Detection | low | test
Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed
François Hubaut, Nasreddine Bencherchali (Nextron Systems)
Created Sat Feb 19
Updated Fri Apr 21
00bb5bd5-1379-4fcf-a965-a5b6f7478064
windows
Log Source
Windows / firewall-as
Product: Windows (raw: windows)
Service: firewall-as (raw: firewall-as)
Detection Logic (1 selector)
detection:
    selection:
        EventID:
            - 2002 # A Windows Defender Firewall setting has changed.
            - 2083 # A Windows Defender Firewall setting has changed. (Windows 11)
            - 2003 # A Windows Firewall setting in the profile has changed
            - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)
            - 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied
            # - 2010 # Network profile changed on an interface.
    condition: selection
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
00bb5bd5-1379-4fcf-a965-a5b6f7478064
Status
test
Level
low
Type
Detection
Created
Sat Feb 19
Modified
Fri Apr 21
Path
rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
Raw Tags
attack.defense-evasion
attack.t1562.004