MDE - Netsh commands
MDE Parse Netsh
Query
let fwoffregex = '.*advfirewall.*rule.*';
DeviceProcessEvents
| where FileName == 'netsh.exe'
| extend ProcessCommandLine = tolower(ProcessCommandLine)
| where ProcessCommandLine matches regex fwoffregex
| parse ProcessCommandLine with action "advfirewall firewall" actionname:string " " *
| parse-kv ProcessCommandLine as (name:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (program:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (protocol:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (action:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (dir:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (action:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (localport:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (enable:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (['rule name']:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (['allow program']:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (profile:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (remoteip:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| parse-kv ProcessCommandLine as (group:string) with (pair_delimiter=' ', kv_delimiter='=', quote='"')
| project TimeGenerated, DeviceName, AccountName, AccountDomain, InitiatingProcessCommandLine,InitiatingProcessFileName, InitiatingProcessSignatureStatus,InitiatingProcessParentFileName,InitiatingProcessIntegrityLevel,
actionname, name, program, protocol, dir, action, localport, enable, ProcessCommandLine, ['rule name'],profile, ['allow program'], remoteip, group
| extend app = parse_path(program)About this query
MDE - Netsh commands
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1562.004 | Impair Defenses: Disable or Modify System Firewall | https://attack.mitre.org/techniques/T1562/004/ |
Description
Use the below query to parse netsh advanced firewall commands.
References
- Netsh
- Use netsh advfirewall firewall instead of netsh firewall to control Windows Firewall behavior
- Netsh Commands for Windows Firewall
- PHOSPHORUS Automates Initial Access Using ProxyShell
- Atomic - Impair Defenses: Disable or Modify System Firewall
Microsoft Defender XDR
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
Explanation
This KQL query is designed to detect and analyze the use of netsh commands related to the Windows Firewall, specifically focusing on commands that might disable or modify firewall rules. Here's a simple breakdown of what the query does:
-
Targeted Process: The query looks for events where the
netsh.exeprocess is executed.netshis a command-line utility used to configure network settings, including the firewall. -
Command Filtering: It filters the commands to those that include
advfirewallandrule, indicating advanced firewall rule modifications. -
Command Parsing: The query parses the command line of the
netshprocess to extract specific parameters such as action name, program, protocol, direction, local port, and other firewall rule attributes. -
Data Projection: It projects (selects) relevant fields such as the time of the event, device name, account details, and various parsed command attributes for further analysis.
-
Purpose: The main goal is to identify and analyze attempts to impair system defenses by disabling or modifying the system firewall, which is a known technique (T1562.004) in the MITRE ATT&CK framework.
-
Example Commands: The query is designed to detect commands like
netsh firewall set opmode disableandnetsh advfirewall set allprofiles state off, which are used to disable the firewall.
Overall, this query helps security analysts monitor and investigate potential security incidents involving unauthorized changes to firewall settings.
Details

Alex Verboon
Released: April 16, 2026
Tables
Keywords
Operators