Windows firewall disabled


Goal

Detect when the Windows firewall is disabled.

Strategy

Monitor Windows event logs where @evt.id is 4950 and @Event.EventData.Data.SettingValue is No.

Triage and response

Verify if {{@Event.System.Computer}} has a legitimate reason for having the Windows firewall disabled.
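
The following is an added example, not part of the original rule: the same match condition applied offline to exported JSON events, with hits grouped by Event.System.Computer for triage. The sample events, host names, and function names are constructed for illustration; only the three attribute paths come from the rule above.

```python
import json
from collections import Counter

# Constructed sample events (not real logs), shaped like the attributes the rule queries.
SAMPLE_LOGS = """\
{"evt": {"id": 4950}, "Event": {"System": {"Computer": "ws01.example.test"}, "EventData": {"Data": {"SettingValue": "No"}}}}
{"evt": {"id": "4950"}, "Event": {"System": {"Computer": "ws02.example.test"}, "EventData": {"Data": {"SettingValue": "Yes"}}}}
{"evt": {"id": 4624}, "Event": {"System": {"Computer": "ws01.example.test"}, "EventData": {"Data": {"SettingValue": "No"}}}}
{"evt": {"id": "4950"}, "Event": {"System": {"Computer": "srv03.example.test"}, "EventData": {"Data": {"SettingValue": "No"}}}}
{"evt": {"id": 4950}, "Event": {"System": {"Computer": "ws04.example.test"}}}
not json at all
"""

def attr(event, path):
    """Resolve a dotted attribute path such as 'Event.System.Computer'; None if absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_rule(event):
    """True when evt.id is 4950 and Event.EventData.Data.SettingValue is 'No'."""
    # evt.id may arrive as a number or a string depending on the log pipeline.
    return (str(attr(event, "evt.id")) == "4950"
            and attr(event, "Event.EventData.Data.SettingValue") == "No")

def hosts_with_firewall_disabled(raw_lines):
    """Count matching events per Event.System.Computer, skipping unparsable lines."""
    hits = Counter()
    for line in raw_lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line: ignore rather than abort the run
        if isinstance(event, dict) and matches_rule(event):
            hits[attr(event, "Event.System.Computer") or "<unknown host>"] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, count in hosts_with_firewall_disabled(SAMPLE_LOGS).items():
        print(f"{host}: {count} event(s) to triage")
```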