirectedfrom=MSDN
- https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) ((TERM(netsh) OR "netsh.exe") TERM(add) TERM(rule)) OR "New-NetFirewallRule"
Stage 2: table
| table _time, host, user, signature_id, process, process_*, parent_process_*
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | TERM |
| 1 | netsh |
| 1 | "netsh.exe" |
| 1 | TERM |
| 1 | add |
| 1 | TERM |
| 1 | rule |
| 1 | "New-NetFirewallRule" |