Windows Modify Registry Delete Firewall Rules

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall firewall delete rule, which can expose the network to external threats by disabling critical security measures. Monitoring these activities helps maintain network integrity and prevent malicious attacks.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry
Defense Evasion	`T1112` Modify Registry

Event coverage

Provider	Event ID	Title
Sysmon	12	RegistryEvent (Object create and delete)

Stages and Predicates

Stage 1: `search`

search EventCode=12 EventType="DeleteValue" TargetObject="*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*"

Stage 2: `stats`

stats BY action, dest, process_guid, process_id, registry_hive, registry_path, registry_key_name, status, user, vendor_product

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`12`
`EventType`	eq	`DeleteValue` corpus 5 (sigma 4, splunk 1)
`TargetObject`	eq	`"\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\"`

Windows Modify Registry Delete Firewall Rules

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: search