
Netsh Allow Group Policy on Microsoft Defender Firewall

Sigma Rules

Summary
This detection rule identifies potential abuse of the Netsh utility to enable rule groups in the Microsoft Defender Firewall. Adversaries may use `netsh advfirewall firewall set rule` to switch on an entire predefined group of inbound rules at once, circumventing restrictions and opening the host to unauthorized network access. The rule monitors process creation events for the execution of netsh.exe with command line arguments that enable firewall rule groups, specifically those for SMB (File and Printer Sharing) and RDP (Remote Desktop), which are commonly abused for lateral movement and remote access. Legitimate instances are routine administrative actions that require changes to firewall settings, so false positives are expected from administrators and deployment scripts; baseline the user, parent process, and host before treating a hit as malicious.
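The following is an added example, not code from the rule or from the Sigma project, showing the detection logic described above run over a handful of constructed process-creation records. The token set it matches on, the `netsh.exe` image filter, the SMB/RDP classification, and the `KNOWN_FIREWALL_ADMINS` allowlist are assumptions made for illustration; the rule's exact selection block is not reproduced on this page.

```python
import re

# Assumed approximation of the rule's command-line matching: every token must
# appear, case-insensitively and in any order, as Sigma's contains|all behaves.
REQUIRED_TOKENS = ("advfirewall", "firewall", "set", "rule", "group=", "new", "enable=yes")

# Hypothetical allowlist of accounts expected to change firewall settings.
# Hits from these accounts are down-ranked, not suppressed, to keep the audit trail.
KNOWN_FIREWALL_ADMINS = {r"corp\fw-deploy"}

# Captures the group name, quoted (group 1) or bare (group 2).
GROUP_RE = re.compile(r'group\s*=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed sample events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe", "User": r"CORP\svc-backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes'},
    {"Image": r"C:\Windows\System32\netsh.exe", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes'},
    # Disabling a group is not what the rule is after.
    {"Image": r"C:\Windows\System32\netsh.exe", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Remote Desktop" new enable=No'},
    # Read-only query: benign.
    {"Image": r"C:\Windows\System32\netsh.exe", "User": r"CORP\helpdesk",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    # Wrapper process whose own command line mentions netsh; the child netsh.exe
    # process, if one is spawned, produces its own event and is matched there.
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd.exe /c netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes'},
    # Adding a single rule is outside this rule's scope (no "set rule group=").
    {"Image": r"C:\Windows\System32\netsh.exe", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="App" dir=in action=allow protocol=TCP localport=8080'},
    # Expected deployment account enabling a non-SMB/RDP group.
    {"Image": r"C:\Windows\System32\netsh.exe", "User": r"CORP\fw-deploy",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes'},
]


def matches_rule(event):
    """Return True when the event satisfies the assumed selection logic."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith("\\netsh.exe"):
        return False
    return all(tok in cmd for tok in REQUIRED_TOKENS)


def extract_group(cmd):
    """Pull the rule group name out of the command line, or None if absent."""
    m = GROUP_RE.search(cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify_group(group):
    """Map a predefined firewall rule group to the service it exposes."""
    g = (group or "").lower()
    if "remote desktop" in g:
        return "RDP"
    if "file and printer sharing" in g:
        return "SMB"
    return "other"


def evaluate(events):
    """Run the detection over a list of events and return enriched alerts."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        group = extract_group(ev.get("CommandLine", ""))
        service = classify_group(group)
        if ev.get("User", "").lower() in KNOWN_FIREWALL_ADMINS:
            severity = "low"          # expected actor; still record for audit
        elif service in ("RDP", "SMB"):
            severity = "high"         # lateral-movement services opened
        else:
            severity = "medium"
        alerts.append({"User": ev.get("User"), "Parent": ev.get("ParentImage"),
                       "Group": group, "Service": service, "Severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Two points the sample set makes explicit: the `enable=No` and `add rule` events are not matched, so this rule alone does not cover an attacker who adds a single permissive rule rather than enabling a group, and the parent process and user are carried into the alert because they are what an analyst needs to separate a deployment script from hands-on-keyboard activity.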
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1562.004
Created: 2022-01-09