
Impair Defenses: Disable or Modify System Firewall T1562.004

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Events covered

23 catalog events are tagged with this technique by at least one rule.

| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 13 | RegistryEvent (Value Set) |
| Security-Auditing | 4946 | A change has been made to Windows Firewall exception list. A rule was added. |
| Security-Auditing | 4947 | A change has been made to Windows Firewall exception list. A rule was modified. |
| Security-Auditing | 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. |
| Security-Auditing | 5152 | The Windows Filtering Platform blocked a packet. |
| Security-Auditing | 5157 | The Windows Filtering Platform has blocked a connection. |
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| Windows-Firewall-With-Advanced-Security | 2002 | A Windows Defender Firewall setting has changed. |
| Windows-Firewall-With-Advanced-Security | 2003 | A Windows Defender Firewall setting in the Profiles profile has changed. |
| Windows-Firewall-With-Advanced-Security | 2004 | A rule has been added to the Windows Defender Firewall exception list. |
| Windows-Firewall-With-Advanced-Security | 2006 | A rule has been deleted in the Windows Defender Firewall exception list. |
| Windows-Firewall-With-Advanced-Security | 2008 | Windows Defender Firewall Group Policy settings have changed. |
| Windows-Firewall-With-Advanced-Security | 2009 | The Windows Defender Firewall service failed to load Group Policy. |
| Windows-Firewall-With-Advanced-Security | 2032 | Windows Defender Firewall has been reset to its default configuration. |
| Windows-Firewall-With-Advanced-Security | 2033 | All rules have been deleted from the Windows Defender Firewall configuration on this computer. |
| Windows-Firewall-With-Advanced-Security | 2052 | A rule has been deleted in the Windows Defender Firewall exception list. |
| Windows-Firewall-With-Advanced-Security | 2059 | All rules have been deleted from the Windows Defender Firewall configuration on this computer. |
| Windows-Firewall-With-Advanced-Security | 2060 | Windows Defender Firewall has been reset to its default configuration. |
| Windows-Firewall-With-Advanced-Security | 2071 | A rule has been added to the Windows Defender Firewall exception list. |
| Windows-Firewall-With-Advanced-Security | 2082 | A Windows Defender Firewall setting in the Profiles profile has changed. |
| Windows-Firewall-With-Advanced-Security | 2083 | A Windows Defender Firewall setting has changed. |
| Windows-Firewall-With-Advanced-Security | 2097 | A rule has been added to the Windows Defender Firewall exception list. |

Authoring guide

Patterns shared across the 21 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (13 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| Image | 6 | ends_with 6 | \netsh.exe |
| OriginalFileName | 6 | eq 6 | netsh.exe |
| CommandLine | 6 | match 6 | firewall, set, state, advfirewall firewall delete rule name="Avast Antivirus..., delete |
| ModifyingApplication | 4 | ends_with 4, starts_with 2, eq 2, is_null 1, match 1 | C:\Windows\System32\svchost.exe, C:\ProgramData\Microsoft\Windows Defender\Platform\, C:\Program Files\, :\Windows\System32\svchost.exe, \MsMpEng.exe |
| Action | 3 | eq 3 | 2, 3 |
| EventID | 3 | eq 3 | 4946, 4948, 4947 |
| Details | 2 | eq 2 | DWORD (0x00000000) |
| TargetObject | 2 | ends_with 2, match 1 | \Services\SharedAccess\Parameters\FirewallPolicy\, \EnableFirewall, \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProf..., \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfil... |
| ApplicationPath | 2 | match 2, eq 1, is_null 1, ends_with 1, starts_with 1 | \AppData\Local\Temp\, :\Tmp\, :\Windows\Temp\, C:\Program Files\, C:\Temp\ |
| EventType | 1 | eq 1 | windows-firewall-packet-drop, windows-firewall-packet-block |
| process_name | 1 | eq 1 | epefprtrainer.exe, sargui.exe, mfehidin.exe |
| ParentImage | 1 | ends_with 1 | \instup.exe, \Dropbox.exe |
| ScriptBlockText | 1 | match 1 | Public, -All , False |

Top indicator values (339 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| Image | ends_with | \netsh.exe | 6 | 16 |
| OriginalFileName | eq | netsh.exe | 6 | 14 |
| CommandLine | match | firewall | 4 | 4 |
| CommandLine | match | advfirewall | 3 | 3 |
| ModifyingApplication | starts_with | C:\Windows\WinSxS\ | 2 | 2 |
| ModifyingApplication | starts_with | C:\ProgramData\Microsoft\Windows Defender\Platform\ | 2 | 2 |
| ModifyingApplication | eq | C:\Windows\System32\svchost.exe | 2 | 2 |
| ModifyingApplication | ends_with | \MsMpEng.exe | 2 | 2 |
| Details | eq | DWORD (0x00000000) | 2 | 38 |
| CommandLine | match | set | 2 | 7 |
| CommandLine | match | rule | 2 | 2 |
| ApplicationPath | match | \AppData\Local\Temp\ | 2 | 2 |
| Action | eq | 2 | 2 | 2 |
| process_name | eq | emu-gui.exe | 1 | |
| process_name | eq | klnagent.exe | 1 | |
| process_name | eq | sysmon.exe | 1 | |
| process_name | eq | macmnsvc.exe | 1 | |
| process_name | eq | SCFManager.exe | 1 | |
| process_name | eq | WatchDog.exe | 1 | |
| process_name | eq | submitv.exe | 1 | |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

- Sigma: 17 rules
- Elastic: 1 rule
- Splunk: 3 rules