Windows Firewall Disabled via PowerShell
Detects attempts to disable the Windows Firewall using PowerShell
Sigma rule
```yaml
title: Windows Firewall Disabled via PowerShell
id: 12f6b752-042d-483e-bf9c-915a6d06ad75
related:
    - id: 488b44e7-3781-4a71-888d-c95abfacf44d
      type: similar
status: test
description: Detects attempts to disable the Windows Firewall using PowerShell
references:
    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022/09/14
modified: 2023/02/13
tags:
    - attack.defense_evasion
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_args:
        CommandLine|contains|all:
            - 'Set-NetFirewallProfile '
            - ' -Enabled '
            - ' False'
    selection_opt:
        CommandLine|contains:
            - ' -All '
            - 'Public'
            - 'Domain'
            - 'Private'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
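To make the rule's logic concrete, the following Python evaluator is an added example; it is not part of the Sigma project or of this rule page. It implements only the modifiers this rule uses (`endswith`, `contains`, `contains|all`), Sigma's default case-insensitive string matching, the OR semantics of a list-of-maps selection (`selection_name`) and the `all of selection_*` condition, then runs the rule over a few constructed process-creation events (not real logs). It shows that all three selections must hit: the process must be a PowerShell host (by image path or original file name), the command line must carry the disable arguments, and at least one profile token or `-All` must be present.

```python
"""Toy evaluator for the Sigma rule above (added example, not the project's code).

Supports only what this rule needs: the endswith / contains / contains|all
modifiers, plain equality, case-insensitive matching (Sigma's default), and
the condition "all of selection_*". Events below are constructed samples.
"""
from typing import Dict, List, Union

Event = Dict[str, str]
FieldMap = Dict[str, List[str]]
Selection = Union[FieldMap, List[FieldMap]]

# Selections transcribed from the rule: "Field|modifier|modifier" -> values.
SELECTION_NAME: Selection = [
    {"Image|endswith": [r"\powershell.exe", r"\pwsh.exe", r"\powershell_ise.exe"]},
    {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]},
]
SELECTION_ARGS: Selection = {
    "CommandLine|contains|all": ["Set-NetFirewallProfile ", " -Enabled ", " False"]
}
SELECTION_OPT: Selection = {
    "CommandLine|contains": [" -All ", "Public", "Domain", "Private"]
}


def _match_field(event: Event, spec: str, values: List[str]) -> bool:
    """Apply one field spec to an event, comparing case-insensitively."""
    field, *mods = spec.split("|")
    actual = event.get(field)
    if actual is None:          # missing field never matches
        return False
    actual = actual.lower()
    wanted = [v.lower() for v in values]
    if "endswith" in mods:
        tests = [actual.endswith(v) for v in wanted]
    elif "contains" in mods:
        tests = [v in actual for v in wanted]
    else:                       # no modifier: exact (case-insensitive) equality
        tests = [actual == v for v in wanted]
    # "|all" requires every listed value to match; otherwise any one suffices.
    return all(tests) if "all" in mods else any(tests)


def _match_map(event: Event, mapping: FieldMap) -> bool:
    """A map of field specs is an AND of its entries."""
    return all(_match_field(event, spec, vals) for spec, vals in mapping.items())


def match_selection(event: Event, selection: Selection) -> bool:
    """A selection written as a list of maps is an OR of those maps."""
    if isinstance(selection, list):
        return any(_match_map(event, m) for m in selection)
    return _match_map(event, selection)


def rule_matches(event: Event) -> bool:
    """condition: all of selection_*"""
    return all(
        match_selection(event, sel)
        for sel in (SELECTION_NAME, SELECTION_ARGS, SELECTION_OPT)
    )


# Constructed sample events (paths and command lines invented for the demo).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS: Dict[str, Event] = {
    # Lower-case command line still matches: Sigma matching is case-insensitive.
    "disable_profiles": {
        "Image": PS_IMAGE,
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -nop -c set-netfirewallprofile "
                       "-profile domain,private,public -enabled false",
    },
    # Renamed binary: Image check fails, OriginalFileName branch still hits.
    "renamed_binary": {
        "Image": r"C:\Users\Demo\AppData\Local\Temp\update.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "update.exe Set-NetFirewallProfile -All -Enabled False",
    },
    # Re-enabling the firewall: ' False' is absent, so selection_args fails.
    "enable_profiles": {
        "Image": PS_IMAGE,
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -Command Set-NetFirewallProfile -Profile Domain -Enabled True",
    },
    # Read-only query of profile state: no Set-NetFirewallProfile at all.
    "query_only": {
        "Image": PS_IMAGE,
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -Command Get-NetFirewallProfile -All",
    },
}


def evaluate_all() -> Dict[str, bool]:
    """Run the rule over every sample event and report which ones alert."""
    return {name: rule_matches(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:18} -> {'ALERT' if hit else 'no match'}")
```

Running it prints an alert for the two disable cases only. The `renamed_binary` event is why the rule keys on `OriginalFileName` as well as `Image`: the PE's original name survives a rename on disk, so the selection still fires when `powershell.exe` is copied under another name.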
Related rules
- Sysmon Application Crashed
- Windows Defender Exclusions Added - PowerShell
- Write Protect For Storage Disabled
- Windows Filtering Platform Blocked Connection From EDR Agent Binary
- HackTool - EDRSilencer Execution