rule:
meta:
name: disable firewall features via registry on Windows
namespace: impact/features
authors:
- mehunhoff@google.com
scopes:
static: function
dynamic: span of calls
att&ck:
- Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
mbc:
- Defense Evasion::Disable or Evade Security Tools [F0004]
features:
- and:
- match: set registry value
- or:
- and:
- or:
- string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile/i
- string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile/i
- or:
- string: /EnableFirewall/i
- string: /DisableNotifications/i
- and:
- string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile/i
- string: /DisableNotifications/i
last edited: 2025-03-24 16:38:19