MATCH-S00538.md

Rules: Windows Firewall Rule Added

Description

Observes for the creation of a new Windows Firewall rule. An attacker may create new firewall rules to obfuscate activities via blocks, or to allow certain activity through the firewall.

Additional Details

| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Defense Evasion |
| Apply Risk to Entities | device_hostname, user_username |
| Signal Name | Windows Firewall Rule Added |
| Summary Expression | Windows Firewall rule created on host: {{device_hostname}} |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0005, _mitreAttackTechnique:T1562, _mitreAttackTechnique:T1562.001, _mitreAttackTechnique:T1562.004 |

Vendors and Products

Fields Used

| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | metadata_deviceEventId |
| Normalized Schema | user_username |
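To show how the Description, the Additional Details and the Fields Used fit together, here is an added illustration of this templated match over constructed normalized records; it is not the rule's own implementation or any vendor code. It assumes the rule triggers on Windows Firewall With Advanced Security event ID 2004 (rule added), which the page does not state, and the sample records are constructed.

```python
import re

# Event ID written to the Microsoft-Windows-Windows Firewall With Advanced
# Security/Firewall log when a rule is added. Using it as the trigger is an
# assumption: the page lists the field metadata_deviceEventId but not the value.
FIREWALL_RULE_ADDED_EVENT_ID = "2004"

# Values taken from the Additional Details table above.
SIGNAL_NAME = "Windows Firewall Rule Added"
SUMMARY_TEMPLATE = "Windows Firewall rule created on host: {{device_hostname}}"
RISK_ENTITY_FIELDS = ("device_hostname", "user_username")
STATIC_SEVERITY = 1
TAGS = ("_mitreAttackTactic:TA0005", "_mitreAttackTechnique:T1562",
        "_mitreAttackTechnique:T1562.001", "_mitreAttackTechnique:T1562.004")


def render_summary(template, record):
    # Substitute each {{field}} placeholder from the normalized record.
    return re.sub(r"\{\{(\w+)\}\}",
                  lambda m: str(record.get(m.group(1), "")), template)


def match_firewall_rule_added(records):
    """Return one signal per normalized record carrying the rule-added event ID."""
    signals = []
    for rec in records:
        if rec.get("metadata_deviceEventId") != FIREWALL_RULE_ADDED_EVENT_ID:
            continue
        signals.append({
            "name": SIGNAL_NAME,
            "summary": render_summary(SUMMARY_TEMPLATE, rec),
            "severity": STATIC_SEVERITY,
            # Risk is applied only to entities actually present on the record.
            "entities": {f: rec[f] for f in RISK_ENTITY_FIELDS if rec.get(f)},
            "tags": list(TAGS),
        })
    return signals


# Constructed sample records in the normalized schema (not real telemetry).
SAMPLE_RECORDS = [
    {"metadata_deviceEventId": "2004", "device_hostname": "ws-finance-07", "user_username": "jdoe"},
    {"metadata_deviceEventId": "4624", "device_hostname": "ws-finance-07", "user_username": "jdoe"},
    {"metadata_deviceEventId": "2004", "device_hostname": "srv-build-01"},  # no user attributed
]

if __name__ == "__main__":
    for signal in match_firewall_rule_added(SAMPLE_RECORDS):
        print(signal["summary"], signal["entities"])
```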