All Rules Have Been Deleted From The Windows Firewall Configuration

 1title: All Rules Have Been Deleted From The Windows Firewall Configuration
 2id: 79609c82-a488-426e-abcf-9f341a39365d
 3status: experimental
 4description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
 5references:
 6    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 7author: frack113, Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/01/17
 9modified: 2023/04/21
10tags:
11    - attack.defense_evasion
12    - attack.t1562.004
13logsource:
14    product: windows
15    service: firewall-as
16detection:
17    selection:
18        EventID:
19            - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
20            - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
21    filter_main_generic:
22        ModifyingApplication|startswith:
23            - 'C:\Program Files\'
24            - 'C:\Program Files (x86)\'
25    filter_main_svchost:
26        ModifyingApplication: 'C:\Windows\System32\svchost.exe'
27    filter_optional_msmpeng:
28        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
29        ModifyingApplication|endswith: '\MsMpEng.exe'
30    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
31level: high