Open kevross33 opened 8 years ago
Hi,
No, it didn't when I was analysing the sample (sorry, because it never fired I didn't realise there was already one there that I could have looked at adding this into).
I have a dridex payload which issues the following and is detected with the bypass_firewall sig:
netsh advfirewall firewall add rule name="Core Networking - Multicast Listener Done (ICMPv4-In)" program="C:\Windows\Explorer.EXE" dir=in action=allow protocol=TCP localport=any
I'm thinking the difference is the profile=any or perhaps that it's not binding it to a process name.
Seen for example in sample MD5 3251e5ebe7c0e61aac2d2f74b3423e12:
"C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any
"C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any
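As an added example (not code from this issue or from the Cuckoo signature being discussed), here is a small Python parser for the command lines quoted above. It splits several `netsh advfirewall` invocations that a sandbox has logged on one line, extracts the `key=value` parameters of `add rule` / `set rule`, and flags the properties the issue raises: `action=allow`, `profile=any`, and a rule that is not bound to a `program=`. The two sample inputs are constructed from the command lines in this issue; the flag names and the "Core Networking" name heuristic are this example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the Explorer.EXE rule from the first command line in the issue.
SAMPLE_BOUND = ('netsh advfirewall firewall add rule '
                'name="Core Networking - Multicast Listener Done (ICMPv4-In)" '
                'program="C:\\Windows\\Explorer.EXE" dir=in action=allow '
                'protocol=TCP localport=any')

# Constructed sample: the four invocations from the second sample, run together
# on one line the way a sandbox process log may record them.
SAMPLE_BLOB = (
    '"C:\\Windows\\system32\\netsh.exe" advfirewall firewall set rule '
    'name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any '
    '"C:\\Windows\\system32\\netsh.exe" advfirewall firewall add rule '
    'name="Core Networking - System IP Core" dir=in action=allow enable=yes profile=any '
    '"C:\\Windows\\system32\\netsh.exe" advfirewall firewall set rule '
    'name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any '
    '"C:\\Windows\\system32\\netsh.exe" advfirewall firewall add rule '
    'name="Core Networking - System IP Core" dir=out action=allow enable=yes profile=any'
)

# Start of one invocation: "netsh" or a quoted/unquoted path ending in netsh.exe,
# followed by "advfirewall". Used to pull apart commands logged on one line.
_NETSH_START = r'"?[^"\s]*\bnetsh(?:\.exe)?"?\s+advfirewall\b'
_CMD_RE = re.compile(rf'({_NETSH_START}.*?)(?={_NETSH_START}|$)', re.I | re.S)

# A token is a run of non-space characters in which double-quoted segments
# (which may contain spaces, e.g. rule names) are kept together.
_TOKEN_RE = re.compile(r'(?:"[^"]*"|\S)+')


@dataclass
class Finding:
    raw: str
    verb: str                      # "add" or "set"
    params: dict[str, str]
    flags: list[str] = field(default_factory=list)


def split_commands(blob: str) -> list[str]:
    """Split a log line holding one or more netsh advfirewall invocations."""
    return [m.group(1).strip() for m in _CMD_RE.finditer(blob)]


def tokenize(cmdline: str) -> list[str]:
    """Tokenize on whitespace while honouring double quotes; quotes are dropped."""
    return [t.replace('"', '') for t in _TOKEN_RE.findall(cmdline)]


def analyze(cmdline: str) -> Finding | None:
    """Return a Finding for 'advfirewall firewall add|set rule ...', else None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if "advfirewall" not in low:
        return None
    i = low.index("advfirewall")
    if low[i + 1:i + 2] != ["firewall"] or low[i + 3:i + 4] != ["rule"]:
        return None
    verb = low[i + 2]
    if verb not in ("add", "set"):
        return None
    # key=value pairs follow "rule"; bare words such as the "new" in
    # "set rule ... new action=allow" are skipped.
    params: dict[str, str] = {}
    for tok in toks[i + 4:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            params[key.lower()] = value
    finding = Finding(raw=cmdline, verb=verb, params=params)
    flags = finding.flags
    if params.get("action", "").lower() == "allow":
        flags.append("allow_rule")
    if "program" not in params:
        flags.append("not_bound_to_program")   # the difference raised in the issue
    if params.get("profile", "").lower() == "any":
        flags.append("all_profiles")
    if params.get("dir", "").lower() == "out":
        flags.append("outbound")
    if params.get("name", "").lower().startswith("core networking"):
        flags.append("builtin_style_name")     # heuristic: mimics Windows' own rule names
    return finding


def analyze_blob(blob: str) -> list[Finding]:
    """Analyze every add/set rule invocation found in a (possibly concatenated) log line."""
    return [fd for fd in (analyze(c) for c in split_commands(blob)) if fd]


if __name__ == "__main__":
    for fd in [analyze(SAMPLE_BOUND)] + analyze_blob(SAMPLE_BLOB):
        print(fd.verb, repr(fd.params.get("name")), fd.flags)
```

Run against the two samples, the Explorer.EXE rule comes back with `allow_rule` and `builtin_style_name` but not `not_bound_to_program`, while all four "System IP Core" invocations carry `not_bound_to_program` and `all_profiles`, which is exactly the distinction a signature keyed on `program=` would miss.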