title: Allow Executable Through Defender Firewall
author: keyboardcrunch
description: Detect allowance of executables within Users or Temp folders through Defender Firewall.
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Defense Evasion
   technique: T1562
   subtechnique: 002
operating_system: windows
query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
  ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp")
false_positives: 
tags: 
references: