title: Allow Executable Through Defender Firewall
author: keyboardcrunch
description: Detect allowance of executables through Defender Firewall.
date: 10/10/2020
modified: null
mitre:
   tactic: Defense Evasion
   technique: T1562
   subtechnique: 002
operating_system: windows
query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
  ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp")
false_positives: null
tags: null