Detection rules › Sigma
Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Impairment | T1686.003 Disable or Modify System Firewall: Windows Host Firewall |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Windows-Firewall-With-Advanced-Security | Event ID 2032 | Event ID 2032 |
| Windows-Firewall-With-Advanced-Security | Event ID 2060 | Event ID 2060 |
Rule body yaml
title: Windows Defender Firewall Has Been Reset To Its Default Configuration
id: 04b60639-39c0-412a-9fbe-e82499c881a3
status: test
description: Detects activity when Windows Defender Firewall has been reset to its default configuration
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-04-21
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2032 # Windows Defender Firewall has been reset to its default configuration
- 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)
condition: selection
level: low
Stages and Predicates
Stage 0: condition
selectionStage 1: selection
selection:
EventID:
- 2032 # Windows Defender Firewall has been reset to its default configuration
- 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)