
Summary
This detection rule monitors for a user disabling the Windows Firewall through PowerShell, specifically the `Set-NetFirewallProfile` cmdlet. Disabling the firewall is a defense evasion tactic employed by attackers to make systems more vulnerable to exploits and unauthorized access. The rule looks for PowerShell script block logs containing command patterns that set a firewall profile (Public, Private, or Domain) to disabled (`enabled = false`). Detection depends on Script Block Logging being enabled on the Windows host; without it no script block events are recorded. The rule helps security operations teams identify and respond to unauthorized changes to firewall settings in real time, improving the overall security posture against potential attacks.
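The matching logic the summary describes, as an added illustration that is not the rule's own query language or code: a small Python checker run over constructed Script Block Logging records. It assumes events in the shape of Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log with a `ScriptBlockText` field (the field and sample values here are constructed), and it tolerates the spellings of "disabled" that the cmdlet accepts (`-Enabled False`, `-Enabled:$false`, `-Enabled 0`) and case differences in the cmdlet name.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events in the shape of PowerShell Script Block Logging
# records (Event ID 4104). Values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "UserID": "S-1-5-21-0-0-0-1001",
     "ScriptBlockText": "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"},
    {"EventID": 4104, "Computer": "WS02", "UserID": "S-1-5-21-0-0-0-1002",
     "ScriptBlockText": "set-netfirewallprofile -Name Public -Enabled:$false"},
    # Re-enabling a profile: must not alert.
    {"EventID": 4104, "Computer": "WS03", "UserID": "S-1-5-21-0-0-0-1003",
     "ScriptBlockText": "Set-NetFirewallProfile -Profile Domain -Enabled True"},
    # Read-only query: must not alert.
    {"EventID": 4104, "Computer": "WS04", "UserID": "S-1-5-21-0-0-0-1004",
     "ScriptBlockText": "Get-NetFirewallProfile | Select-Object Name, Enabled"},
    # Same text but not a script block event: the rule only reads 4104.
    {"EventID": 4103, "Computer": "WS05", "UserID": "S-1-5-21-0-0-0-1005",
     "ScriptBlockText": "Set-NetFirewallProfile -Enabled False"},
    # -All switch with the numeric false form.
    {"EventID": 4104, "Computer": "WS06", "UserID": "S-1-5-21-0-0-0-1006",
     "ScriptBlockText": "Set-NetFirewallProfile -All -Enabled 0"},
]

# Cmdlet name, case-insensitive (PowerShell itself is case-insensitive).
CMDLET = re.compile(r"\bSet-NetFirewallProfile\b", re.IGNORECASE)
# The "disabled" argument in its accepted forms: "-Enabled False",
# "-Enabled:$false", "-Enabled 0".
DISABLED = re.compile(r"-Enabled(?:\s*:\s*|\s+)(?:\$?false|0)\b", re.IGNORECASE)
# Profile list given via -Profile or -Name, e.g. "Domain,Public,Private".
PROFILES = re.compile(r"-(?:Profile|Name)\s+([A-Za-z,]+)", re.IGNORECASE)
ALL_FLAG = re.compile(r"-All\b", re.IGNORECASE)


@dataclass
class Alert:
    computer: str
    user: str
    profiles: tuple
    script: str


def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert when a 4104 event disables one or more firewall profiles."""
    if event.get("EventID") != 4104:
        return None
    text = event.get("ScriptBlockText", "")
    if not (CMDLET.search(text) and DISABLED.search(text)):
        return None
    m = PROFILES.search(text)
    if m:
        profiles = tuple(p.strip().capitalize() for p in m.group(1).split(",") if p.strip())
    elif ALL_FLAG.search(text):
        profiles = ("Domain", "Private", "Public")
    else:
        # No profile named; still worth alerting, but record that it was unspecified.
        profiles = ("Unspecified",)
    return Alert(event.get("Computer", "?"), event.get("UserID", "?"), profiles, text)


def scan(events) -> list:
    """Apply check_event to every record and keep the alerts."""
    return [a for a in (check_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.computer} {alert.user} disabled {', '.join(alert.profiles)}: {alert.script}")
```

Two points the sample set is built to show: a pattern anchored on the literal string `-Enabled False` would miss the `-Enabled:$false` and `-Enabled 0` records, and the event that carries the right text under a different event ID is not a script block event, which is why the rule needs Script Block Logging rather than module or pipeline logging.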
Categories
- Endpoint
- Windows
Data Sources
- Script
- Firewall
Created: 2021-10-12