Skip to content

Hide Navigation Hide TOC

New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE (eca81e8d-09e1-4d04-8614-c91f44fd0519)

Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

Cluster A Galaxy A Cluster B Galaxy B Level
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE (eca81e8d-09e1-4d04-8614-c91f44fd0519) Sigma-Rules Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2