All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
Sigma rule (View on GitHub)
1title: All Rules Have Been Deleted From The Windows Firewall Configuration
2id: 79609c82-a488-426e-abcf-9f341a39365d
3status: experimental
4description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
5references:
6 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
7author: frack113, Nasreddine Bencherchali (Nextron Systems)
8date: 2023/01/17
9modified: 2023/04/21
10logsource:
11 product: windows
12 service: firewall-as
13detection:
14 selection:
15 EventID:
16 - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
17 - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
18 filter_main_generic:
19 ModifyingApplication|startswith:
20 - 'C:\Program Files\'
21 - 'C:\Program Files (x86)\'
22 filter_main_svchost:
23 ModifyingApplication: 'C:\Windows\System32\svchost.exe'
24 filter_optional_msmpeng:
25 ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
26 ModifyingApplication|endswith: '\MsMpEng.exe'
27 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
28level: high