title: Firewall Disabled via Netsh description: Detects netsh commands that turns off the Windows firewall references: - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/ - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/ date: 2019/11/01 status: experimental author: Fatih Sirin tags: - attack.defense_evasion logsource: category: process_creation product: windows detection: selection: CommandLine: - netsh firewall set opmode mode=disable - netsh advfirewall set * state off condition: selection falsepositives: - Legitimate administration level: medium