All Rules Have Been Deleted From The Windows Firewall Configuration

Detects when all the rules have been deleted from the Windows Defender Firewall configuration

Sigma rule

title: All Rules Have Been Deleted From The Windows Firewall Configuration
id: 79609c82-a488-426e-abcf-9f341a39365d
status: experimental
description: Detects when all the rules have been deleted from the Windows Defender Firewall configuration
references:
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/17
modified: 2023/04/21
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
            - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
    filter_main_generic:
        ModifyingApplication|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_svchost:
        ModifyingApplication: 'C:\Windows\System32\svchost.exe'
    filter_optional_msmpeng:
        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ModifyingApplication|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: high
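The following is an added example, not code from the Sigma project or from the rule's authors: a minimal Python evaluator that applies the rule's selection, its three filters and its condition to a handful of constructed firewall events. It mirrors Sigma's default case-insensitive string matching for `startswith`, `endswith` and plain equality, and treats the two keys inside `filter_optional_msmpeng` as an AND, which is how a Sigma map is evaluated. The event records, the vendor name under `Program Files`, and the Defender platform version folder are all made-up sample data.

```python
# Added example (not part of the Sigma project or the rule above): evaluate
# the "all firewall rules deleted" rule against constructed sample events.

# EventID values from the rule: Windows 10 (2033) and Windows 11 (2059).
SELECTION_EVENT_IDS = {2033, 2059}

# filter_main_generic: ModifyingApplication|startswith
FILTER_GENERIC_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")
# filter_main_svchost: exact match
FILTER_SVCHOST = "C:\\Windows\\System32\\svchost.exe"
# filter_optional_msmpeng: startswith AND endswith on the same field
FILTER_MSMPENG_PREFIX = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"
FILTER_MSMPENG_SUFFIX = "\\MsMpEng.exe"


def _lc(value):
    """Sigma string modifiers compare case-insensitively; normalise once.
    A missing field becomes the empty string, so no filter can match it."""
    return (value or "").lower()


def selection(event):
    return event.get("EventID") in SELECTION_EVENT_IDS


def filter_main_generic(event):
    app = _lc(event.get("ModifyingApplication"))
    return any(app.startswith(p.lower()) for p in FILTER_GENERIC_PREFIXES)


def filter_main_svchost(event):
    return _lc(event.get("ModifyingApplication")) == FILTER_SVCHOST.lower()


def filter_optional_msmpeng(event):
    # Both keys of the Sigma map must hold for the filter to apply.
    app = _lc(event.get("ModifyingApplication"))
    return (app.startswith(FILTER_MSMPENG_PREFIX.lower())
            and app.endswith(FILTER_MSMPENG_SUFFIX.lower()))


def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selection(event):
        return False
    if filter_main_generic(event) or filter_main_svchost(event):
        return False
    if filter_optional_msmpeng(event):
        return False
    return True


def evaluate(events):
    """Return the events that would raise an alert under the rule."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events; field names follow the rule, values are made up.
SAMPLE_EVENTS = [
    # Windows service process: excluded by filter_main_svchost
    {"EventID": 2033, "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe"},
    # Lower-case path under Program Files: excluded case-insensitively by filter_main_generic
    {"EventID": 2059, "ModifyingApplication": "c:\\program files\\ExampleVendor\\agent.exe"},
    # Defender engine (version folder is a placeholder): excluded by filter_optional_msmpeng
    {"EventID": 2059, "ModifyingApplication":
        "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\0.0.0.0-placeholder\\MsMpEng.exe"},
    # A different firewall event ID: never selected
    {"EventID": 2004, "ModifyingApplication": "C:\\Users\\Public\\tool.exe"},
    # Unknown binary from a user-writable path: alert
    {"EventID": 2033, "ModifyingApplication": "C:\\Users\\Public\\tool.exe"},
    # Field missing from the record: no filter can exclude it, so it alerts
    {"EventID": 2059, "ModifyingApplication": None},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two tuning points are visible in the run: the `Program Files` filter excludes any binary under those directories, so an environment that wants tighter coverage can replace it with the specific paths of its management agents; and a record that lacks `ModifyingApplication` still alerts, which is the safe default for a high-severity rule but worth checking against the field names your log pipeline actually emits for this channel.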