diff --git a/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml b/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
new file mode 100644
index 00000000..a0893a36
--- /dev/null
+++ b/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: access firewall policy via INetFwPolicy2
+ namespace: host-interaction/firewall/modify
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scopes:
+ static: function
+ dynamic: thread
+ att&ck:
+ - Discovery::Software Discovery::Security Software Discovery [T1518.001]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/api/netfw/nn-netfw-inetfwpolicy2
+ examples:
+ - a210a5daaf487fe6c8bbaf906abce749042f15890d60b09c6cb333e54958663b:0x180002D60
+ features:
+ - and:
+ - api: ole32.CoCreateInstance
+ - bytes: 7f c9 b3 e2 e1 6a ac 41 81 7a f6 f9 21 66 d7 dd = CLSID_FwPolicy2
+ - bytes: 47 50 32 98 71 c6 74 41 8d 81 de fc d3 f0 31 86 = IID_INetFwPolicy2
diff --git a/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml b/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
new file mode 100644
index 00000000..42427cc9
--- /dev/null
+++ b/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
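Review bot: The ATT&CK tag on the `att&ck:` line (Security Software Discovery [T1518.001]) disagrees with the `host-interaction/firewall/modify` namespace, and the features themselves settle neither reading: CoCreateInstance on CLSID_FwPolicy2/IID_INetFwPolicy2 only proves that the firewall policy interface was obtained, which is the same first step for enumerating rules and for changing the firewall state. Either move the rule to a neutral namespace such as `host-interaction/firewall`, or, if modification is the intended signal, add `- Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]` and a `description:` line in `meta` stating that the match is the interface acquisition, not a specific get or put call. Separately, `api: ole32.CoCreateInstance` is module-qualified; a sample that imports CoCreateInstance through combase.dll or an api-ms-win-core-com-* forwarder would presumably not match, so consider the unqualified `api: CoCreateInstance` (or an `or` of both) after confirming how capa normalizes those imports.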
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: access firewall rule properties via INetFwRule
+ namespace: host-interaction/firewall/modify
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scopes:
+ static: function
+ dynamic: thread
+ att&ck:
+ - Discovery::Software Discovery::Security Software Discovery [T1518.001]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/api/netfw/nn-netfw-inetfwrule
+ examples:
+ - a210a5daaf487fe6c8bbaf906abce749042f15890d60b09c6cb333e54958663b:0x180002D60
+ features:
+ - and:
+ - api: ole32.CoCreateInstance
+ - bytes: 3e c4 5b 2c 69 33 33 4c ab 0c be 94 69 67 7a f4 = CLSID_FwRule
+ - bytes: 27 0d 23 af ba ba 42 4e ac ed f5 24 f2 2c fc e2 = IID_INetFwRule
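Review bot: The `name:` and the Discovery [T1518.001] tag on the `att&ck:` line do not describe what the features detect: CoCreateInstance on CLSID_FwRule builds a fresh, detached INetFwRule object, which code only does when it intends to populate one and hand it to the rule collection, whereas reading properties of existing rules presumably goes through the collection's enumeration or Item lookup and never touches CLSID_FwRule, so this rule would miss the "read properties" case it is named for and fire on the "add rule" case it is not tagged for. Suggest renaming along the lines of `name: create firewall rule object via INetFwRule`, adding `- Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]`, and recording the reasoning in `meta` with `description: matches instantiation of a new INetFwRule via CoCreateInstance, which precedes adding a rule to the firewall`. The static/dynamic scopes and the GUID byte sequences themselves look consistent with the documented CLSID/IID values.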