
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE (eca81e8d-09e1-4d04-8614-c91f44fd0519)

Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) | Attack Pattern | New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE (eca81e8d-09e1-4d04-8614-c91f44fd0519) | Sigma-Rules | 1 |
| Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) | Attack Pattern | Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) | Attack Pattern | 2 |