Tamper firewall by Registry

Author: frack113

rules/windows/registry/registry_set/registry_set_defender_firewall_add_execption.yml

@@ -0,0 +1,23 @@
+title: Add Exceptions to Microsoft Defender Firewall via Registry
+id: 6648f900-4a7d-47e3-bad6-952b313a1c0e
+status: experimental
+description: Adversaries may add system execptions to  system firewalls security
+references:
+    - https://www.virustotal.com/gui/file/da209017000b9812e8bc5f4e8db6499430ee2aadc72ef896964cffdfd896f143/behavior
+    - https://app.any.run/tasks/8d4113a8-5403-4367-a79f-4ce4978d9bdb
+author: frack113
+date: 2025-01-26
+tags:
+    - attack.defense-evasion
+    - attack.t1562.004
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
+        Details|contains: ':Enabled:'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/windows/registry/registry_set/registry_set_defender_firewall_tamper_donotallowexceptions.yml

@@ -0,0 +1,23 @@
+title: Enable Exceptions Microsoft Defender Firewall via Registry
+id: c69fc6a2-607d-4530-b7d1-75823af1bde4
+status: experimental
+description: Adversaries may disable system firewalls security in order to add execptions
+references:
+    - https://www.virustotal.com/gui/file/da209017000b9812e8bc5f4e8db6499430ee2aadc72ef896964cffdfd896f143/behavior
+    - https://app.any.run/tasks/8d4113a8-5403-4367-a79f-4ce4978d9bdb
+author: frack113
+date: 2025-01-26
+tags:
+    - attack.defense-evasion
+    - attack.t1562.004
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|endswith: 'System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions'
+        Details: 'DWORD (0x00000000)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium