Detection | low | test
Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration
Log Source
Product: Windows (raw: windows)
Service: firewall-as (raw: firewall-as)
Detection Logic (1 selector)
detection:
    selection:
        EventID:
            - 2032 # Windows Defender Firewall has been reset to its default configuration
            - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)
    condition: selection
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
04b60639-39c0-412a-9fbe-e82499c881a3
Status
test
Level
low
Type
Detection
Created
Sat Feb 19
Modified
Fri Apr 21
Author
Path
rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml
Raw Tags
attack.defense-evasion
attack.t1562.004