title: Windows Firewall Profile Disabled
author: Austin Songer @austinsonger
date: 2021/10/12
description: Detects when a user disables the Windows Firewall via a Profile to help
    evade defense.
detection:
    SELECTION_1:
        ScriptBlockText: '*Set-NetFirewallProfile*'
    SELECTION_2:
        ScriptBlockText: '*-Profile*'
    SELECTION_3:
        ScriptBlockText: '*-Enabled*'
    SELECTION_4:
        ScriptBlockText: '*False*'
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 488b44e7-3781-4a71-888d-c95abfacf44d
level: high
logsource:
    category: ps_script
    product: windows
modified: 2021/10/16
references:
- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
- http://woshub.com/manage-windows-firewall-powershell/
status: experimental
tags:
- attack.defense_evasion
yml_filename: powershell_windows_firewall_profile_disabled.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script