title: Firewall Disabled via Netsh
author: Fatih Sirin
date: 2019/11/01
description: Detects netsh commands that turns off the Windows firewall
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        CommandLine: netsh firewall set opmode mode=disable
    SELECTION_3:
        CommandLine: netsh advfirewall set * state off
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Legitimate administration
id: 57c4bf16-227f-4394-8ec7-1b745ee061c3
level: medium
logsource:
    category: process_creation
    product: windows
modified: 2020/08/30
references:
- https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
- https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.004
- attack.s0108
yml_filename: win_susp_firewall_disable.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation