All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
Sigma rule (View on GitHub)
1title: All Rules Have Been Deleted From The Windows Firewall Configuration
2id: 79609c82-a488-426e-abcf-9f341a39365d
3status: experimental
4description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
5references:
6 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
7author: frack113, Nasreddine Bencherchali (Nextron Systems)
8date: 2023/01/17
9modified: 2024/01/22
10tags:
11 - attack.defense_evasion
12 - attack.t1562.004
13logsource:
14 product: windows
15 service: firewall-as
16detection:
17 selection:
18 EventID:
19 - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
20 - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
21 filter_main_svchost:
22 ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
23 filter_optional_msmpeng:
24 ModifyingApplication|contains|all:
25 - ':\ProgramData\Microsoft\Windows Defender\Platform\'
26 - '\MsMpEng.exe'
27 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
28level: high
References
-
2002 Microsoft-Windows-Windows Firewall with Advanced Security A Windows Firewall setting has changed. New Setting: %tType:%t%1 %tValue:%t%4 %tModifying User:%t%6 %tModifying Application:%t%7 2003 ...
Read More
Related rules
- A Rule Has Been Deleted From The Windows Firewall Exception List
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Netsh Allow Group Policy on Microsoft Defender Firewall
- New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application