Disable or Modify System Firewall: Windows Host Firewall T1686.003

Tactic: Defense Impairment

Adversaries may disable or modify the Windows host firewall to bypass controls that limit network usage. This can mean turning the host firewall off entirely, disabling individual profiles (domain, private, public), or adding, deleting and modifying firewall rules to allow or restrict traffic.

Events covered

20 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 13 | RegistryEvent (Value Set)
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Firewall-With-Advanced-Security | Event ID 2002 | A Windows Defender Firewall setting has changed.
Windows-Firewall-With-Advanced-Security | Event ID 2003 | A Windows Defender Firewall setting in the Profiles profile has changed.
Windows-Firewall-With-Advanced-Security | Event ID 2004 | A rule has been added to the Windows Defender Firewall exception list.
Windows-Firewall-With-Advanced-Security | Event ID 2005 | A rule has been modified in the Windows Defender Firewall exception list.
Windows-Firewall-With-Advanced-Security | Event ID 2006 | A rule has been deleted in the Windows Defender Firewall exception list.
Windows-Firewall-With-Advanced-Security | Event ID 2008 | Windows Defender Firewall Group Policy settings have changed.
Windows-Firewall-With-Advanced-Security | Event ID 2009 | The Windows Defender Firewall service failed to load Group Policy.
Windows-Firewall-With-Advanced-Security | Event ID 2032 | Windows Defender Firewall has been reset to its default configuration.
Windows-Firewall-With-Advanced-Security | Event ID 2033 | All rules have been deleted from the Windows Defender Firewall configuration on this computer.
Windows-Firewall-With-Advanced-Security | Event ID 2052 | A rule has been deleted in the Windows Defender Firewall exception list.
Windows-Firewall-With-Advanced-Security | Event ID 2059 | All rules have been deleted from the Windows Defender Firewall configuration on this computer.
Windows-Firewall-With-Advanced-Security | Event ID 2060 | Windows Defender Firewall has been reset to its default configuration.
Windows-Firewall-With-Advanced-Security | Event ID 2071 | A rule has been added to the Windows Defender Firewall exception list.
Windows-Firewall-With-Advanced-Security | Event ID 2073 | A rule has been modified in the Windows Defender Firewall exception list.
Windows-Firewall-With-Advanced-Security | Event ID 2082 | A Windows Defender Firewall setting in the Profiles profile has changed.
Windows-Firewall-With-Advanced-Security | Event ID 2083 | A Windows Defender Firewall setting has changed.
Windows-Firewall-With-Advanced-Security | Event ID 2097 | A rule has been added to the Windows Defender Firewall exception list.

Several titles appear twice under different IDs (2002/2083, 2003/2082, 2004/2071/2097, 2005/2073, 2006/2052, 2032/2060, 2033/2059). Newer Windows builds log the same change under the higher-numbered ID, so a rule keyed on only one ID of a pair is blind on the other build; that is why both members of each pair appear in the list above, and a new rule should select on both as well.

Authoring guide

Patterns shared across the 20 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (10 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors apply to each field (eq, contains, starts_with, ends_with, is_null, match) and how many rules use each one. Sample values are concrete examples to start from, not an exhaustive list; values with significant leading or trailing whitespace are quoted.

Field | Rules | How | Sample values
CommandLine | 7 | contains 7 | firewall, advfirewall, allow, '-action ', add
Image | 7 | ends_with 7 | \netsh.exe, \powershell.exe, \powershell_ise.exe, \pwsh.exe
OriginalFileName | 7 | eq 7 | netsh.exe, powershell.exe, pwsh.dll
ModifyingApplication | 4 | ends_with 4, eq 2, starts_with 2, contains 1, is_null 1 | C:\ProgramData\Microsoft\Windows Defender\Platform\, :\Windows\System32\svchost.exe, :\Windows\System32\wbem\WmiPrvSE.exe, :\programdata\microsoft\windows defender\platform\, C:\Program Files (x86)\
Action | 3 | eq 3 | 2, 3
ApplicationPath | 3 | contains 3, ends_with 2, eq 1, is_null 1, starts_with 1 | :\perflogs\, :\temp\, :\tmp\, :\users\, C:\Program Files (x86)\
Details | 2 | eq 2 | DWORD (0x00000000)
ScriptBlockText | 2 | contains 1, match 1 | ' -all ', ' -enabled ', false, new-netfirewallrule*-action*allow
TargetObject | 2 | ends_with 2, contains 1 | \enablefirewall, \services\sharedaccess\parameters\firewallpolicy\, \software\policies\microsoft\windowsfirewall\domainprofil..., \software\policies\microsoft\windowsfirewall\standardprof...
ParentImage | 1 | ends_with 1 | \dropbox.exe, \instup.exe

Top indicator values (119 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are noisy on their own; combine them with another condition to get useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
Image | ends_with | \netsh.exe | 6 | 28
OriginalFileName | eq | netsh.exe | 6 | 23
CommandLine | contains | firewall | 4 | 13
CommandLine | contains | advfirewall | 3 | 7
CommandLine | contains | allow | 2 | 6
CommandLine | contains | rule | 2 | 2
CommandLine | contains | set | 2 | 11
Action | eq | 2 | 2 |
Action | eq | 3 | 1 | 2
ApplicationPath | contains | \appdata\local\temp\ | 2 |
ApplicationPath | contains | :\perflogs\ | 1 |
ApplicationPath | contains | :\temp\ | 1 |
ApplicationPath | contains | :\tmp\ | 1 |
ApplicationPath | contains | :\users\ | 1 |
ApplicationPath | contains | :\users\public\ | 1 |
ApplicationPath | contains | :\windows\tasks\ | 1 |
ApplicationPath | contains | :\windows\temp\ | 1 |
ApplicationPath | contains | \appdata\local\bravesoftware\brave-browser\application\brave.exe | 1 |
ApplicationPath | contains | \appdata\local\programs\opera\ | 1 |
ApplicationPath | contains | \opera.exe | 1 |
ApplicationPath | contains | c:\perflogs\ | 1 |
ApplicationPath | contains | c:\temp\ | 1 |
ApplicationPath | contains | c:\tmp\ | 1 |
ApplicationPath | contains | c:\users\public\ | 1 |
ApplicationPath | contains | c:\windows\tasks\ | 1 |
Details | eq | DWORD (0x00000000) | 2 | 38
ModifyingApplication | ends_with | \MsMpEng.exe | 2 |
ModifyingApplication | eq | C:\Windows\System32\svchost.exe | 2 |
ModifyingApplication | starts_with | C:\ProgramData\Microsoft\Windows Defender\Platform\ | 2 |
ModifyingApplication | starts_with | C:\Windows\WinSxS\ | 2 |

Exclusions (42 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
Action | eq | 2 | 2
ModifyingApplication | ends_with | \MsMpEng.exe | 2
ModifyingApplication | eq | C:\Windows\System32\svchost.exe | 2
ModifyingApplication | starts_with | C:\ProgramData\Microsoft\Windows Defender\Platform\ | 2
ModifyingApplication | starts_with | C:\Windows\WinSxS\ | 2
ApplicationPath | contains | :\users\ | 1
ApplicationPath | contains | \appdata\local\bravesoftware\brave-browser\application\brave.exe | 1
ApplicationPath | contains | \appdata\local\programs\opera\ | 1
ApplicationPath | contains | \appdata\local\temp\ | 1
ApplicationPath | contains | \opera.exe | 1
ApplicationPath | contains | c:\perflogs\ | 1
ApplicationPath | contains | c:\temp\ | 1
ApplicationPath | contains | c:\tmp\ | 1
ApplicationPath | contains | c:\users\public\ | 1
ApplicationPath | contains | c:\windows\tasks\ | 1
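The field predicates, the corpus-reach caveat and the exclusion list above can be replayed end to end over a handful of events. What follows is an added example written for this page, not code from the catalog or from the Sigma project: the rule definitions paraphrase the (field, operator, value) rows and exclusions listed here (the rule names are invented), operator semantics follow Sigma's case-insensitive matching, and the ten events are constructed by hand in the catalog's normalised field names, carrying the netsh, PowerShell cmdlet and EnableFirewall registry variants from the technique description. It makes the Top indicator values point concrete: the netsh.exe indicator alone also matches `netsh interface show interface`, and only the firewall token plus a verb separates that from `netsh advfirewall set allprofiles state off`.

```python
"""Replay this page's field predicates over constructed sample events.

Added example, not code from the catalog or the Sigma project: the rules paraphrase
the predicates and exclusions listed on this page, the events are hand-built dicts
in the catalog's normalised field names, and the rule names are invented here.
"""
from fnmatch import fnmatchcase

# The "How" column. Strings compare case-insensitively, as Sigma does.
_OPS = {
    "eq": lambda a, e: a == e,
    "contains": lambda a, e: e in a,
    "starts_with": lambda a, e: a.startswith(e),
    "ends_with": lambda a, e: a.endswith(e),
    "match": fnmatchcase,  # glob over the whole lower-cased string
}

def _op(op, actual, expected):
    return actual is not None and _OPS[op](str(actual).lower(), str(expected).lower())

def _pred(pred, event):
    """(field, op, values): holds when any listed value matches the event field."""
    field, op, values = pred
    return any(_op(op, event.get(field), v) for v in values)

def rule_fires(rule, event):
    """Every select clause must hold (a clause lists alternatives, one suffices); no exclusion may."""
    selected = all(any(_pred(p, event) for p in alts) for alts in rule["select"])
    return selected and not any(_pred(p, event) for p in rule.get("exclude", []))

NETSH = [("Image", "ends_with", ["\\netsh.exe"]), ("OriginalFileName", "eq", ["netsh.exe"])]
WRITABLE_DIRS = [":\\perflogs\\", ":\\temp\\", ":\\tmp\\", ":\\users\\public\\",
                 ":\\windows\\tasks\\", ":\\windows\\temp\\", "\\appdata\\local\\temp\\"]

RULES = [
    # netsh.exe alone reaches 28 corpus rules; the firewall token plus a verb gives it signal.
    {"name": "netsh_firewall_change",
     "select": [NETSH, [("CommandLine", "contains", ["firewall"])],
                [("CommandLine", "contains", ["set", "add"])]]},
    # Set-NetFirewallProfile -All -Enabled False: every token must be present.
    {"name": "ps_profile_disabled",
     "select": [[("EventID", "eq", [4104])]]
               + [[("ScriptBlockText", "contains", [t])] for t in (" -all ", " -enabled ", "false")]},
    # The glob from the ScriptBlockText row, with * added at both ends.
    {"name": "ps_allow_rule_added",
     "select": [[("EventID", "eq", [4104])],
                [("ScriptBlockText", "match", ["*new-netfirewallrule*-action*allow*"])]]},
    # Sysmon 13: EnableFirewall written as 0 under a FirewallPolicy profile key.
    {"name": "reg_enablefirewall_off",
     "select": [[("EventID", "eq", [13])],
                [("TargetObject", "contains", ["\\services\\sharedaccess\\parameters\\firewallpolicy\\"])],
                [("TargetObject", "ends_with", ["\\enablefirewall"])],
                [("Details", "eq", ["DWORD (0x00000000)"])]]},
    # Firewall 2004/2071/2097: rule for a program in a user-writable path, minus the page's
    # exclusions. Action 2 is FW_RULE_ACTION_BLOCK in MS-FASP; allow rules carry 3.
    {"name": "fw_rule_added_suspicious_path",
     "select": [[("EventID", "eq", [2004, 2071, 2097])], [("ApplicationPath", "contains", WRITABLE_DIRS)]],
     "exclude": [("Action", "eq", [2]),
                 ("ModifyingApplication", "ends_with", ["\\MsMpEng.exe"]),
                 ("ModifyingApplication", "eq", ["C:\\Windows\\System32\\svchost.exe"]),
                 ("ModifyingApplication", "starts_with",
                  ["C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\", "C:\\Windows\\WinSxS\\"])]},
]

# Constructed sample events (not captured from a real host); "_id" is only a label.
NETSH_EXE = "C:\\Windows\\System32\\netsh.exe"
ENABLE_FW = ("HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\"
             "FirewallPolicy\\StandardProfile\\EnableFirewall")
EVENTS = [
    {"_id": "netsh-off", "EventID": 1, "Image": NETSH_EXE, "OriginalFileName": "netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"_id": "netsh-benign", "EventID": 1, "Image": NETSH_EXE, "OriginalFileName": "netsh.exe",
     "CommandLine": "netsh interface show interface"},
    {"_id": "netsh-allow", "EventID": 1, "Image": NETSH_EXE, "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow '
                    'program="C:\\Users\\Public\\svc.exe"'},
    {"_id": "ps-profile-off", "EventID": 4104, "ScriptBlockText": "Set-NetFirewallProfile -All -Enabled False"},
    {"_id": "ps-allow-rule", "EventID": 4104, "ScriptBlockText": "New-NetFirewallRule -DisplayName 'svc' "
     "-Direction Inbound -Action Allow -Program 'C:\\Users\\Public\\svc.exe'"},
    {"_id": "reg-off", "EventID": 13, "TargetObject": ENABLE_FW, "Details": "DWORD (0x00000000)"},
    {"_id": "reg-on", "EventID": 13, "TargetObject": ENABLE_FW, "Details": "DWORD (0x00000001)"},
    {"_id": "fw-public", "EventID": 2004, "Action": 3, "ModifyingApplication": NETSH_EXE,
     "ApplicationPath": "C:\\Users\\Public\\svc.exe"},
    {"_id": "fw-defender", "EventID": 2004, "Action": 3, "ApplicationPath": "C:\\Users\\Public\\svc.exe",
     "ModifyingApplication": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\x.y.z\\MsMpEng.exe"},
    {"_id": "fw-block", "EventID": 2004, "Action": 2, "ModifyingApplication": NETSH_EXE,
     "ApplicationPath": "C:\\Windows\\Temp\\svc.exe"},
]

def evaluate(events=EVENTS, rules=RULES):
    """Map each event label to the sorted names of the rules that fire on it."""
    return {e["_id"]: sorted(r["name"] for r in rules if rule_fires(r, e)) for e in events}

if __name__ == "__main__":
    for label, hits in evaluate().items():
        print(f"{label:15} -> {', '.join(hits) or 'no match'}")
```

Run as a script it prints one line per event. The Defender-originated 2004 event and the Action 2 block rule drop out through the exclusion list, which is exactly what the two-rule exclusion entries above encode; the benign netsh invocation and the EnableFirewall write of 1 never select in the first place. The comment that treats Action 2 as a block rule and 3 as an allow rule follows the FW_RULE_ACTION values in the MS-FASP specification rather than anything stated on this page; verify it against a 2004 event from your own hosts before relying on it.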

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.


Sigma: 20 rules