Windows Firewall Settings Have Been Changed

Severity: low
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects activity when the settings of the Windows firewall have been changed

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.004` Impair Defenses: Disable or Modify System Firewall

Event coverage

Provider	Event ID	Title
Windows-Firewall-With-Advanced-Security	2002
Windows-Firewall-With-Advanced-Security	2003
Windows-Firewall-With-Advanced-Security	2008
Windows-Firewall-With-Advanced-Security	2082
Windows-Firewall-With-Advanced-Security	2083

Stages and Predicates

Stage 1: `selection`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

USB Device Plugged [sigma]