From 123d6f73dc45c7319dd9e5bf73930aa81269806d Mon Sep 17 00:00:00 2001
From: JJ
Date: Mon, 16 Sep 2024 20:43:28 +0800
Subject: [PATCH] Add delete-network-filter-via-wfp-api.yml and enumerate-network-filters-via-wfp-api.yml (#930)

* Add host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml and host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml

---
 .../delete-network-filter-via-wfp-api.yml | 22 +++++++++++++++++++
 .../enumerate-network-filters-via-wfp-api.yml | 18 +++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml
 create mode 100644 host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml

diff --git a/host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml b/host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml
new file mode 100644
index 00000000..8ce86137
--- /dev/null
+++ b/host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml
@@ -0,0 +1,22 @@
+rule:
+ meta:
+ name: delete network filter via WFP API
+ namespace: host-interaction/network/traffic/filter
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Impact::Data Manipulation::Transmitted Data Manipulation [T1565.002]
+ - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterdeletebyid0
+ - https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterdeletebykey0
+ - https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c
+ examples:
+ - d9531e53036c5d04fbe7d1aeae2988c3bf0fdec63774690c5df70cc121af8de4:0x10001DF0
+ features:
+ - or:
+ - api: fwpkclnt.FwpmFilterDeleteById0
+ - api: fwpkclnt.FwpmFilterDeleteByKey0
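Review bot: The module prefix on the two `api:` features at the end of this hunk looks wrong for a user-mode sample: `fwpkclnt` is the kernel-mode WFP client library, whereas the fwpmu.h functions FwpmFilterDeleteById0 and FwpmFilterDeleteByKey0 cited under `references:` are exported by fwpuclnt.dll in user mode, which is also what the referenced EDRSilencer source uses. If the example at 0x10001DF0 is a user-mode binary, the features should presumably read `- api: fwpuclnt.FwpmFilterDeleteById0` and `- api: fwpuclnt.FwpmFilterDeleteByKey0`; confirm against the example's import table before changing it. The same prefix is used in the enumerate rule in the second file of this patch. A short `description:` noting that removing WFP filters is also routine for legitimate firewall, VPN and security products would help analysts treat a match as a tamper indicator to corroborate rather than a standalone verdict.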
diff --git a/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml b/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
new file mode 100644
index 00000000..97af7ed5
--- /dev/null
+++ b/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: enumerate network filters via WFP API
+ namespace: host-interaction/network/traffic/filter
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scopes:
+ static: function
+ dynamic: thread
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterenum0
+ - https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c
+ examples:
+ - d9531e53036c5d04fbe7d1aeae2988c3bf0fdec63774690c5df70cc121af8de4:0x10001DF0
+ features:
+ - and:
+ - api: fwpkclnt.FwpmFilterCreateEnumHandle0
+ - api: fwpkclnt.FwpmFilterEnum0
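Review bot: This rule carries no `att&ck:` entry while its sibling delete rule maps two techniques; given that the cited EDRSilencer code enumerates filters to locate the ones applied to security tooling, a mapping such as `- Discovery::Software Discovery::Security Software Discovery [T1518.001]` seems applicable, but confirm it against the rule set's conventions before adding. A `description:` line stating that filter enumeration on its own is benign (firewall management and auditing tools do it) and that this rule is mainly useful as a precursor to the delete rule would help readers interpret a match. The `dynamic: thread` scope is the right choice here, since the `and` needs FwpmFilterCreateEnumHandle0 and FwpmFilterEnum0 to co-occur, which a single-call scope would not capture.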