Windows Firewall Disabled via PowerShell
Detects attempts to disable the Windows Firewall using PowerShell
Sigma rule
title: Windows Firewall Disabled via PowerShell
id: 12f6b752-042d-483e-bf9c-915a6d06ad75
related:
    - id: 488b44e7-3781-4a71-888d-c95abfacf44d
      type: similar
status: test
description: Detects attempts to disable the Windows Firewall using PowerShell
references:
    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-14
modified: 2023-02-13
tags:
    - attack.defense-evasion
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_args:
        CommandLine|contains|all:
            - 'Set-NetFirewallProfile '
            - ' -Enabled '
            - ' False'
    selection_opt:
        CommandLine|contains:
            - ' -All '
            - 'Public'
            - 'Domain'
            - 'Private'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
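As an added example, and not code from the rule author or the SigmaHQ project, the Python below hand-translates the rule's three selections and its `all of selection_*` condition and runs them over a handful of constructed process_creation events. Sigma's `contains` and `endswith` modifiers match case-insensitively, which the helpers reproduce; the two items under `selection_name` are OR'd, while `contains|all` requires every substring. The event field names follow the rule, but the event ids, paths and command lines are constructed sample data, and no real Sigma backend (such as pySigma) is involved.

```python
"""Hand-translation of the 'Windows Firewall Disabled via PowerShell' Sigma rule
into plain Python, evaluated over constructed process_creation events."""
from __future__ import annotations

from typing import Any

# Selection strings copied from the rule, lower-cased because Sigma string
# modifiers (contains/endswith) are case-insensitive.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")
ORIGINAL_FILE_NAMES = ("powershell.exe", "pwsh.dll")
ARGS_ALL = ("set-netfirewallprofile ", " -enabled ", " false")   # contains|all
OPT_ANY = (" -all ", "public", "domain", "private")               # contains (any)


def _lower(value: Any) -> str:
    """Normalise a possibly-missing event field for case-insensitive matching."""
    return str(value or "").lower()


def selection_name(event: dict) -> bool:
    """Image|endswith OR OriginalFileName (the two list items are OR'd in Sigma)."""
    image = _lower(event.get("Image"))
    original = _lower(event.get("OriginalFileName"))
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES


def selection_args(event: dict) -> bool:
    """CommandLine|contains|all: every substring must be present."""
    cmd = _lower(event.get("CommandLine"))
    return all(s in cmd for s in ARGS_ALL)


def selection_opt(event: dict) -> bool:
    """CommandLine|contains: at least one profile token or -All."""
    cmd = _lower(event.get("CommandLine"))
    return any(s in cmd for s in OPT_ANY)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_name(event) and selection_args(event) and selection_opt(event)


# Constructed sample events (not real telemetry); field names follow the rule.
SAMPLE_EVENTS = [
    {   # explicit profiles disabled via powershell.exe -> should match
        "id": "evt-1",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -NoProfile -Command "Set-NetFirewallProfile '
                       '-Profile Domain,Public,Private -Enabled False"',
    },
    {   # pwsh with -All -> should match via the ' -All ' option
        "id": "evt-2",
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": "pwsh -c Set-NetFirewallProfile -All -Enabled False",
    },
    {   # firewall being re-enabled -> ' False' absent, no match
        "id": "evt-3",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell Set-NetFirewallProfile -Profile Domain -Enabled True",
    },
    {   # netsh from cmd.exe -> outside this rule's scope, no match
        "id": "evt-4",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c netsh advfirewall set allprofiles state off",
    },
    {   # renamed binary: Image fails but OriginalFileName still matches
        "id": "evt-5",
        "Image": "C:\\Users\\Public\\updater.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "updater.exe -Command Set-NetFirewallProfile -Profile Public -Enabled False",
    },
]


def run(events: list[dict] = SAMPLE_EVENTS) -> list[str]:
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']}: {'ALERT' if matches(event) else 'no match'}")
```

The renamed-binary case (`evt-5`) is why the rule keys on `OriginalFileName` as well as `Image`: the PE version resource survives a rename on disk. The `netsh` case (`evt-4`) is deliberately not matched; it shows the rule's scope is PowerShell cmdlets only, so `netsh advfirewall` needs separate coverage.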
Related rules
- AWS SecurityHub Findings Evasion
- Azure Kubernetes Events Deleted
- ETW Logging Disabled For SCM
- ETW Logging Disabled For rpcrt4.dll
- ETW Logging Disabled In .NET Processes - Registry