detection.wiki

Detection rules › Sigma

A Rule Has Been Deleted From The Windows Firewall Exception List

Status
test
Severity
medium
Log source
product windows, service firewall-as
Author
frack113
Source
github.com/SigmaHQ/sigma

Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall

MITRE ATT&CK coverage

TacticTechniques
Defense ImpairmentT1686.003 Disable or Modify System Firewall: Windows Host Firewall

Event coverage

ProviderEvent
Windows-Firewall-With-Advanced-SecurityEvent ID 2006
Windows-Firewall-With-Advanced-SecurityEvent ID 2052

Rule body yaml

title: A Rule Has Been Deleted From The Windows Firewall Exception List
id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
status: test
description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2024-08-29
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2006 # A rule has been deleted in the Windows Defender Firewall exception list
            - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)
    filter_main_generic:
        ModifyingApplication|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\WinSxS\'
    filter_main_svchost:
        ModifyingApplication: 'C:\Windows\System32\svchost.exe'
    filter_optional_msmpeng:
        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ModifyingApplication|endswith: '\MsMpEng.exe'
    filter_main_null:
        ModifyingApplication: null
    filter_main_empty:
        ModifyingApplication: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: medium

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_* and not 1 of filter_optional_*

Stage 1: selection

selection:
    EventID:
        - 2006
        - 2052

Stage 2: not filter_main_*

filter_main_generic:
    ModifyingApplication|startswith:
        - 'C:\Program Files (x86)\'
        - 'C:\Program Files\'
        - 'C:\Windows\WinSxS\'
filter_main_svchost:
    ModifyingApplication: 'C:\Windows\System32\svchost.exe'
filter_main_null:
    ModifyingApplication: null
filter_main_empty:
    ModifyingApplication: ''

Stage 3: not filter_optional_msmpeng

filter_optional_msmpeng:
    ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
    ModifyingApplication|endswith: '\MsMpEng.exe'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
ModifyingApplicationeqC:\Windows\System32\svchost.exe
ModifyingApplicationis_null(no value, null check)
ModifyingApplicationstarts_withC:\Program Files (x86)\
ModifyingApplicationstarts_withC:\Program Files\
ModifyingApplicationstarts_withC:\Windows\WinSxS\
ModifyingApplicationends_with\MsMpEng.exe
ModifyingApplicationstarts_withC:\ProgramData\Microsoft\Windows Defender\Platform\