Add delete-network-filter-via-wfp-api.yml and enumerate-network-filte…

…rs-via-wfp-api.yml (#930) * Add host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml and host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
mandiant · Sep 16, 2024 · 123d6f7 · 123d6f7
1 parent ece75e3
commit 123d6f7
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml b/host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml
@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: delete network filter via WFP API
+    namespace: host-interaction/network/traffic/filter
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Impact::Data Manipulation::Transmitted Data Manipulation [T1565.002]
+      - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterdeletebyid0
+      - https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterdeletebykey0
+      - https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c
+    examples:
+      - d9531e53036c5d04fbe7d1aeae2988c3bf0fdec63774690c5df70cc121af8de4:0x10001DF0
+  features:
+    - or:
+      - api: fwpkclnt.FwpmFilterDeleteById0
+      - api: fwpkclnt.FwpmFilterDeleteByKey0
diff --git a/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml b/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: enumerate network filters via WFP API
+    namespace: host-interaction/network/traffic/filter
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: thread
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterenum0
+      - https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c
+    examples:
+      - d9531e53036c5d04fbe7d1aeae2988c3bf0fdec63774690c5df70cc121af8de4:0x10001DF0
+  features:
+    - and:
+      - api: fwpkclnt.FwpmFilterCreateEnumHandle0
+      - api: fwpkclnt.FwpmFilterEnum0