Defender for Endpoint - Windows Firewall configuration
MDE Firewall Configuration
Query
let fwoffregex = '.*advfirewall.*state off.*';
DeviceProcessEvents
| where FileName == 'netsh.exe'
| where tolower(ProcessCommandLine) matches regex fwoffregex
| project TimeGenerated, DeviceName,ProcessCommandLineAbout this query
Explanation
This KQL query is designed to detect activities related to disabling or modifying the Windows Defender Firewall, which is a security concern as it can impair system defenses. The query focuses on identifying specific actions that might indicate such activities, using two main methods:
-
Using
netsh.exe:- The query looks for instances where the
netsh.execommand-line tool is used with parameters that suggest the firewall is being turned off. It specifically searches for command lines that match a pattern indicating the firewall state is being set to "off."
- The query looks for instances where the
-
Using PowerShell:
- It also checks for PowerShell commands that are used to configure the Windows Firewall, particularly those that disable firewall profiles using the
Set-NetFirewallProfilecommand.
- It also checks for PowerShell commands that are used to configure the Windows Firewall, particularly those that disable firewall profiles using the
Additionally, the query includes a simulation section that provides examples of how these actions might be executed using command-line tools or registry modifications. This helps in understanding how such activities could be simulated or detected in a real-world scenario.
Overall, the query is part of a security monitoring strategy to detect potential attempts to disable or modify the system firewall, which aligns with the MITRE ATT&CK technique T1562.004.
