Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.
Rule type: eql
Risk score: 47
Runs every: 5 minutes
Maximum alerts per execution: 100
- Threat Detection
- Defense Evasion
Version: 2 (version history)
Added (Elastic Stack release): 7.14.0
Last modified (Elastic Stack release): 7.16.0
Rule authors: Elastic
Rule license: Elastic License v2
Host Windows Firewall planned system administration changes.
process where event.type == "start" and process.name : "netsh.exe" and process.args : ("firewall", "advfirewall") and process.args : "group=Network Discovery" and process.args : "enable=Yes"
Framework: MITRE ATT&CKTM
- Version 2 (7.16.0 release)
- Formatting only