Query Details

Defender for Endpoint - Windows Firewall configuration

MDE Firewall Configuration

Query

let fwoffregex = '.*advfirewall.*state off.*';
DeviceProcessEvents
| where FileName == 'netsh.exe'
| where tolower(ProcessCommandLine) matches regex fwoffregex
| project TimeGenerated, DeviceName,ProcessCommandLine

About this query

Explanation

This KQL query is designed to detect activities related to disabling or modifying the Windows Defender Firewall, which is a security concern as it can impair system defenses. The query focuses on identifying specific actions that might indicate such activities, using two main methods:

  1. Using netsh.exe:

    • The query looks for instances where the netsh.exe command-line tool is used with parameters that suggest the firewall is being turned off. It specifically searches for command lines that match a pattern indicating the firewall state is being set to "off."
  2. Using PowerShell:

    • It also checks for PowerShell commands that are used to configure the Windows Firewall, particularly those that disable firewall profiles using the Set-NetFirewallProfile command.

Additionally, the query includes a simulation section that provides examples of how these actions might be executed using command-line tools or registry modifications. This helps in understanding how such activities could be simulated or detected in a real-world scenario.

Overall, the query is part of a security monitoring strategy to detect potential attempts to disable or modify the system firewall, which aligns with the MITRE ATT&CK technique T1562.004.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

DeviceProcessEventsDeviceEvents

Keywords

DeviceProcessEventsFirewallWindowsDefenderPowerShellCommand

Operators

letmatches regex|where==tolowerproject

MITRE Techniques

Actions

GitHub