Query Details

MDE - Netsh commands

MDE Parse Netsh

Query

let fwoffregex = '.*advfirewall.*rule.*';
DeviceProcessEvents
| where FileName == 'netsh.exe'
| extend ProcessCommandLine = tolower(ProcessCommandLine)
| where ProcessCommandLine matches regex fwoffregex
| parse ProcessCommandLine with action "advfirewall firewall" actionname:string  " " *
| parse-kv ProcessCommandLine as (name:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (program:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (protocol:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (action:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (dir:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (action:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (localport:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (enable:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (['rule name']:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (['allow program']:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (profile:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (remoteip:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| parse-kv ProcessCommandLine as (group:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"') 
| project  TimeGenerated, DeviceName, AccountName, AccountDomain, InitiatingProcessCommandLine,InitiatingProcessFileName, InitiatingProcessSignatureStatus,InitiatingProcessParentFileName,InitiatingProcessIntegrityLevel,
actionname, name, program, protocol, dir, action, localport, enable, ProcessCommandLine, ['rule name'],profile, ['allow program'], remoteip, group
| extend app = parse_path(program)

About this query

MDE - Netsh commands

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1562.004Impair Defenses: Disable or Modify System Firewallhttps://attack.mitre.org/techniques/T1562/004/

Description

Use the below query to parse netsh advanced firewall commands.

References

Microsoft Defender XDR

netsh firewall set opmode disable
netsh advfirewall set allprofiles state off

Explanation

This KQL query is designed to detect and analyze the use of netsh commands related to the Windows Firewall, specifically focusing on commands that might disable or modify firewall rules. Here's a simple breakdown of what the query does:

  1. Targeted Process: The query looks for events where the netsh.exe process is executed. netsh is a command-line utility used to configure network settings, including the firewall.

  2. Command Filtering: It filters the commands to those that include advfirewall and rule, indicating advanced firewall rule modifications.

  3. Command Parsing: The query parses the command line of the netsh process to extract specific parameters such as action name, program, protocol, direction, local port, and other firewall rule attributes.

  4. Data Projection: It projects (selects) relevant fields such as the time of the event, device name, account details, and various parsed command attributes for further analysis.

  5. Purpose: The main goal is to identify and analyze attempts to impair system defenses by disabling or modifying the system firewall, which is a known technique (T1562.004) in the MITRE ATT&CK framework.

  6. Example Commands: The query is designed to detect commands like netsh firewall set opmode disable and netsh advfirewall set allprofiles state off, which are used to disable the firewall.

Overall, this query helps security analysts monitor and investigate potential security incidents involving unauthorized changes to firewall settings.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsNameAccountDomainCommandLineFileSignatureStatusParentIntegrityLevelRuleAllowProgramRemoteIPGroupProfileProtocolActionLocalPortEnable

Operators

letDeviceProcessEventswhereextendtolowermatchesregexparseparse-kvaswithprojectTimeGeneratedDeviceNameAccountNameAccountDomainInitiatingProcessCommandLineInitiatingProcessFileNameInitiatingProcessSignatureStatusInitiatingProcessParentFileNameInitiatingProcessIntegrityLevelparse_path

MITRE Techniques

Actions

GitHub