All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
Sigma rule (View on GitHub)
1title: All Rules Have Been Deleted From The Windows Firewall Configuration
2id: 79609c82-a488-426e-abcf-9f341a39365d
3status: experimental
4description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
5references:
6 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
7author: frack113, Nasreddine Bencherchali (Nextron Systems)
8date: 2023/01/17
9modified: 2023/04/21
10tags:
11 - attack.defense_evasion
12 - attack.t1562.004
13logsource:
14 product: windows
15 service: firewall-as
16detection:
17 selection:
18 EventID:
19 - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
20 - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
21 filter_main_generic:
22 ModifyingApplication|startswith:
23 - 'C:\Program Files\'
24 - 'C:\Program Files (x86)\'
25 filter_main_svchost:
26 ModifyingApplication: 'C:\Windows\System32\svchost.exe'
27 filter_optional_msmpeng:
28 ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
29 ModifyingApplication|endswith: '\MsMpEng.exe'
30 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
31level: high
References
Related rules
- A Rule Has Been Deleted From The Windows Firewall Exception List
- Firewall Rule Modified In The Windows Firewall Exception List
- New Firewall Exception Rule Added For A Suspicious Folder
- Windows Defender Firewall Has Been Reset To Its Default Configuration
- Windows Firewall Settings Have Been Changed