New Windows Firewall Rule Added via New-NetFirewallRule Cmdlet

Date: 03/05/2025

Severity: Medium

Summary

Monitors the execution of the "New-NetFirewallRule" cmdlet in PowerShell to create a new firewall rule with an "Allow" action.

Image

'\powershell.exe'

'\pwsh.exe'

'\powershell_ise.exe'

OriginalFileName

'PowerShell.EXE'

'pwsh.dll'

CommandLine

'New-NetFirewallRule '

' -Action '

'allow'

Detection Query 1	(resourcename in ("Windows Security") AND eventtype = "4688" AND ((newprocessname IN ("\powershell.exe","\pwsh.exe","\powershell_ise.exe") OR processname IN ("powershell.exe","pwsh.exe","powershell_ise.exe")) AND originalfilename IN ("PowerShell.EXE","pwsh.dll")) AND (commandline like "New-NetFirewallRule" AND commandline like " -Action" AND commandline like "allow"))
Detection Query 2	(technologygroup = "EDR" AND ((newprocessname IN ("\powershell.exe","\pwsh.exe","\powershell_ise.exe") OR processname IN ("powershell.exe","pwsh.exe","powershell_ise.exe")) AND originalfilename IN ("PowerShell.EXE","pwsh.dll")) AND (commandline like "New-NetFirewallRule" AND commandline like " -Action" AND commandline like "allow"))
Detection Query 3	(resourcename in ("Sysmon") AND eventtype = "1" AND (image IN ("\powershell.exe","\pwsh.exe","\powershell_ise.exe") AND originalfilename IN ("PowerShell.EXE","pwsh.dll")) AND (commandline like "New-NetFirewallRule" AND commandline like " -Action" AND commandline like "allow"))
Detection Query 4	(technologygroup = "EDR" AND (newprocessname IN ("\powershell.exe","\pwsh.exe","\powershell_ise.exe") AND processname IN ("PowerShell.EXE","pwsh.dll")) AND (commandline like "New-NetFirewallRule" AND commandline like " -Action" AND commandline like "allow"))

Reference: