Detection | medium | test
A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rule or all rules have been deleted from the Windows Defender Firewall exception list
Log Source
windows / firewall-as
Product: Windows (raw: windows)
Service: firewall-as (raw: firewall-as)
Detection Logic
6 selectors
detection:
    selection:
        EventID:
            - 2006 # A rule has been deleted in the Windows Defender Firewall exception list
            - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)
    filter_main_generic:
        ModifyingApplication|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\WinSxS\'
    filter_main_svchost:
        ModifyingApplication: 'C:\Windows\System32\svchost.exe'
    filter_optional_msmpeng:
        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ModifyingApplication|endswith: '\MsMpEng.exe'
    filter_main_null:
        ModifyingApplication: null
    filter_main_empty:
        ModifyingApplication: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
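As an added example (not part of the Sigma rule or the SigmaHQ project), the condition above evaluated in plain Python over a handful of constructed firewall events, so the effect of each filter_main_* and filter_optional_* block on a given ModifyingApplication value can be seen directly. The field names and paths come from the rule; the sample events and the apply_optional_filters switch are constructed for illustration, and Sigma's default case-insensitive string matching is assumed.

```python
SELECTION_EVENT_IDS = {2006, 2052}  # deletion events named in the rule (Win10 / Win11)
GENERIC_PREFIXES = (
    "C:\\Program Files (x86)\\",
    "C:\\Program Files\\",
    "C:\\Windows\\WinSxS\\",
)
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
MSMPENG_PREFIX = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"
MSMPENG_SUFFIX = "\\MsMpEng.exe"

def rule_matches(event, apply_optional_filters=True):
    """True when the event alerts under
    'selection and not 1 of filter_main_* and not 1 of filter_optional_*'.
    Sigma string matching is case-insensitive, so paths are compared lowercased."""
    if event.get("EventID") not in SELECTION_EVENT_IDS:
        return False  # selection not met
    app = event.get("ModifyingApplication")
    if app is None or app == "":
        return False  # filter_main_null / filter_main_empty
    app_l = app.lower()
    if any(app_l.startswith(p.lower()) for p in GENERIC_PREFIXES):
        return False  # filter_main_generic
    if app_l == SVCHOST.lower():
        return False  # filter_main_svchost
    if (apply_optional_filters and app_l.startswith(MSMPENG_PREFIX.lower())
            and app_l.endswith(MSMPENG_SUFFIX.lower())):
        return False  # filter_optional_msmpeng
    return True

def alerting_apps(events, apply_optional_filters=True):
    """ModifyingApplication values of the events that would raise an alert."""
    return [e["ModifyingApplication"] for e in events
            if rule_matches(e, apply_optional_filters)]

# Constructed sample events for illustration; the paths are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 2006, "ModifyingApplication": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe"},
    {"EventID": 2052, "ModifyingApplication": "C:\\Program Files\\Vendor\\setup.exe"},
    {"EventID": 2006, "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 2006, "ModifyingApplication":
     "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe"},
    {"EventID": 2006, "ModifyingApplication": None},  # field absent: filter_main_null
    {"EventID": 2004, "ModifyingApplication": "C:\\Users\\alice\\tool.exe"},  # not a deletion ID
    {"EventID": 2006, "ModifyingApplication": "c:\\windows\\system32\\netsh.exe"},
]

if __name__ == "__main__":
    for app in alerting_apps(SAMPLE_EVENTS):
        print("ALERT:", app)
```

Only the Temp-directory binary and the lowercase netsh.exe path survive the filters; dropping the optional MsMpEng filter (apply_optional_filters=False) additionally surfaces the Defender platform path, which is the trade-off the rule's filter_optional_ prefix encodes.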
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1562.004 Impair Defenses: Disable or Modify System Firewall (attack.t1562.004)
Rule Metadata
Rule ID
c187c075-bb3e-4c62-b4fa-beae0ffc211f
Status
test
Level
medium
Type
Detection
Created
Sat Feb 19
Modified
Thu Aug 29
Author
Path
rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml
Raw Tags
attack.defense-evasion, attack.t1562.004