โ
Case #485
service.windows_process_creation/proc_creation_win_netsh_fw_add_rule
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
New Firewall Rule Added Via Netsh.EXE
low
Rule: service.windows_process_creation/proc_creation_win_netsh_fw_add_rule
Hostname: desktop-atsepsk ยท Sensor: 8f3a47be-5629-4c...
Event Type: NEW_PROCESS
Confidence: 95% ยท Verdict: false positive
Event Data:
COMMAND_LINE:
C:\WINDOWS\SysWOW64\\netsh.exe advfirewall firewall add rule name=Quickbooks__34 dir=in program="C:\Program Files\Intuit\QuickBooks Enterprise Solutions 24.0\CefSharp.BrowserSubprocess.exe" action=allow protocol=UDP localport=5353 profile=public,private,domain
FILE_IS_SIGNED:
1
FILE_PATH:
C:\WINDOWS\SysWOW64\netsh.exe
HASH:
8dad37c581651012be601cd12860b39aacbda44ecc7ef116669507c1061e73dd
PARENT:
{'BASE_ADDRESS': 140696016846848, 'COMMAND_LINE': 'C:\\Windows\\System32\\MsiExec.exe -Embedding 054754E7437F0B6CCA61DB49F7C7425C', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Windows\\System32\\MsiExec.exe', 'HASH': '677417ba3ad87f73cd95ad30423998c6089e7eef381b309a562cda1eb6fe178e', 'MEMORY_USAGE': 14663680, 'PARENT_ATOM': 'ffb361e9a65ea31762c7273669c2a670', 'PARENT_PROCESS_ID': 38156, 'PROCESS_ID': 31932, 'THIS_ATOM': '0e2be6b24c56dfa0613f286f69c2a672', 'THREADS': 8, 'TIMESTAMP': 1774364274142, 'USER_NAME': 'DESKTOP-ATSEPSK\\Joy Howell'}
PARENT_PROCESS_ID:
31932
PROCESS_ID:
42252
IOCs:
C:\WINDOWS\SysWOW64\netsh.exe
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 24.0\CefSharp.BrowserSubprocess.exe
8dad37c581651012be601cd12860b39aacbda44ecc7ef116669507c1061e73dd
MITRE:
T1562.004
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "New Firewall Rule Added Via Netsh.EXE",
"detect": {
"event": {
"COMMAND_LINE": "C:\\WINDOWS\\SysWOW64\\\\netsh.exe advfirewall firewall add rule name=Quickbooks__34 dir=in program=\"C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 24.0\\CefSharp.BrowserSubprocess.exe\" action=allow protocol=UDP localport=5353 profile=public,private,domain",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\WINDOWS\\SysWOW64\\netsh.exe",
"HASH": "8dad37c581651012be601cd12860b39aacbda44ecc7ef116669507c1061e73dd",
"PARENT": {
"BASE_ADDRESS": 140696016846848,
"COMMAND_LINE": "C:\\Windows\\System32\\MsiExec.exe -Embedding 054754E7437F0B6CCA61DB49F7C7425C",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\MsiExec.exe",
"HASH": "677417ba3ad87f73cd95ad30423998c6089e7eef381b309a562cda1eb6fe178e",
"MEMORY_USAGE": 14663680,
"PARENT_ATOM": "ffb361e9a65ea31762c7273669c2a670",
"PARENT_PROCESS_ID": 38156,
"PROCESS_ID": 31932,
"THIS_ATOM": "0e2be6b24c56dfa0613f286f69c2a672",
"THREADS": 8,
"TIMESTAMP": 1774364274142,
"USER_NAME": "DESKTOP-ATSEPSK\\Joy Howell"
},
"PARENT_PROCESS_ID": 31932,
"PROCESS_ID": 42252
},
"routing": {
"arch": 2,
"did": "",
"event_id": "eb16bef6-45e0-4d05-bb6e-fc68e41a9338",
"event_time": 1774364679216,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1141,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e2be6b24c56dfa0613f286f69c2a672",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "9f4e5cfad9e1f0395ffe20b669c2a807"
}
},
"detect_id": "6e45cee1-3ceb-411f-8092-1daa69c2a808",
"detect_mtd": {
"author": "Markus Neis, Sander Wiebing",
"description": "Detects the addition of a new rule to the Windows firewall via netsh",
"falsepositives": [
"Legitimate administration activity",
"Software installations"
],
"level": "medium",
"references": [
"https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf"
],
"tags": [
"attack.defense-evasion",
"attack.t1562.004",
"attack.s0246"
]
},
"gen_time": 1774364680360,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364679\u0026selected=9f4e5cfad9e1f0395ffe20b669c2a807",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "eb16bef6-45e0-4d05-bb6e-fc68e41a9338",
"event_time": 1774364679216,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1141,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e2be6b24c56dfa0613f286f69c2a672",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "9f4e5cfad9e1f0395ffe20b669c2a807"
},
"rule_tags": [
"ext:ext-sigma",
"attack.defense-evasion",
"attack.t1562.004",
"attack.s0246"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_netsh_fw_add_rule",
"ts": 1774364680000
}
๐ Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
๐ค Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Legitimate software installation (QuickBooks)",
"investigation_questions": [
"Does the host inventory show a recent installation or update for QuickBooks Enterprise Solutions 24.0?"
],
"ioc_analysis": "netsh.exe is a signed Microsoft binary (hash 8dad37c581651012be601cd12860b39aacbda44ecc7ef116669507c1061e73dd) running from the standard SysWOW64 directory. The parent process is MsiExec.exe, also a signed system binary, indicating an installation context. The targeted program path is a legitimate QuickBooks subdirectory.",
"iocs_extracted": [
"C:\\WINDOWS\\SysWOW64\\netsh.exe",
"C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 24.0\\CefSharp.BrowserSubprocess.exe",
"8dad37c581651012be601cd12860b39aacbda44ecc7ef116669507c1061e73dd"
],
"mitre_techniques": [
"T1562.004"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Whitelist this specific netsh command pattern when spawned by MsiExec.exe for QuickBooks installations.",
"Close this alert as a false positive."
],
"risk_score": 12,
"severity": "low",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThis detection is a false positive triggered by a legitimate firewall rule modification during the installation of QuickBooks Enterprise Solutions 24.0. The command was executed by the Windows Installer (MsiExec.exe) and configures inbound access for a known QuickBooks component on the standard mDNS port (5353).\n\n**IOC Analysis:** netsh.exe is a signed Microsoft binary (hash 8dad37c581651012be601cd12860b39aacbda44ecc7ef116669507c1061e73dd) running from the standard SysWOW64 directory. The parent process is MsiExec.exe, also a signed system binary, indicating an installation context. The targeted program path is a legitimate QuickBooks subdirectory.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis event represents a legitimate Windows Firewall rule modification initiated by the Microsoft-signed netsh.exe binary located in its expected SysWOW64 directory. The process is being invoked by MSIExec.exe to configure firewall rules for QuickBooks Enterprise Solutions, which is a common administrative task.\n\n**IOC Analysis:** The file path C:\\WINDOWS\\SysWOW64\\netsh.exe matches the known-good location for 32-bit Windows system binaries. The hash corresponds to the legitimate Microsoft-signed netsh.exe binary. The parent process (MsiExec.exe) is a standard Windows Installer executable, and the command line shows a firewall rule being added for a known application (QuickBooks Enterprise Solutions).\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection involves netsh.exe adding a firewall rule for a legitimate QuickBooks component. Given that netsh.exe is a known Windows system binary and the parent process is MsiExec.exe (likely installing QuickBooks), this is likely a false positive.\n\n**IOC Analysis:** The FILE_PATH C:\\WINDOWS\\SysWOW64\\netsh.exe is a known Windows system binary located in its expected directory and is signed, making it benign. The command line specifies adding a rule for CefSharp.BrowserSubprocess.exe, which is part of legitimate QuickBooks software. The parent process MsiExec.exe is also a legitimate Microsoft-signed installer, supporting the benign nature.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (low, 100% confidence)",
"qwen3.5:4b: false_positive (low, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 1.0,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | executed | Tag applied | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found |
๐ Add Note
๐ฌ Notes (4)
๐ค FusionSOC AI
2026-03-24T15:33
๐ค FusionSOC AI
2026-03-24T15:33
๐ค FusionSOC AI
2026-03-24T15:33
๐ค FusionSOC AI
2026-03-24T15:33
๐ Timeline
2026-03-24T16:05:07
analyst
Status changed: investigating โ closed
2026-03-24T16:05:00
analyst
Analyst classified as False Positive (FP)
2026-03-24T15:33:12
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T15:33:12
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T15:33:12
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close this alert as a false positive. **Sensor:** `8f3a47be-5629-4c...` **Time W...
2026-03-24T15:33:12
FusionSOC
Response action queued: recommended on Close this alert as a false positive.
2026-03-24T15:33:12
FusionSOC AI
Status changed: investigating โ investigating
2026-03-24T15:33:12
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T15:33:12
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Whitelist this specific netsh command pattern when spawned by MsiExec.exe for Qu...
2026-03-24T15:33:12
FusionSOC
Response action queued: recommended on Whitelist this specific netsh command pattern when spawned by MsiExec.exe for QuickBooks installations.
2026-03-24T15:33:12
FusionSOC AI
Status changed: open โ investigating
2026-03-24T15:33:12
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-24T15:33:12
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T15:33:12
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T15:33:12
FusionSOC
Action tag โ executed: Tag applied
2026-03-24T15:33:12
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T15:33:11
FusionSOC AI
Detection 6e45cee1-3ceb-411f-8092-1daa69c2a808 triaged as false_positive (low severity, confidence: 95%)
2026-03-24T15:33:11
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_netsh_fw_add_rule