https://detection.fyi/tags/attack.t1686.003/ Recent content in attack.t1686.003 on Detection.FYI Hugo -- gohugo.io Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_delete_rule/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_delete_rule/ Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_delete_all_rules/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_delete_all_rules/ Detects when a all the rules have been deleted from the Windows Defender Firewall configuration https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_defender_firewall/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_defender_firewall/ Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_windows_firewall/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_windows_firewall/ Detect set EnableFirewall to 0 to disable the Windows firewall https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_disable/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_disable/ Detects netsh commands that turns off the Windows firewall https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_delete_rule/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_delete_rule/ Detects the removal of a port or application rule in the Windows Firewall configuration using netsh https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule/ Adversaries may modify system firewalls in order to bypass controls limiting network usage https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder/ Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location. https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse/ Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule". https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_add_rule/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_add_rule/ Detects the addition of a new rule to the Windows firewall via netsh https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp/ Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location/ Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo/ Detects activity when The Windows Defender Firewall service failed to load Group Policy https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_add_rule/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_add_rule/ Detects when a rule has been added to the Windows Firewall exception list https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_reset_config/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_reset_config/ Detects activity when Windows Defender Firewall has been reset to its default configuration https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled/ Detects when a user disables the Windows Firewall via a Profile to help evade defense. https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_setting_change/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/firewall_as/win_firewall_as_setting_change/ Detects activity when the settings of the Windows firewall have been changed