False-Negative: Netsh Firewall Discovery With Full Command Path
Rule UUID
0e4164da-94bc-450d-a7be-a4b176179f1f
Example EventLog
EventCode=4688 ... Message=A new process has been created. ... Creator Subject: ... Target Subject: ... Process Information: New Process ID: 0xBEEF New Process Name: C:\Windows\System32\netsh.exe Token Elevation Type: %%1234 Mandatory Label: S-1-16-12288 Creator Process ID: 0xDEAD Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: C:\Windows\System32\netsh.exe advfirewall firewall show rule name=all verbose
Description
I discovered a false negative where suspicious traffic is able to avoid detection. The CLI parameters are too specific and don't allow for ".exe" to be at the end of the string.
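To illustrate the gap the report describes, here is an added example (not the rule's text and not part of the issue) that extracts the Process Command Line field from flattened 4688 messages and runs two matchers over it: an assumed strict matcher that expects the literal "netsh " before the sub-command, and a tolerant one that accepts a full image path with ".exe". The sample events are constructed; the first mirrors the event in the report.

```python
import re

# Constructed sample 4688 messages; the first mirrors the event in the report.
SAMPLE_EVENTS = [
    "EventCode=4688 ... Process Command Line: C:\\Windows\\System32\\netsh.exe advfirewall firewall show rule name=all verbose",
    "EventCode=4688 ... Process Command Line: netsh advfirewall firewall show rule name=all",
    "EventCode=4688 ... Process Command Line: C:\\Windows\\System32\\netsh.exe interface show interface",
]

CMDLINE_RE = re.compile(r"Process Command Line:\s*(.+?)\s*$")


def command_line(event: str) -> str:
    """Pull the Process Command Line value out of a flattened 4688 message."""
    m = CMDLINE_RE.search(event)
    return m.group(1) if m else ""


# Assumed strict pattern of the kind the report describes (not the rule's real
# text): it needs "netsh " right before the sub-command, so an image given as
# a full path ending in ".exe" never satisfies it.
STRICT_TOKENS = ("netsh advfirewall", "firewall", "show")


def strict_match(cmd: str) -> bool:
    low = cmd.lower()
    return all(tok in low for tok in STRICT_TOKENS)


# Tolerant form: treat the image as a token that may carry a directory and an
# optional ".exe", then require the discovery sub-commands as whole words.
IMAGE_RE = re.compile(r'(?:^|[\\/\s"])netsh(?:\.exe)?(?=\s|"|$)', re.IGNORECASE)
REQUIRED_WORDS = {"advfirewall", "firewall", "show"}


def tolerant_match(cmd: str) -> bool:
    if not IMAGE_RE.search(cmd):
        return False
    return REQUIRED_WORDS <= set(cmd.lower().split())


def evaluate(events):
    """Return (command line, strict verdict, tolerant verdict) per event."""
    return [(command_line(e), strict_match(command_line(e)), tolerant_match(command_line(e)))
            for e in events]


if __name__ == "__main__":
    for cmd, strict, tolerant in evaluate(SAMPLE_EVENTS):
        print(f"strict={strict!s:5} tolerant={tolerant!s:5}  {cmd}")
```

The first event (full path plus ".exe") is missed by the strict matcher and caught by the tolerant one; the unrelated "interface show" command stays unflagged by both.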
Thanks for reporting. This is indeed an issue with the rule and we'll get it fixed soon.
Closing as this issue has been addressed.