
Sigma detection rules

17 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems. Each rule below converts to native query syntax for Splunk, Elastic, Sentinel and other SIEMs. The raw YAML of each rule follows its summary.

Detection rules

high
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when all rules have been deleted from the Windows Defender Firewall configuration
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: 79609c82-a488-426e-abcf-9f341a39365d
title: All Rules Have Been Deleted From The Windows Firewall Configuration
id: 79609c82-a488-426e-abcf-9f341a39365d
status: test
description: Detects when all rules have been deleted from the Windows Defender Firewall configuration
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-17
modified: 2024-01-22
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
            - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
    filter_main_svchost:
        ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
    filter_optional_msmpeng:
        ModifyingApplication|contains|all:
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: high
high
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
status: test · author: frack113 · id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
related:
    - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
      type: derived
status: test
description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
    - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
author: frack113
date: 2023-02-26
modified: 2024-05-10
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
        ApplicationPath|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    filter_main_block:
        Action: 2 # Block
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
status: test · author: Sander Wiebing · id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
title: RDP Connection Allowed Via Netsh.EXE
id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
status: test
description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
references:
    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
author: Sander Wiebing
date: 2020-05-23
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        # Example:
        #   Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
        #   New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
        CommandLine|contains|all:
            - 'firewall '
            - 'add '
            - 'tcp '
            - '3389'
        CommandLine|contains:
            - 'portopening'
            - 'allow'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: high
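The firewall-as rule near the top of this page (All Rules Have Been Deleted From The Windows Firewall Configuration) and the netsh rule just above use the handful of Sigma constructs that recur across the whole list: a selection ANDed with negated "1 of filter_*" groups, a list of maps meaning OR, and "contains|all". The evaluator below is an added example written for this page, not code from threatengine.sh, SigmaHQ or pySigma. It transcribes those two rules (the rule IDs are the page's own) into Python dicts and runs them over constructed sample events; only the operators these rules need are implemented, and string matching is case-insensitive as the Sigma specification requires.

```python
"""Mini evaluator for the Sigma rules on this page (added example; not SigmaHQ or pySigma code).
Supports only what those rules use: scalar or list values (OR), a list of maps (OR), the
contains/startswith/endswith modifiers with optional |all, null, '*'/'?' wildcards, and
conditions of the form 'x', 'not x', '1 of pat*', 'all of pat*' joined by 'and'."""
import fnmatch
import re

def _value_matches(value, pattern, mod):
    """Match one event value against one rule value; Sigma matching is case-insensitive."""
    if pattern is None:                       # Sigma null: field absent or None
        return value is None
    if value is None:
        return False
    if not isinstance(pattern, str):          # numeric values such as EventID: 2033
        return value == pattern
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    text = str(value)
    if mod == "contains":
        return re.search(rx, text, re.I) is not None
    if mod == "startswith":
        return re.match(rx, text, re.I) is not None
    if mod == "endswith":
        return re.search(rx + r"\Z", text, re.I) is not None
    return re.fullmatch(rx, text, re.I) is not None

def _field_matches(event, key, patterns):
    """'Field|contains|all' requires every pattern; any other form is OR over the patterns."""
    field, *mods = key.split("|")
    mod = next((m for m in mods if m in ("contains", "startswith", "endswith")), "")
    combine = all if "all" in mods else any
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return combine(_value_matches(event.get(field), p, mod) for p in patterns)

def _selection_matches(event, selection):
    """A map is AND across its fields; a list of maps is OR across the maps."""
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def evaluate(rule, event):
    """True when the event satisfies rule['detection']['condition']."""
    det = rule["detection"]
    names = [n for n in det if n != "condition"]
    results = {n: _selection_matches(event, det[n]) for n in names}
    tokens = det["condition"].split()
    pos = 0

    def term():                               # 'not' term | '1 of' glob | 'all of' glob | name
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "not":
            return not term()
        if tok in ("1", "all"):
            glob, pos = tokens[pos + 1], pos + 2          # skip the literal 'of'
            hits = [results[n] for n in names if fnmatch.fnmatchcase(n, glob)]
            return any(hits) if tok == "1" else all(hits)
        return results[tok]

    val = term()                              # term ('and' term)*
    while pos < len(tokens) and tokens[pos] == "and":
        pos += 1
        rhs = term()                          # evaluated unconditionally so the parser advances
        val = val and rhs
    return val

# Two rules from this page, transcribed from their YAML.
RULES = {
    "79609c82-a488-426e-abcf-9f341a39365d": {"detection": {   # All Rules Have Been Deleted ...
        "selection": {"EventID": [2033, 2059]},
        "filter_main_svchost": {"ModifyingApplication|endswith": ":\\Windows\\System32\\svchost.exe"},
        "filter_optional_msmpeng": {"ModifyingApplication|contains|all": [
            ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\", "\\MsMpEng.exe"]},
        "condition": "selection and not 1 of filter_main_* and not 1 of filter_optional_*"}},
    "01aeb693-138d-49d2-9403-c4f52d7d3d62": {"detection": {   # RDP Connection Allowed Via Netsh.EXE
        "selection_img": [{"Image|endswith": "\\netsh.exe"}, {"OriginalFileName": "netsh.exe"}],
        "selection_cli": {"CommandLine|contains|all": ["firewall ", "add ", "tcp ", "3389"],
                          "CommandLine|contains": ["portopening", "allow"]},
        "condition": "all of selection_*"}},
}

# Constructed sample events, not real telemetry. Only events 1 and 2 should fire.
EVENTS = [
    {"EventID": 2033, "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe"},  # 0: filtered
    {"EventID": 2059, "ModifyingApplication": "C:\\Users\\Public\\wipe.exe"},         # 1: alert
    {"Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine":                      # 2: alert
     'netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389'},
    {"Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine":                      # 3: block rule, no 'allow'
     "netsh advfirewall firewall add rule name=rdp dir=in action=block protocol=TCP localport=3389"},
]

def run(rules, events):
    """Return (rule_id, event_index) for every rule/event pair that fires."""
    return [(rid, i) for rid, r in rules.items() for i, ev in enumerate(events) if evaluate(r, ev)]

if __name__ == "__main__":
    print(run(RULES, EVENTS))
```

Event 0 is suppressed by filter_main_svchost, which is why a policy refresh performed by the service host does not alert; event 3 targets port 3389 but with action=block, so neither "allow" nor "portopening" appears in the command line and the RDP rule stays quiet. The evaluator is a reading aid for the logic shown on this page; for production conversion to Splunk, Elastic or Sentinel queries use pySigma and its backends.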
high
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
status: test · author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community · id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
status: test
description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
references:
    - https://www.virusradar.com/en/Win32_Kasidet.AD/description
    - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2020-05-25
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        - CommandLine|contains|all:
              - 'firewall'
              - 'add'
              - 'allowedprogram'
        - CommandLine|contains|all:
              - 'advfirewall'
              - 'firewall'
              - 'add'
              - 'rule'
              - 'action=allow'
              - 'program='
    selection_paths:
        CommandLine|contains:
            - ':\$Recycle.bin\'
            - ':\RECYCLER.BIN\'
            - ':\RECYCLERS.BIN\'
            - ':\SystemVolumeInformation\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Desktop\'
            - ':\Users\Public\'
            - ':\Windows\addins\'
            - ':\Windows\cursors\'
            - ':\Windows\debug\'
            - ':\Windows\drivers\'
            - ':\Windows\fonts\'
            - ':\Windows\help\'
            - ':\Windows\system32\tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\Downloads\'
            - '\Local Settings\Temporary Internet Files\'
            - '\Temporary Internet Files\Content.Outlook\'
            - '%Public%\'
            - '%TEMP%'
            - '%TMP%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
medium
A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall
status: test · author: frack113 · id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
title: A Rule Has Been Deleted From The Windows Firewall Exception List
id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
status: test
description: Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2024-08-29
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2006 # A rule has been deleted in the Windows Defender Firewall exception list
            - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)
    filter_main_generic:
        ModifyingApplication|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\WinSxS\'
    filter_main_svchost:
        ModifyingApplication: 'C:\Windows\System32\svchost.exe'
    filter_optional_msmpeng:
        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ModifyingApplication|endswith: '\MsMpEng.exe'
    filter_main_null:
        ModifyingApplication: null
    filter_main_empty:
        ModifyingApplication: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: medium
medium
Disable Microsoft Defender Firewall via Registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
status: test · author: frack113 · id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
title: Disable Microsoft Defender Firewall via Registry
id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
status: test
description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
author: frack113
date: 2022-01-09
modified: 2024-03-25
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
        TargetObject|contains: '\Services\SharedAccess\Parameters\FirewallPolicy\'
        TargetObject|endswith: '\EnableFirewall'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Microsoft Defender Firewall via Registry
      technique: T1562.004
      atomic_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
medium
Disable Windows Firewall by Registry
Detects EnableFirewall being set to 0 in the Windows Firewall policy keys, which disables the Windows firewall
status: test · author: frack113 · id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
status: test
description: Detects EnableFirewall being set to 0 in the Windows Firewall policy keys, which disables the Windows firewall
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
            - \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Firewall Disabled via Netsh.EXE
Detects netsh commands that turn off the Windows firewall
status: test · author: Fatih Sirin · id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
title: Firewall Disabled via Netsh.EXE
id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
status: test
description: Detects netsh commands that turn off the Windows firewall
references:
    - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
    - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
author: Fatih Sirin
date: 2019-11-01
modified: 2023-02-13
tags:
    - attack.defense-evasion
    - attack.t1562.004
    - attack.s0108
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli_1:
        # Example: netsh firewall set opmode disable
        CommandLine|contains|all:
            - 'firewall'
            - 'set'
            - 'opmode'
            - 'disable'
    selection_cli_2:
        # Example: netsh advfirewall set currentprofile state off
        CommandLine|contains|all:
            - 'advfirewall'
            - 'set'
            - 'state'
            - 'off'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate administration activity
level: medium
medium
Firewall Rule Deleted Via Netsh.EXE
Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
status: test · author: frack113 · id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
title: Firewall Rule Deleted Via Netsh.EXE
id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
status: test
description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
references:
    - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
author: frack113
date: 2022-08-14
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'firewall'
            - 'delete '
    filter_optional_dropbox:
        ParentImage|endswith: '\Dropbox.exe'
        CommandLine|contains: 'name=Dropbox'
    filter_optional_avast:
        ParentImage|endswith: '\instup.exe'
        CommandLine|contains: 'advfirewall firewall delete rule name="Avast Antivirus Admin Client"'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations and removal
level: medium
medium
Netsh Allow Group Policy on Microsoft Defender Firewall
Adversaries may modify system firewalls in order to bypass controls limiting network usage
status: test · author: frack113 · id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
title: Netsh Allow Group Policy on Microsoft Defender Firewall
id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
status: test
description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
author: frack113
date: 2022-01-09
modified: 2023-02-14
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'advfirewall'
            - 'firewall'
            - 'set'
            - 'rule'
            - 'group='
            - 'new'
            - 'enable=Yes'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: medium
medium
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: eca81e8d-09e1-4d04-8614-c91f44fd0519
title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
id: eca81e8d-09e1-4d04-8614-c91f44fd0519
status: test
description: |
    Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
    This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-10
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
        Action: 3 # Allow
        ModifyingApplication|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
    condition: selection
falsepositives:
    - Administrator scripts or activity.
level: medium
medium
New Firewall Rule Added Via Netsh.EXE
Detects the addition of a new rule to the Windows firewall via netsh
status: test · author: Markus Neis, Sander Wiebing · id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
title: New Firewall Rule Added Via Netsh.EXE
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
status: test
description: Detects the addition of a new rule to the Windows firewall via netsh
references:
    - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
author: Markus Neis, Sander Wiebing
date: 2019-01-29
modified: 2023-02-10
tags:
    - attack.defense-evasion
    - attack.t1562.004
    - attack.s0246
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' firewall '
            - ' add '
    filter_optional_dropbox:
        CommandLine|contains:
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations
level: medium
medium
Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
status: test · author: frack113 · id: cde0a575-7d3d-4a49-9817-b8004a7bf105
title: Uncommon New Firewall Rule Added In Windows Firewall Exception List
id: cde0a575-7d3d-4a49-9817-b8004a7bf105
status: test
description: Detects when a rule has been added to the Windows Firewall exception list
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2025-10-08
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
    filter_main_block:
        Action: 2 # Block
    filter_main_generic:
        ApplicationPath|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_main_covered_paths:
        # This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
        ApplicationPath|contains:
            - 'C:\PerfLogs\'
            - 'C:\Temp\'
            - 'C:\Tmp\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Tasks\'
            - 'C:\Windows\Temp\'
            - '\AppData\Local\Temp\'
    filter_main_system_dllhost:
        ApplicationPath: 'System'
        ModifyingApplication: 'C:\Windows\System32\dllhost.exe'
    filter_main_tiworker:
        ModifyingApplication|startswith: 'C:\Windows\WinSxS\'
        ModifyingApplication|endswith: '\TiWorker.exe'
    filter_main_null:
        ApplicationPath: null
    filter_optional_no_path:
        # This filter filters a lot of FPs related to Windows Services
        ModifyingApplication:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\dllhost.exe'
        ApplicationPath: ''
    filter_optional_msmpeng:
        - ModifyingApplication|startswith:
              - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
              - 'C:\Program Files\Windows Defender\'
          ModifyingApplication|endswith: '\MsMpEng.exe'
        - ApplicationPath|startswith:
              - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
              - 'C:\Program Files\Windows Defender\'
          ApplicationPath|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: medium
medium
Windows Firewall Profile Disabled
Detects when a user disables the Windows Firewall via a Profile to help evade defense.
status: test · author: Austin Songer @austinsonger · id: 488b44e7-3781-4a71-888d-c95abfacf44d
title: Windows Firewall Profile Disabled
id: 488b44e7-3781-4a71-888d-c95abfacf44d
related:
    - id: 12f6b752-042d-483e-bf9c-915a6d06ad75
      type: similar
status: test
description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
references:
    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps
    - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
    - https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
    - http://woshub.com/manage-windows-firewall-powershell/
    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-30
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_args:
        ScriptBlockText|contains|all:
            - 'Set-NetFirewallProfile '
            - ' -Enabled '
            - ' False'
    selection_opt:
        ScriptBlockText|contains:
            - ' -All '
            - 'Public'
            - 'Domain'
            - 'Private'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
low
The Windows Defender Firewall Service Failed To Load Group Policy
Detects when the Windows Defender Firewall service failed to load Group Policy
status: test · author: frack113 · id: 7ec15688-fd24-4177-ba43-1a950537ee39
title: The Windows Defender Firewall Service Failed To Load Group Policy
id: 7ec15688-fd24-4177-ba43-1a950537ee39
status: test
description: Detects when the Windows Defender Firewall service failed to load Group Policy
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-01-17
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy
    condition: selection
level: low
low
Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration
status: test · author: frack113 · id: 04b60639-39c0-412a-9fbe-e82499c881a3
title: Windows Defender Firewall Has Been Reset To Its Default Configuration
id: 04b60639-39c0-412a-9fbe-e82499c881a3
status: test
description: Detects activity when Windows Defender Firewall has been reset to its default configuration
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2032 # Windows Defender Firewall has been reset to its default configuration
            - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)
    condition: selection
level: low
low
Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
title: Windows Firewall Settings Have Been Changed
id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
status: test
description: Detects activity when the settings of the Windows firewall have been changed
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2002 # A Windows Defender Firewall setting has changed.
            - 2083 # A Windows Defender Firewall setting has changed. (Windows 11)
            - 2003 # A Windows Firewall setting in the profile has changed
            - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)
            - 2008  # Windows Firewall Group Policy settings have changed. The new settings have been applied
            # - 2010  # Network profile changed on an interface.
    condition: selection
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin