sigma
Tamper firewall by Registry
Summary of the Pull Request
From the Sandbox, play the reg command
Changelog
- new: Add Exceptions to Microsoft Defender Firewall via Registry
- new: Enable Exceptions Microsoft Defender Firewall via Registry
Example Log Event
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AuroraAgent" />
    <EventID Qualifiers="0">99</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2025-01-26T18:16:33.9078461Z" />
    <EventRecordID>368</EventRecordID>
    <Correlation />
    <Execution ProcessID="3540" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Win11.lab.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Sigma rule match found: Add Exceptions to Microsoft Defender Firewall via Registry (see Details tab for more information)</Data>
    <Data>Module: Sigma</Data>
    <Data>Rule_Title: Add Exceptions to Microsoft Defender Firewall via Registry</Data>
    <Data>Rule_Author: frack113</Data>
    <Data>Rule_Description: Adversaries may add system execptions to system firewalls security</Data>
    <Data>Rule_FalsePositives: Unknown</Data>
    <Data>Rule_Id: 6648f900-4a7d-47e3-bad6-952b313a1c0e</Data>
    <Data>Rule_Level: medium</Data>
    <Data>Rule_Modified: 2025-01-26</Data>
    <Data>Rule_Path: sigma-rules\myrule2.yml</Data>
    <Data>Rule_References: https://www.virustotal.com/gui/file/da209017000b9812e8bc5f4e8db6499430ee2aadc72ef896964cffdfd896f143/behavior</Data>
    <Data>Rule_Sigtype: custom</Data>
    <Data>Computer: Win11</Data>
    <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data>
    <Data>Details: C:\Users\admin\AppData\Roaming\Java\uninstall.exe:*:Enabled:Windows Messanger</Data>
    <Data>EventID: 13</Data>
    <Data>EventType: SetValue</Data>
    <Data>Execution_ProcessID: 3572</Data>
    <Data>Execution_ThreadID: 4148</Data>
    <Data>Image: C:\WINDOWS\system32\reg.exe</Data>
    <Data>Keywords: 0x8000000000000000</Data>
    <Data>Level: 4</Data>
    <Data>Match_Strings: \System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List in TargetObject</Data>
    <Data>Opcode: 0</Data>
    <Data>ProcessGuid: {095b1fc8-7c01-6796-5b01-000000000400}</Data>
    <Data>ProcessId: 5008</Data>
    <Data>Provider_Guid: {5770385F-C22A-43E0-BF4C-06F5698FFBD9}</Data>
    <Data>Provider_Name: Microsoft-Windows-Sysmon</Data>
    <Data>RuleName: -</Data>
    <Data>Security_UserID: S-1-5-18</Data>
    <Data>TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\admin\AppData\Roaming\Java\uninstall.exe</Data>
    <Data>Task: 13</Data>
    <Data>TimeCreated_SystemTime: 2025-01-26T19:16:33.7513971+01:00</Data>
    <Data>User: LAB\admin</Data>
    <Data>UtcTime: 2025-01-26 18:16:33.749</Data>
    <Data>Version: 2</Data>
    <Data>Winversion: 26100</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AuroraAgent" />
    <EventID Qualifiers="0">99</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2025-01-26T18:12:23.1834234Z" />
    <EventRecordID>366</EventRecordID>
    <Correlation />
    <Execution ProcessID="3540" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Win11.lab.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Sigma rule match found: Enable Exceptions Microsoft Defender Firewall via Registry (see Details tab for more information)</Data>
    <Data>Module: Sigma</Data>
    <Data>Rule_Title: Enable Exceptions Microsoft Defender Firewall via Registry</Data>
    <Data>Rule_Author: frack113</Data>
    <Data>Rule_Description: Adversaries may disable system firewalls security in order to add execptions</Data>
    <Data>Rule_FalsePositives: Unknown</Data>
    <Data>Rule_Id: 974515da-6cc5-4c95-ae65-f97f9150ec7f</Data>
    <Data>Rule_Level: medium</Data>
    <Data>Rule_Modified: 2025-01-26</Data>
    <Data>Rule_Path: sigma-rules\myrule.yml</Data>
    <Data>Rule_References: https://www.virustotal.com/gui/file/da209017000b9812e8bc5f4e8db6499430ee2aadc72ef896964cffdfd896f143/behavior</Data>
    <Data>Rule_Sigtype: custom</Data>
    <Data>Computer: Win11</Data>
    <Data>Correlation_ActivityID: {00000000-0000-0000-0000-000000000000}</Data>
    <Data>Details: DWORD (0x00000000)</Data>
    <Data>EventID: 13</Data>
    <Data>EventType: SetValue</Data>
    <Data>Execution_ProcessID: 3572</Data>
    <Data>Execution_ThreadID: 4148</Data>
    <Data>Image: C:\WINDOWS\system32\reg.exe</Data>
    <Data>Keywords: 0x8000000000000000</Data>
    <Data>Level: 4</Data>
    <Data>Match_Strings: 'DWORD (0x00000000)' in Details, System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions in TargetObject</Data>
    <Data>Opcode: 0</Data>
    <Data>ProcessGuid: {095b1fc8-7b06-6796-4a01-000000000400}</Data>
    <Data>ProcessId: 6964</Data>
    <Data>Provider_Guid: {5770385F-C22A-43E0-BF4C-06F5698FFBD9}</Data>
    <Data>Provider_Name: Microsoft-Windows-Sysmon</Data>
    <Data>RuleName: -</Data>
    <Data>Security_UserID: S-1-5-18</Data>
    <Data>TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions</Data>
    <Data>Task: 13</Data>
    <Data>TimeCreated_SystemTime: 2025-01-26T19:12:22.299387+01:00</Data>
    <Data>User: LAB\admin</Data>
    <Data>UtcTime: 2025-01-26 18:12:22.298</Data>
    <Data>Version: 2</Data>
    <Data>Winversion: 26100</Data>
  </EventData>
</Event>
```
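The two events above are Sysmon Event ID 13 (registry SetValue) records wrapped by the Aurora agent, and the `Match_Strings` fields show exactly which conditions each rule fired on. The following is an added example, not code from this PR or from SigmaHQ: it re-implements the two rule conditions in Python, replays them over constructed copies of the two events plus a third, non-matching registry write, and splits the legacy `path:scope:Enabled:Name` value of the AuthorizedApplications entry so the actual binary can be compared with the display name it was registered under. Field names, registry paths and values are taken from the events above; the third event, the record ID `9001`, and all function names are assumptions made for this example.

```python
"""Added example (not part of the SigmaHQ PR): Python versions of the two rule
conditions, evaluated against constructed AuroraAgent-wrapped Sysmon events."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Registry paths copied from the Match_Strings fields of the PR's example events.
AUTHORIZED_APPS_LIST = (r"\System\CurrentControlSet\Services\SharedAccess\Parameters"
                        r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
DO_NOT_ALLOW_EXCEPTIONS = (r"System\CurrentControlSet\Services\SharedAccess\Parameters"
                           r"\FirewallPolicy\StandardProfile\DoNotAllowExceptions")

# Constructed sample: events 368 and 366 mirror the PR's examples (trimmed to the
# fields the rules use); event 9001 is a constructed write that must NOT match.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventRecordID>368</EventRecordID></System>
  <EventData>
    <Data>EventID: 13</Data>
    <Data>EventType: SetValue</Data>
    <Data>Image: C:\WINDOWS\system32\reg.exe</Data>
    <Data>Details: C:\Users\admin\AppData\Roaming\Java\uninstall.exe:*:Enabled:Windows Messanger</Data>
    <Data>TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\admin\AppData\Roaming\Java\uninstall.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventRecordID>366</EventRecordID></System>
  <EventData>
    <Data>EventID: 13</Data>
    <Data>EventType: SetValue</Data>
    <Data>Image: C:\WINDOWS\system32\reg.exe</Data>
    <Data>Details: DWORD (0x00000000)</Data>
    <Data>TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventRecordID>9001</EventRecordID></System>
  <EventData>
    <Data>EventID: 13</Data>
    <Data>EventType: SetValue</Data>
    <Data>Image: C:\WINDOWS\system32\svchost.exe</Data>
    <Data>Details: DWORD (0x00000001)</Data>
    <Data>TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall</Data>
  </EventData>
</Event>
</Events>"""


def parse_event(ev):
    """Turn the 'Key: value' <Data> lines of one wrapped event into a dict."""
    fields = {}
    for data in ev.findall("e:EventData/e:Data", NS):
        key, sep, value = (data.text or "").partition(": ")
        if sep:
            fields[key] = value
    rec = ev.find("e:System/e:EventRecordID", NS)
    fields["EventRecordID"] = rec.text if rec is not None else ""
    return fields


def rule_add_exception(f):
    """'Add Exceptions to Microsoft Defender Firewall via Registry': a registry
    SetValue whose TargetObject lies under AuthorizedApplications\\List.
    Sigma's 'contains' is case-insensitive, so both sides are lower-cased."""
    return (f.get("EventID") == "13"
            and AUTHORIZED_APPS_LIST.lower() in f.get("TargetObject", "").lower())


def rule_enable_exceptions(f):
    """'Enable Exceptions Microsoft Defender Firewall via Registry':
    DoNotAllowExceptions written to DWORD 0, i.e. exceptions are allowed again."""
    return (f.get("EventID") == "13"
            and DO_NOT_ALLOW_EXCEPTIONS.lower() in f.get("TargetObject", "").lower()
            and f.get("Details") == "DWORD (0x00000000)")


RULES = {
    "Add Exceptions to Microsoft Defender Firewall via Registry": rule_add_exception,
    "Enable Exceptions Microsoft Defender Firewall via Registry": rule_enable_exceptions,
}


def parse_authorized_app(details):
    """Split the colon-separated 'path:scope:state:name' value seen in the event
    so the analyst can put the real binary next to its registered display name.
    The drive-letter colon makes the path span the first two pieces."""
    parts = details.split(":")
    if len(parts) < 5:
        return None
    return {"path": parts[0] + ":" + parts[1], "scope": parts[2],
            "state": parts[3], "name": ":".join(parts[4:])}


def evaluate(xml_text):
    """Return {EventRecordID: [matching rule titles]} for every event in the input."""
    hits = {}
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        f = parse_event(ev)
        hits[f["EventRecordID"]] = [title for title, rule in RULES.items() if rule(f)]
    return hits


if __name__ == "__main__":
    for rec, titles in evaluate(SAMPLE_EVENTS).items():
        print(rec, titles or "no match")
```

Running the block prints one line per record: 368 matches the first rule, 366 the second, and the constructed 9001 write (a different value under the same `FirewallPolicy` key) matches neither, which is the kind of negative case worth keeping next to a rule whose false positives are listed as `Unknown`. Note that the `Details` check for `DoNotAllowExceptions` is an exact string match on `DWORD (0x00000000)`, so a write of `0x00000001` (exceptions blocked) correctly does not fire.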
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
In Review
Pushing for next release