Threat Feed advisory, severity: high

Windows Firewall Modification with Suspicious Process Path

This analytic detects suspicious modifications to system firewall rules to allow execution of applications from notable and potentially malicious file paths, indicating an attempt to bypass firewall restrictions for malicious code execution.

This detection focuses on identifying suspicious modifications to the Windows system firewall that involve allowing applications to execute from notable and potentially malicious file paths. The activity is detected through Endpoint Detection and Response (EDR) agents, specifically by monitoring command-line executions related to firewall rule changes. This behavior is significant because it suggests an adversary is attempting to bypass firewall restrictions to enable the execution of malicious files. The observed file paths include common locations for temporary files, fonts, and other locations where malware may attempt to hide. If successful, this can lead to unauthorized code execution, system compromise, data exfiltration, or establishing persistence within the compromised environment. The original Splunk detection was published on 2026-05-05, but this brief represents the general threat.

Attack Chain

  1. The attacker gains initial access to the system through an undisclosed method.
  2. The attacker navigates to or drops a malicious executable in a suspicious directory such as \windows\fonts\, \windows\temp\ or \users\public\.
  3. The attacker uses the netsh command to modify the Windows Firewall configuration, adding a rule that allows the malicious executable through firewall restrictions. The command line contains keywords such as firewall, add, allow and ENABLE.
  4. The firewall rule is configured to allow the malicious executable to communicate over the network, effectively bypassing any existing restrictions.
  5. The malicious executable is launched, taking advantage of the newly created firewall rule to establish outbound connections.
  6. The malware establishes command and control (C2) communication with an external server, potentially for further instructions or data exfiltration.
  7. The attacker executes malicious commands on the compromised system, potentially leading to lateral movement, data theft, or system disruption.

Impact

Successful exploitation of this technique can lead to complete system compromise, allowing attackers to execute arbitrary code, steal sensitive data, and establish a persistent presence. Depending on the malware used, the impact can range from data theft to ransomware deployment, potentially affecting the entire organization. Specific examples include scenarios where attackers install remote access trojans (RATs) like NjRAT, or ransomware such as Medusa.

Recommendation

  • Deploy the Sigma rule Detect Firewall Modification From Suspicious Path to your SIEM and tune it to your environment to detect unauthorized firewall modifications from suspicious paths.
  • Enable Sysmon Event ID 1 (Process Creation) and Windows Security Event ID 4688 to collect the necessary data for the provided Sigma rule; for 4688, also enable command-line auditing (the "Include command line in process creation events" policy), since the rule matches on command-line arguments.
  • Investigate any alerts generated by the Sigma rule Detect Firewall Modification With Netsh for suspicious netsh commands modifying the firewall.
  • Monitor endpoint logs for processes executing from suspicious directories (\windows\fonts\, \windows\temp\, \users\public\, etc.) to identify potential malware activity.
  • Implement application control policies to restrict the execution of unauthorized applications from suspicious directories.
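The detection described in the brief and the attack chain above (a netsh.exe process whose command line adds and enables an allow rule for a program under one of the notable directories) can be expressed as a small evaluator over process-creation events. The block below is an added example, not the vendor's Sigma or Splunk rule; the event field names (image, command_line) are assumptions mapped from Sysmon Event ID 1 (Image, CommandLine) or Security 4688 (NewProcessName, CommandLine), and the sample events are constructed, not real telemetry. It goes slightly beyond the text by grading findings the way the two rules in the Detection coverage section do: any netsh allow-rule addition is medium, one from a notable path is high.

```python
"""Added example (not the vendor's Sigma/Splunk rule): evaluate process-creation
events for netsh firewall rule additions that allow a program from a notable path.
Field names (image, command_line) are assumptions mapped from Sysmon Event ID 1
(Image, CommandLine) or Security 4688 (NewProcessName, CommandLine)."""
import re
from dataclasses import dataclass
from typing import Optional

# Directories the advisory lists as notable locations for dropped malware.
SUSPICIOUS_DIRS = ("\\windows\\fonts\\", "\\windows\\temp\\", "\\users\\public\\")


@dataclass
class ProcessEvent:
    image: str         # full path of the created process
    command_line: str  # Sysmon logs this by default; 4688 needs command-line auditing


def _normalise(value: str) -> str:
    """Lower-case, strip quotes and use backslashes so path matching is stable."""
    return value.replace("/", "\\").strip('"').lower()


def is_firewall_allow_rule(command_line: str) -> bool:
    """True when the command line adds and enables an allow rule, in either the
    legacy 'netsh firewall add allowedprogram ... ENABLE' form or the
    'netsh advfirewall firewall add rule ... action=allow ... enable=yes' form."""
    tokens = re.split(r"[\s=]+", command_line.lower())
    return ("firewall" in tokens and "add" in tokens
            and any(t.startswith("allow") for t in tokens)
            and any(t.startswith("enable") for t in tokens))


def extract_program_path(command_line: str) -> Optional[str]:
    """Pull the program path out of either netsh syntax; None if absent."""
    for pattern in (r'program=("([^"]+)"|(\S+))',
                    r'allowedprogram\s+(?:program=)?("([^"]+)"|(\S+))'):
        m = re.search(pattern, command_line, re.IGNORECASE)
        if m:
            return m.group(2) or m.group(3)
    return None


def suspicious_dir(value: str) -> Optional[str]:
    """Return the first notable directory found in a path (or a whole command line)."""
    v = _normalise(value)
    return next((d for d in SUSPICIOUS_DIRS if d in v), None)


def evaluate(event: ProcessEvent) -> Optional[dict]:
    """Return a finding or None. Severity mirrors the two rules on this page:
    any netsh allow-rule addition is 'medium'; one from a notable path is 'high'."""
    if _normalise(event.image).rsplit("\\", 1)[-1] != "netsh.exe":
        return None
    if not is_firewall_allow_rule(event.command_line):
        return None
    program = extract_program_path(event.command_line)
    # If the path could not be parsed, fall back to scanning the whole command line.
    hit = suspicious_dir(program) if program else suspicious_dir(event.command_line)
    return {
        "rule": ("Detect Firewall Modification From Suspicious Path" if hit
                 else "Detect Firewall Modification With Netsh"),
        "severity": "high" if hit else "medium",
        "program": program,
        "matched_dir": hit,
        "command_line": event.command_line,
    }


def scan(events) -> list:
    """Evaluate a batch of events and keep only the findings."""
    return [f for f in map(evaluate, events) if f]


# Constructed sample events (not real telemetry).
NETSH = r"C:\Windows\System32\netsh.exe"
SAMPLE_EVENTS = [
    ProcessEvent(NETSH, r'netsh firewall add allowedprogram "C:\Windows\Temp\svchost_upd.exe" "Windows Update" ENABLE'),
    ProcessEvent(NETSH, r'netsh advfirewall firewall add rule name="Allow app" dir=in action=allow program="C:\Users\Public\tool.exe" enable=yes'),
    ProcessEvent(NETSH, r'netsh advfirewall firewall add rule name="Allow Chrome" dir=in action=allow program="C:\Program Files\Google\Chrome\Application\chrome.exe" enable=yes'),
    ProcessEvent(NETSH, r"netsh advfirewall firewall show rule name=all"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd /c echo firewall add allow enable"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["rule"], "->", finding["program"])
```

The image check is deliberately on the process path rather than on the command line alone, so a shell echoing the keywords does not fire; the medium-severity path is where tuning belongs, since legitimate installers also add allow rules from Program Files.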

Detection coverage (2 rules)

Detect Firewall Modification From Suspicious Path (severity: high)

Detects firewall modifications initiated from suspicious paths.

Rule type: Sigma; tactics: defense_evasion; sources: process_creation, windows

Detect Firewall Modification With Netsh (severity: medium)

Detects use of netsh.exe to modify firewall rules.

Rule type: Sigma; tactics: defense_evasion; sources: process_creation, windows

Detection queries are kept inside the platform.