Windows Defender Firewall Has Been Reset To Its Default Configuration

Severity: low
Author: frack113
Source: upstream

Detects activity when Windows Defender Firewall has been reset to its default configuration.

MITRE ATT&CK coverage

| Tactic | Techniques |
| --- | --- |
| Defense Evasion | T1562.004 Impair Defenses: Disable or Modify System Firewall |

Event coverage

| Provider | Event ID | Title |
| --- | --- | --- |
| Windows-Firewall-With-Advanced-Security | 2032 | |
| Windows-Firewall-With-Advanced-Security | 2060 | |

Stages and Predicates

Stage 1: selection