Query Details
# Defender for Endpoint - Windows Firewall configuration

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1562.004 | Impair Defenses: Disable or Modify System Firewall | https://attack.mitre.org/techniques/T1562/004/ |

### Description

Use the queries below to identify events where the Windows Defender Firewall is disabled or its configuration is modified.

#### References

- [Impair Defenses: Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004/)
- [Atomic Red Team - Impair Defenses: Disable or Modify System Firewall](https://atomicredteam.io/defense-evasion/T1562.004/)

### Microsoft 365 Defender

Use of netsh to disable firewall profiles

```kql
// Matches netsh advfirewall invocations that turn a profile off,
// e.g. "netsh advfirewall set allprofiles state off"
let fwoffregex = '.*advfirewall.*state off.*';
DeviceProcessEvents
// =~ is case-insensitive; == would miss NETSH.EXE
| where FileName =~ 'netsh.exe'
| where tolower(ProcessCommandLine) matches regex fwoffregex
| project TimeGenerated, DeviceName, ProcessCommandLine
```

Use of PowerShell to configure Windows Firewall, e.g. `Set-NetFirewallProfile -Profile Domain -Enabled False`

```kql
DeviceEvents
| where ActionType == "PowerShellCommand"
// AdditionalFields is a JSON string, so it must be parsed before the
// Command property can be read
| extend Command = tostring(parse_json(AdditionalFields).Command)
| where Command =~ "Set-NetFirewallProfile"
| project TimeGenerated, DeviceName, Command, InitiatingProcessCommandLine
```

Use of netsh to configure firewall rules

```kql
// Matches netsh advfirewall rule management, e.g.
// "netsh advfirewall firewall add rule name=... dir=in action=allow ..."
let fwruleregex = '.*advfirewall.*rule.*';
DeviceProcessEvents
| where FileName =~ 'netsh.exe'
| where tolower(ProcessCommandLine) matches regex fwruleregex
| project TimeGenerated, DeviceName, ProcessCommandLine
```
These queries identify events related to disabling or modifying the Windows Defender Firewall. They look for instances where the netsh.exe process is used to disable firewall profiles or to configure firewall rules, as well as PowerShell commands (Set-NetFirewallProfile) that configure the Windows Firewall. Their purpose is to detect attempts to impair the defenses provided by the Windows Firewall, mapped to MITRE ATT&CK technique T1562.004.
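To show what the three queries above actually match (and do not match) without a tenant to run them against, the following is an added Python example, not code from the page or from the author's query repository. It applies the same logic to constructed sample rows that mirror the DeviceProcessEvents and DeviceEvents columns the queries use: case-insensitive file-name comparison, the two lower-cased regexes, and parsing the JSON AdditionalFields string of PowerShellCommand events before reading its Command property. All device names, timestamps and command lines are constructed.

```python
import json
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry).
PROCESS_EVENTS = [
    {"TimeGenerated": "2023-11-02T10:00:00Z", "DeviceName": "ws01",
     "FileName": "netsh.exe",
     "ProcessCommandLine": "netsh advfirewall set allprofiles state off"},
    # Upper-case image name: a case-sensitive == on FileName would miss this row.
    {"TimeGenerated": "2023-11-02T10:01:00Z", "DeviceName": "ws01",
     "FileName": "NETSH.EXE",
     "ProcessCommandLine": 'netsh advfirewall firewall add rule name="svc" '
                           'dir=in action=allow program="C:\\tmp\\svc.exe"'},
    # Read-only query: neither regex matches, so no alert.
    {"TimeGenerated": "2023-11-02T10:02:00Z", "DeviceName": "ws02",
     "FileName": "netsh.exe",
     "ProcessCommandLine": "netsh advfirewall show allprofiles"},
    # The cmd.exe row itself is not matched (FileName filter); the netsh.exe
    # child it spawns shows up as its own DeviceProcessEvents row.
    {"TimeGenerated": "2023-11-02T10:03:00Z", "DeviceName": "ws02",
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c netsh advfirewall set allprofiles state off"},
]

# Constructed sample DeviceEvents rows; AdditionalFields is a JSON *string*,
# which is why the KQL needs parse_json() before reading .Command.
DEVICE_EVENTS = [
    {"TimeGenerated": "2023-11-02T11:00:00Z", "DeviceName": "ws03",
     "ActionType": "PowerShellCommand",
     "AdditionalFields": json.dumps({"Command": "Set-NetFirewallProfile"})},
    {"TimeGenerated": "2023-11-02T11:01:00Z", "DeviceName": "ws04",
     "ActionType": "PowerShellCommand",
     "AdditionalFields": json.dumps({"Command": "Get-NetFirewallProfile"})},
    # Malformed payload: skipped rather than crashing the detection.
    {"TimeGenerated": "2023-11-02T11:02:00Z", "DeviceName": "ws05",
     "ActionType": "PowerShellCommand",
     "AdditionalFields": "not json"},
    # Different ActionType: filtered out before AdditionalFields is inspected.
    {"TimeGenerated": "2023-11-02T11:03:00Z", "DeviceName": "ws05",
     "ActionType": "ProcessCreated",
     "AdditionalFields": json.dumps({"Command": "Set-NetFirewallProfile"})},
]

# Same patterns as the page's two netsh queries, applied to lower-cased input.
FW_OFF_RE = re.compile(r".*advfirewall.*state off.*")
FW_RULE_RE = re.compile(r".*advfirewall.*rule.*")


def netsh_matches(events, pattern):
    """Rows where FileName is netsh.exe (case-insensitive) and the lower-cased
    command line matches `pattern`, i.e. the netsh queries' where clauses."""
    return [
        e for e in events
        if e["FileName"].lower() == "netsh.exe"
        and pattern.match(e["ProcessCommandLine"].lower())
    ]


def powershell_firewall_commands(events, cmdlet="Set-NetFirewallProfile"):
    """PowerShellCommand rows whose parsed AdditionalFields.Command equals
    `cmdlet` (case-insensitive); malformed JSON is ignored."""
    hits = []
    for e in events:
        if e.get("ActionType") != "PowerShellCommand":
            continue
        try:
            fields = json.loads(e.get("AdditionalFields") or "{}")
        except json.JSONDecodeError:
            continue
        if str(fields.get("Command", "")).lower() == cmdlet.lower():
            hits.append(e)
    return hits


if __name__ == "__main__":
    for label, rows in (("profile off", netsh_matches(PROCESS_EVENTS, FW_OFF_RE)),
                        ("rule change", netsh_matches(PROCESS_EVENTS, FW_RULE_RE)),
                        ("powershell", powershell_firewall_commands(DEVICE_EVENTS))):
        for r in rows:
            print(label, r["TimeGenerated"], r["DeviceName"],
                  r.get("ProcessCommandLine") or r["AdditionalFields"])
```

Running the block prints one hit per detector: the profile-off command, the rule addition (despite the upper-case image name), and the Set-NetFirewallProfile invocation on ws03. The `show allprofiles` row and the Get-NetFirewallProfile row are correctly left alone, which is the behaviour to preserve when tuning the regexes further.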

Alex Verboon
Released: November 2, 2023