Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 7 Days |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | Impair Defenses: Disable or Modify System Firewall (T1562.004) |
| Severity | Medium |
Description
The Windows Firewall has been disabled. Malware may turn it off to exfiltrate data and communicate with C2 servers.
Attacker's Goals
An attacker may turn the firewall off to exfiltrate data and communicate with C2 servers.
Investigative actions
- Check whether the command line executed is benign or normal for the host and/or user performing it.
- Investigate the endpoint to determine if the process is legitimately disabling the firewall.
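An added example of the command-line triage the investigative actions describe, written here as a small detector; it is not the vendor's own detection logic. It assumes process-creation events carrying `ts`, `host`, `user` and `cmdline` fields, matches three well-known Windows Firewall disable forms (netsh, Set-NetFirewallProfile and the EnableFirewall registry value), and applies the 7-day deduplication period per host; the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "user": "alice",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"ts": "2024-05-01T09:05:00", "host": "WS01", "user": "alice",
     "cmdline": "netsh advfirewall show allprofiles"},  # benign: read-only
    {"ts": "2024-05-03T11:00:00", "host": "WS01", "user": "SYSTEM",
     "cmdline": "powershell -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"},
    {"ts": "2024-05-10T08:00:00", "host": "WS02", "user": "bob",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile /v EnableFirewall /t REG_DWORD /d 0 /f"},
]

# Assumed command-line forms that disable the Windows Firewall (the vendor's
# own matching logic is not published on this page).
DISABLE_PATTERNS = [
    re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    re.compile(r"Set-NetFirewallProfile\b.*-Enabled\s+(False|0|\$false)\b", re.I),
    re.compile(r"FirewallPolicy\\.*\bEnableFirewall\b.*/d\s+0\b", re.I),
]
DEDUP_WINDOW = timedelta(days=7)  # the detector's Deduplication Period


def is_firewall_disable(cmdline: str) -> bool:
    """True if the command line matches a known firewall-disable form."""
    return any(p.search(cmdline) for p in DISABLE_PATTERNS)


def detect(events):
    """Raise at most one alert per host per 7-day window; later matches on
    the same host inside the window are suppressed as duplicates."""
    alerts, last_alert = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_firewall_disable(ev["cmdline"]):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        prev = last_alert.get(ev["host"])
        if prev is not None and ts - prev < DEDUP_WINDOW:
            continue  # duplicate within the dedup window
        last_alert[ev["host"]] = ts
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "cmdline": ev["cmdline"], "technique": "T1562.004",
                       "severity": "Medium"})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields two alerts: the first WS01 event and the WS02 event; the second WS01 match falls inside the 7-day window and is suppressed.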