title: Disable Defender Firewall
description: Detect disabling Microsoft Defender Firewall.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Defense Evasion
   technique: T1562
   subtechnique: 004
operating_system: windows
query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "state off"
false_positives: 
tags: