EXPLORE
Sign In
← Back to Explore
T1686.003

Windows Host Firewall

Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (domain, private, public), or adding, deleting, and modifying firewall rules to allow or restrict traffic.(Citation: Nearest Neighbor Volexity) Adversaries may perform these modifications through multiple mechanisms depending on the Windows operating system and access level. For example, adversaries ma...

Windows
20
Detections
1
Sources
6
Threat Actors

BY SOURCE

20sigma

PROCEDURES (11)

General Monitoring7 detections

Auto-extracted: 7 detections for general monitoring

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Registry Monitoring1 detections

Auto-extracted: 1 detections for registry monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Powershell1 detections

Auto-extracted: 1 detections for powershell

Powershell1 detections

Auto-extracted: 1 detections for powershell

Powershell1 detections

Auto-extracted: 1 detections for powershell

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

THREAT ACTORS (6)

Lazarus GroupMagic HoundMirrorFaceMoses StaffOilRigVOID MANTICORE

DETECTIONS (20)

A Rule Has Been Deleted From The Windows Firewall Exception List
sigmamedium
All Rules Have Been Deleted From The Windows Firewall Configuration
sigmahigh
Disable Microsoft Defender Firewall via Registry
sigmamedium
Disable Windows Firewall by Registry
sigmamedium
Firewall Disabled via Netsh.EXE
sigmamedium
Firewall Rule Deleted Via Netsh.EXE
sigmamedium
Firewall Rule Modified In The Windows Firewall Exception List
sigmalow
Netsh Allow Group Policy on Microsoft Defender Firewall
sigmamedium
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
sigmahigh
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
sigmamedium
New Firewall Rule Added Via Netsh.EXE
sigmamedium
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
sigmalow
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
sigmalow
RDP Connection Allowed Via Netsh.EXE
sigmahigh
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
sigmahigh
The Windows Defender Firewall Service Failed To Load Group Policy
sigmalow
Uncommon New Firewall Rule Added In Windows Firewall Exception List
sigmamedium
Windows Defender Firewall Has Been Reset To Its Default Configuration
sigmalow
Windows Firewall Profile Disabled
sigmamedium
Windows Firewall Settings Have Been Changed
sigmalow