title: Netsh Port or Application Allowed
author: Markus Neis, Sander Wiebing
date: 2019/01/29
description: Allow Incoming Connections by Port or Application on Windows Firewall
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\netsh.exe'
  SELECTION_3:
    CommandLine: '*firewall*'
  SELECTION_4:
    CommandLine: '*add*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate administration
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
level: medium
logsource:
  category: process_creation
  product: windows
modified: 2020/09/01
references:
- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
status: experimental
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.004
ruletype: SIGMA