mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
17 lines
540 B
YAML
17 lines
540 B
YAML
title: Allow Executable Through Defender Firewall
|
|
author: keyboardcrunch
|
|
description: Detect allowance of executables within Users or Temp folders through Defender Firewall.
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Defense Evasion
|
|
technique: T1562
|
|
subtechnique: 002
|
|
operating_system: windows
|
|
query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
|
|
ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp")
|
|
false_positives:
|
|
tags:
|
|
references:
|
|
|