
Summary
This detection rule identifies attempts to disable the Windows Firewall through PowerShell commands. Detection works by monitoring the creation of PowerShell processes ('powershell.exe', 'pwsh.exe' and 'powershell_ise.exe') and inspecting their command-line arguments. The rule looks for command lines that contain 'Set-NetFirewallProfile' together with the parameter '-Enabled False', which turns the firewall off. The command line may also carry '-All' or the profile names 'Public', 'Domain' and 'Private', which together cover all of the firewall profiles. A match indicates a potential threat event: malicious activity or an unauthorized change to the system's security settings. False positives can arise from legitimate administrative actions, so a match should be reviewed carefully before it is treated as a true incident. The rule is non-intrusive and adds detection capability without imposing significant overhead on system performance. Overall, it addresses a common defense-evasion technique that attackers use to facilitate further malicious actions on a compromised host.
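The following is an added example, not part of the rule itself, showing the detection logic above applied to constructed process-creation events. It checks the image name against the three PowerShell executables, requires both 'Set-NetFirewallProfile' and '-Enabled False' on the command line, and extracts which profiles the command touches so an analyst can see the scope at a glance. The event field names (Image, ParentImage, CommandLine), the sample paths and the optional trusted-parent allowlist used for false-positive triage are assumptions for this example, not a vendor log schema.

```python
"""Added example: scan constructed process-creation events for the PowerShell
firewall-disable pattern described in the rule summary. Event field names
and sample values are assumptions made for this illustration."""
import re
from typing import Dict, FrozenSet, Iterable, List

# Executables named in the rule; compared case-insensitively on the file name only.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Both conditions must hold on the command line. Whitespace between
# "-Enabled" and "False" may vary, so a regex is used instead of a substring.
CMDLET_RE = re.compile(r"set-netfirewallprofile", re.IGNORECASE)
DISABLED_RE = re.compile(r"-enabled\s+false\b", re.IGNORECASE)

# Profile selectors mentioned in the rule: "-All" or "-Profile Domain,Public,Private".
ALL_RE = re.compile(r"(?<!\S)-all\b", re.IGNORECASE)
PROFILE_RE = re.compile(r"-profile\s+([a-z,]+)", re.IGNORECASE)


def image_name(image_path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_firewall_disable(image_path: str, command_line: str) -> bool:
    """True when a PowerShell host runs Set-NetFirewallProfile with -Enabled False."""
    if image_name(image_path) not in POWERSHELL_IMAGES:
        return False
    return bool(CMDLET_RE.search(command_line) and DISABLED_RE.search(command_line))


def affected_profiles(command_line: str) -> List[str]:
    """List the firewall profiles the command targets, for analyst context."""
    if ALL_RE.search(command_line):
        return ["Domain", "Private", "Public"]
    match = PROFILE_RE.search(command_line)
    if not match:
        return []
    return [p.strip().capitalize() for p in match.group(1).split(",") if p.strip()]


def scan(events: Iterable[Dict], trusted_parents: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return one hit per matching event.

    trusted_parents is an assumed triage aid: parent executables (e.g. a
    configuration-management agent) whose children are flagged for review
    rather than suppressed, since the rule notes that admin activity causes
    false positives but should still be examined."""
    hits = []
    for ev in events:
        if not is_firewall_disable(ev["Image"], ev["CommandLine"]):
            continue
        hits.append({
            "id": ev["id"],
            "profiles": affected_profiles(ev["CommandLine"]),
            "trusted_parent": image_name(ev["ParentImage"]) in trusted_parents,
        })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"'},
    {"id": 2,
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Program Files\ConfigAgent\agent.exe",
     "CommandLine": 'pwsh.exe -NoProfile -c "Set-NetFirewallProfile -All -Enabled False"'},
    {"id": 3,  # read-only query: no match
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -Command "Get-NetFirewallProfile"'},
    {"id": 4,  # re-enabling the firewall: no match, -Enabled True
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'pwsh.exe -c "Set-NetFirewallProfile -Profile Public -Enabled True"'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, trusted_parents=frozenset({"agent.exe"})):
        print(hit)
```

Only events 1 and 2 match; event 2 is additionally marked as having a trusted parent so an analyst can prioritise event 1, which was launched from an interactive shell, while still reviewing event 2 rather than discarding it.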
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-09-14