All Rules Have Been Deleted From The Windows Firewall Configuration

Detects when a all the rules have been deleted from the Windows Defender Firewall configuration

Sigma rule (View on GitHub)

 1title: All Rules Have Been Deleted From The Windows Firewall Configuration
 2id: 79609c82-a488-426e-abcf-9f341a39365d
 3status: test
 4description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
 5references:
 6    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 7author: frack113, Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-01-17
 9modified: 2024-01-22
10tags:
11    - attack.defense-evasion
12    - attack.t1562.004
13logsource:
14    product: windows
15    service: firewall-as
16detection:
17    selection:
18        EventID:
19            - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
20            - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
21    filter_main_svchost:
22        ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
23    filter_optional_msmpeng:
24        ModifyingApplication|contains|all:
25            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
26            - '\MsMpEng.exe'
27    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
28level: high

References

Related rules

to-top