An adversary may disable the firewall to bypass network defenses and establish unauthorized access to the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or exfiltration attempts that could evade traditional security controls.
YARA Rule
rule disable_firewall {
    meta:
        author = "x0r"
        description = "Disable Firewall"
        version = "0.1"
    strings:
        $p1 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy" nocase
        $c1 = "RegSetValue"
        $r1 = "FirewallPolicy"
        $r2 = "EnableFirewall"
        $r3 = "FirewallDisableNotify"
        $s1 = "netsh firewall add allowedprogram"
    condition:
        (1 of ($p*) and $c1 and 1 of ($r*)) or $s1
}
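To show exactly what the condition above does and does not fire on, here is a pure-Python re-implementation of the rule's string matching and condition logic (an added example, not part of the original page or the rule author's work). It assumes YARA's plain substring semantics for unmodified text strings and runs against three constructed byte buffers, so the `nocase` modifier, the `1 of ($p*)` / `1 of ($r*)` quantifiers and the standalone `or $s1` branch can be checked without a YARA engine installed.

```python
# Rule strings from disable_firewall: identifier -> (pattern, nocase).
# YARA "\\" in the source is a single backslash in the matched bytes.
STRINGS = {
    "$p1": (rb"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy", True),
    "$c1": (b"RegSetValue", False),      # also hits RegSetValueEx / RegSetValueExW as a substring
    "$r1": (b"FirewallPolicy", False),
    "$r2": (b"EnableFirewall", False),
    "$r3": (b"FirewallDisableNotify", False),
    "$s1": (b"netsh firewall add allowedprogram", False),
}


def find_strings(data: bytes) -> set:
    """Return the identifiers of every rule string present in data."""
    hits = set()
    for ident, (pattern, nocase) in STRINGS.items():
        hay, needle = (data.lower(), pattern.lower()) if nocase else (data, pattern)
        if needle in hay:
            hits.add(ident)
    return hits


def condition(hits: set) -> bool:
    """Evaluate: (1 of ($p*) and $c1 and 1 of ($r*)) or $s1"""
    any_p = any(h.startswith("$p") for h in hits)
    any_r = any(h.startswith("$r") for h in hits)
    return (any_p and "$c1" in hits and any_r) or "$s1" in hits


def scan(data: bytes) -> dict:
    """Scan one buffer and report the verdict plus the strings that hit."""
    hits = find_strings(data)
    return {"matched": condition(hits), "strings": sorted(hits)}


# Constructed sample buffers (not real binaries or malware):
SAMPLES = {
    # Registry path in a different case (caught by nocase), an API import name
    # and one value name: the registry branch of the condition is satisfied.
    "disabler": (b"\x00system\\currentcontrolset\\services\\sharedaccess"
                 b"\\parameters\\firewallpolicy\x00RegSetValueExW\x00EnableFirewall\x00"),
    # Value names alone, without the full key path or RegSetValue: no match.
    "benign_config": b"[Settings]\nEnableFirewall=1\nFirewallPolicy=default\n",
    # The netsh command string is enough on its own because of "or $s1".
    "script": b"netsh firewall add allowedprogram C:\\tool\\agent.exe agent ENABLE\n",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, scan(buf))
```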
This rule contains 6 string patterns in its detection logic. The following scenarios describe legitimate administrative activity that can produce the same indicators, each with a suggested filter or exclusion for hunting queries:
Scenario: Scheduled Firewall Maintenance Task
Description: A system administrator schedules a maintenance task using Task Scheduler to temporarily disable the firewall for system updates.
Filter/Exclusion: Check for EventID 100 (Task Scheduler event) with the task name containing “Firewall Maintenance” or “Firewall Update”.
Scenario: Group Policy Object (GPO) Deployment
Description: An administrator uses Group Policy Management Console (GPMC) to deploy a GPO that disables the firewall on a set of machines during a security policy change.
Filter/Exclusion: Filter events related to GPO processing (e.g., EventID 1000 or EventID 1001) or check for EventID 411 (GPO processing started).
Scenario: Third-Party Application Configuration
Description: A legitimate enterprise application (e.g., Cisco ASA or Palo Alto Networks) requires the firewall to be disabled temporarily during a configuration sync or update.
Filter/Exclusion: Check for process names or service names associated with the third-party tool (e.g., ciscoasa.exe, panos.exe) in the event or process context.
Scenario: Security Software Compatibility Check
Description: A security tool (e.g., Microsoft Defender or CrowdStrike Falcon) performs a compatibility check that temporarily disables the firewall.
Filter/Exclusion: Filter events related to the specific security tool (e.g., EventID 100 with process name MsDefender.exe or falcon.exe).
Scenario: Automated Patching Job
Description: An automated patching job (e.g., Windows Server Update Services (WSUS) or SCCM) disables the firewall to allow network-based