
Tamper firewall by Registry#5172

Open
frack113 wants to merge 7 commits into SigmaHQ:master from frack113:FirewallPolicy-Registry

Conversation

@frack113 (Member)

Summary of the Pull Request

From the Sandbox, play the reg command

Changelog

new: Add Exceptions to Microsoft Defender Firewall via Registry
new: Enable Exceptions Microsoft Defender Firewall via Registry

Example Log Event

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AuroraAgent" />
    <EventID Qualifiers="0">99</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2025-01-26T18:16:33.9078461Z" />
    <EventRecordID>368</EventRecordID>
    <Correlation />
    <Execution ProcessID="3540" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Win11.lab.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Sigma rule match found: Add Exceptions to Microsoft Defender Firewall via Registry (see Details tab for more information)</Data>
    <Data>Module: Sigma</Data>
    <Data>Rule_Title: Add Exceptions to Microsoft Defender Firewall via Registry</Data>
    <Data>Rule_Author: frack113</Data>
    <Data>Rule_Description: Adversaries may add system execptions to system firewalls security</Data>
    <Data>Rule_FalsePositives: Unknown</Data>
    <Data>Rule_Id: 6648f900-4a7d-47e3-bad6-952b313a1c0e</Data>
    <Data>Rule_Level: medium</Data>
    <Data>Rule_Modified: 2025-01-26</Data>
    <Data>Rule_Path: sigma-rules\myrule2.yml</Data>
    <Data>Rule_References: https://www.virustotal.com/gui/file/da209017000b9812e8bc5f4e8db6499430ee2aadc72ef896964cffdfd896f143/behavior</Data>
    <Data>Rule_Sigtype: custom</Data>
    <Data>Computer: Win11</Data>
    <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data>
    <Data>Details: C:\Users\admin\AppData\Roaming\Java\uninstall.exe:*:Enabled:Windows Messanger</Data>
    <Data>EventID: 13</Data>
    <Data>EventType: SetValue</Data>
    <Data>Execution_ProcessID: 3572</Data>
    <Data>Execution_ThreadID: 4148</Data>
    <Data>Image: C:\WINDOWS\system32\reg.exe</Data>
    <Data>Keywords: 0x8000000000000000</Data>
    <Data>Level: 4</Data>
    <Data>Match_Strings: \System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List in TargetObject</Data>
    <Data>Opcode: 0</Data>
    <Data>ProcessGuid: {095b1fc8-7c01-6796-5b01-000000000400}</Data>
    <Data>ProcessId: 5008</Data>
    <Data>Provider_Guid: {5770385F-C22A-43E0-BF4C-06F5698FFBD9}</Data>
    <Data>Provider_Name: Microsoft-Windows-Sysmon</Data>
    <Data>RuleName: -</Data>
    <Data>Security_UserID: S-1-5-18</Data>
    <Data>TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\admin\AppData\Roaming\Java\uninstall.exe</Data>
    <Data>Task: 13</Data>
    <Data>TimeCreated_SystemTime: 2025-01-26T19:16:33.7513971+01:00</Data>
    <Data>User: LAB\admin</Data>
    <Data>UtcTime: 2025-01-26 18:16:33.749</Data>
    <Data>Version: 2</Data>
    <Data>Winversion: 26100</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AuroraAgent" />
    <EventID Qualifiers="0">99</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2025-01-26T18:12:23.1834234Z" />
    <EventRecordID>366</EventRecordID>
    <Correlation />
    <Execution ProcessID="3540" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Win11.lab.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Sigma rule match found: Enable Exceptions Microsoft Defender Firewall via Registry (see Details tab for more information)</Data>
    <Data>Module: Sigma</Data>
    <Data>Rule_Title: Enable Exceptions Microsoft Defender Firewall via Registry</Data>
    <Data>Rule_Author: frack113</Data>
    <Data>Rule_Description: Adversaries may disable system firewalls security in order to add execptions</Data>
    <Data>Rule_FalsePositives: Unknown</Data>
    <Data>Rule_Id: 974515da-6cc5-4c95-ae65-f97f9150ec7f</Data>
    <Data>Rule_Level: medium</Data>
    <Data>Rule_Modified: 2025-01-26</Data>
    <Data>Rule_Path: sigma-rules\myrule.yml</Data>
    <Data>Rule_References: https://www.virustotal.com/gui/file/da209017000b9812e8bc5f4e8db6499430ee2aadc72ef896964cffdfd896f143/behavior</Data>
    <Data>Rule_Sigtype: custom</Data>
    <Data>Computer: Win11</Data>
    <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data>
    <Data>Details: DWORD (0x00000000)</Data>
    <Data>EventID: 13</Data>
    <Data>EventType: SetValue</Data>
    <Data>Execution_ProcessID: 3572</Data>
    <Data>Execution_ThreadID: 4148</Data>
    <Data>Image: C:\WINDOWS\system32\reg.exe</Data>
    <Data>Keywords: 0x8000000000000000</Data>
    <Data>Level: 4</Data>
    <Data>Match_Strings: 'DWORD (0x00000000)' in Details, System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions in TargetObject</Data>
    <Data>Opcode: 0</Data>
    <Data>ProcessGuid: {095b1fc8-7b06-6796-4a01-000000000400}</Data>
    <Data>ProcessId: 6964</Data>
    <Data>Provider_Guid: {5770385F-C22A-43E0-BF4C-06F5698FFBD9}</Data>
    <Data>Provider_Name: Microsoft-Windows-Sysmon</Data>
    <Data>RuleName: -</Data>
    <Data>Security_UserID: S-1-5-18</Data>
    <Data>TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions</Data>
    <Data>Task: 13</Data>
    <Data>TimeCreated_SystemTime: 2025-01-26T19:12:22.299387+01:00</Data>
    <Data>User: LAB\admin</Data>
    <Data>UtcTime: 2025-01-26 18:12:22.298</Data>
    <Data>Version: 2</Data>
    <Data>Winversion: 26100</Data>
  </EventData>
</Event>

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
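
The two sandbox events above show what each rule keys on: a Sysmon Event ID 13 (registry value set) whose TargetObject falls under the StandardProfile AuthorizedApplications\List key, or one that writes DoNotAllowExceptions to DWORD 0. The following is an added example, not code from the PR or the SigmaHQ project: it parses AuroraAgent-style events and applies detection logic reconstructed from the Match_Strings fields shown above (an assumption, since the rule files themselves are not on this page), including a constructed control event that writes the value to 1 and must not match.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Substrings taken from the PR's Match_Strings fields (StandardProfile only, as in
# the sandbox run; other profiles sit beside it under the FirewallPolicy key).
FW_PROFILE = r"\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
AUTH_APPS_LIST = FW_PROFILE + r"\AuthorizedApplications\List"
DO_NOT_ALLOW_EXC = FW_PROFILE + r"\DoNotAllowExceptions"
EXCEPTIONS_ON = "DWORD (0x00000000)"   # 0 = exceptions allowed again

def make_event(event_id, event_type, target, details):
    """Constructed, trimmed AuroraAgent-style event: only the <Data> fields the checks need."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>'
        f"<Data>EventID: {event_id}</Data><Data>EventType: {event_type}</Data>"
        f"<Data>TargetObject: {target}</Data><Data>Details: {details}</Data>"
        "</EventData></Event>"
    )

def parse_event_data(xml_text):
    """Turn the flat 'key: value' <Data> elements of the EventData block into a dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for data in root.findall("e:EventData/e:Data", NS):
        key, sep, value = (data.text or "").partition(": ")
        if sep:
            fields[key] = value
    return fields

def match_rules(xml_text):
    """Return the titles of the PR's two rules the event would trigger (logic
    reconstructed from the Match_Strings in the PR, not from the rule files)."""
    ev = parse_event_data(xml_text)
    hits = []
    if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
        return hits                      # both rules are Sysmon registry SetValue rules
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    if AUTH_APPS_LIST in target:
        hits.append("Add Exceptions to Microsoft Defender Firewall via Registry")
    if DO_NOT_ALLOW_EXC in target and EXCEPTIONS_ON in details:
        hits.append("Enable Exceptions Microsoft Defender Firewall via Registry")
    return hits

# Samples 1 and 2 reuse the TargetObject/Details of the PR's two sandbox events;
# sample 3 is a constructed control: the same value written to 1 (exceptions blocked).
SAMPLES = [
    make_event(13, "SetValue", "HKLM" + AUTH_APPS_LIST + r"\C:\Users\admin\AppData\Roaming\Java\uninstall.exe",
               r"C:\Users\admin\AppData\Roaming\Java\uninstall.exe:*:Enabled:Windows Messanger"),
    make_event(13, "SetValue", "HKLM" + DO_NOT_ALLOW_EXC, "DWORD (0x00000000)"),
    make_event(13, "SetValue", "HKLM" + DO_NOT_ALLOW_EXC, "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(match_rules(sample) or "no match")
```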

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Jan 26, 2025
@nasbench nasbench added this to the Sigma-December-Release milestone Oct 29, 2025
@nasbench nasbench self-assigned this Oct 29, 2025
@nasbench nasbench self-requested a review October 29, 2025 12:56
@phantinuss phantinuss force-pushed the FirewallPolicy-Registry branch from 74afaf3 to 55b26b1 November 21, 2025 10:56
@nasbench (Member)

In Review

@phantinuss phantinuss added the Review Needed The PR requires review label Nov 26, 2025
@nasbench (Member)

Pushing for next release
