Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic | Defense Evasion
ATT&CK Technique | Impair Defenses: Disable or Modify System Firewall (T1562.004)
Severity | Medium
Description
The Windows Firewall has been disabled using PowerShell. Malware may turn it off to exfiltrate data and communicate with C2 servers.
Attacker's Goals
An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.
Investigative actions
- Check Windows event logs to see the PowerShell command or script that was executed.
- Check whether the PowerShell command is benign or normal for the host and/or user performing it.
- Investigate the endpoint to determine if it's a legitimate process that disabled the firewall.
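The three investigative actions above can be scripted on the affected host. The following PowerShell triage helper is an added example, not part of the original detector page: it pulls the script block that ran (PowerShell Operational log, Event ID 4104, which requires Script Block Logging to be enabled), the firewall service's own record of the profile setting change (Windows Firewall With Advanced Security/Firewall log, Event ID 2003), and the current profile state so the analyst knows whether the firewall is still off. The regex patterns for a disabling command and the `Enable Windows (Defender )?Firewall` match on the 2003 message text are assumptions about message wording and should be extended for the environment.

```powershell
# Added triage example (not the detector's own logic). Assumes Script Block
# Logging is on for step 1; step 2 works without it because the firewall
# service logs the setting change itself.

function Get-FirewallDisableEvidence {
    param(
        [int]$Days = 1   # default matches the detector's 1-day deduplication window (assumed triage scope)
    )
    $since = (Get-Date).AddDays(-$Days)

    # 1. PowerShell script block logging (Event ID 4104): text of every script block that ran.
    $scriptBlocks = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # Assumed patterns for "turn a firewall profile off" (cmdlet and netsh forms).
    $patterns = @(
        'Set-NetFirewallProfile[^\n]*-Enabled\s+(False|0|\$false)',
        'netsh\s+advfirewall\s+set\s+\w+\s+state\s+off'
    )
    $suspiciousBlocks = foreach ($e in $scriptBlocks) {
        foreach ($p in $patterns) {
            if ($e.Message -match $p) {
                [pscustomobject]@{
                    Time     = $e.TimeCreated
                    Source   = 'PowerShell 4104'
                    User     = $e.UserId          # SID of the account that ran the block
                    Evidence = ($e.Message -split "`n" | Where-Object { $_ -match $p } | Select-Object -First 1).Trim()
                }
                break   # one hit per script block is enough
            }
        }
    }

    # 2. Firewall's own log (Event ID 2003): a profile setting changed. The message
    #    wording filter below is an assumption; it keeps only "Enable ... Firewall" changes.
    $fwChanges = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2003
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Enable Windows (Defender )?Firewall' } |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Source   = 'Firewall 2003'
                User     = $_.UserId
                Evidence = ($_.Message -split "`n")[0].Trim()
            }
        }

    # 3. Current state, so the analyst sees whether any profile is still disabled.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled

    [pscustomobject]@{
        SuspiciousCommands = @($suspiciousBlocks)
        FirewallChanges    = @($fwChanges)
        CurrentProfiles    = $profiles
    }
}

# Usage on the alerting host (run elevated so both logs are readable):
$evidence = Get-FirewallDisableEvidence -Days 1
$evidence.SuspiciousCommands | Format-Table -AutoSize
$evidence.FirewallChanges    | Format-Table -AutoSize
$evidence.CurrentProfiles    | Format-Table -AutoSize
```

Cross-checking the `User` column of the 4104 hit against the "Modifying User" named in the 2003 event, and both against the host's expected administrators or management tooling, is what decides whether the command was benign for that host and user (the second investigative action) or warrants escalation.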