Status: Closed
Labels: Create Pull-Request (issues that should be provided as a pull request), False-Positive (issue reporting a false positive with one of the rules)
Rule UUID
0e4164da-94bc-450d-a7be-a4b176179f1f
Example EventLog

```text
EventCode=4688
...
Message=A new process has been created.
...
Creator Subject:
...
Target Subject:
...
Process Information:
    New Process ID:        0xBEEF
    New Process Name:      C:\Windows\System32\netsh.exe
    Token Elevation Type:  %%1234
    Mandatory Label:       S-1-16-12288
    Creator Process ID:    0xDEAD
    Creator Process Name:  C:\Windows\System32\cmd.exe
    Process Command Line:  C:\Windows\System32\netsh.exe advfirewall firewall show rule name=all verbose
```
Description
I discovered a false negative where suspicious traffic is able to avoid detection. The CLI parameters are too specific and don't allow for ".exe" to be at the end of the string.
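The gap the report describes, reproduced as an added example that is not the Sigma rule's own logic: the strict selector below is an assumption about the rule's shape (substrings anchored on the bare `netsh ` token), and the event dictionary is constructed from the command line in the report. A substring match keyed on `netsh ` misses the `netsh.exe` form, while a pattern that tolerates the extension, a full path and quoting catches both.

```python
import re

# Sample 4688 process-creation event, constructed from the command line shown in the issue.
EVENT_4688 = {
    "EventCode": 4688,
    "NewProcessName": r"C:\Windows\System32\netsh.exe",
    "CommandLine": r"C:\Windows\System32\netsh.exe advfirewall firewall show rule name=all verbose",
}

# Assumed strict selector in the spirit of the report: every substring must be present,
# and the first one anchors on the bare program name followed by a space.
STRICT_CONTAINS_ALL = ["netsh ", "advfirewall firewall show"]


def matches_contains_all(cmdline, needles):
    """Sigma-style 'CommandLine|contains|all' semantics (case-insensitive substrings)."""
    lowered = cmdline.lower()
    return all(n.lower() in lowered for n in needles)


# Hardened form: accept the executable with or without ".exe", with a full path,
# and with optional quoting, then require the firewall discovery arguments.
RELAXED_PATTERN = re.compile(
    r"""
    (?:^|[\\/"\s])netsh(?:\.exe)?"?\s+   # bare netsh or netsh.exe, optionally pathed/quoted
    (?:advfirewall\s+)?firewall\s+show   # 'firewall show' with optional 'advfirewall' prefix
    """,
    re.IGNORECASE | re.VERBOSE,
)


def matches_relaxed(cmdline):
    """Return True when the command line is a netsh firewall rule/config listing."""
    return RELAXED_PATTERN.search(cmdline) is not None


def evaluate(event):
    """Run both selectors over one event so the false negative is visible side by side."""
    return {
        "strict": matches_contains_all(event["CommandLine"], STRICT_CONTAINS_ALL),
        "relaxed": matches_relaxed(event["CommandLine"]),
    }


if __name__ == "__main__":
    print(evaluate(EVENT_4688))  # strict misses the .exe form, relaxed catches it
```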