
access firewall settings via INetFwMgr

# capa rule: flags code that obtains an INetFwMgr COM object, i.e. a handle on the
# Windows Firewall configuration. The rule only proves the object is instantiated;
# it does not check for any follow-on call that reads or changes firewall settings,
# which is why the name says "access" even though it lives in the "modify" namespace.
# Legitimate administration and security software instantiates this interface too,
# so treat a hit as a capability to review in context, not as a verdict on its own.
rule:
  meta:
    name: access firewall settings via INetFwMgr
    namespace: host-interaction/firewall/modify
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      # all three features must occur within one function
      static: function
      dynamic: unsupported  # bytes features are not available in dynamic scope
    att&ck:
      - Discovery::Software Discovery::Security Software Discovery [T1518.001]
      - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]
    examples:
      # sample hash and the virtual address of the matching function
      - EB355BD63BDDCE02955792B4CD6539FB:0x10003927
  features:
    - and:
      # CoCreateInstance by itself is generic COM usage; the match is specific only
      # because both GUID byte patterns below must be present in the same function
      - api: ole32.CoCreateInstance
      # GUIDs as they appear in memory/on disk: Data1..Data3 little-endian, Data4 as-is.
      # These bytes read back as {304CE942-6E39-40D8-943A-B913C40C9CD4} (CLSID_NetFwMgr)
      - bytes: 42 E9 4C 30 39 6E D8 40 94 3A B9 13 C4 0C 9C D4 = CLSID_NetFwMgr
      # and {F7898AF5-CAC4-4632-A2EC-DA06E5111AF2} (IID_INetFwMgr)
      - bytes: F5 8A 89 F7 C4 CA 32 46 A2 EC DA 06 E5 11 1A F2 = IID_INetFwMgr
