Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
Identity Threat Module |
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
Impair Defenses: Disable or Modify System Firewall (T1562.004) |
Severity |
Informational |
Description
A user added a new Windows Firewall rule. Adding a firewall rule may indicate an attempt to bypass controls limiting network usage or to disrupt network communications.
Attacker's Goals
Firewall rules determine what traffic your firewall will block or allow. A malicious insider might want to change these rules in an attempt to bypass network limitations or disrupt network communication.
Investigative actions
- Check for any other suspicious activity related to the host and the user involved in the alert.
- Check Windows Defender Firewall with Advanced Security for a new rule that was added.
- Check if the new rule was added to different machines as well.