BETA DETECTION: DEEP#DOOR | Windows Firewall Connection Logging Disabled via netsh

  • April 22, 2026
Aaron Beardslee
name: Windows Firewall Connection Logging Disabled via netsh Analytic
category: "Defense Evasion"
threatname: "Impair Defenses: Disable or Modify System Firewall"
functionality: "Endpoint Management Systems"
description: |
  Detects netsh commands that disable both dropped-connection and allowed-connection
  logging across all Windows Firewall profiles. Deep#Door issues these commands
  during staging to suppress logging of its outbound bore.pub C2 tunneling traffic,
  preventing network-based detection and impeding forensic reconstruction of
  attacker communications.
reference:
labels:
  - attack.defense_evasion
  - attack.t1562.004
  - Deep#Door
logsource:
  category: process_creation
  product: windows
detection:
  selection_netsh:
    Image|endswith: '\netsh.exe'
    CommandLine|contains:
      - 'advfirewall set allprofiles logging'
  selection_logging_types:
    CommandLine|contains:
      - 'droppedconnections'
      - 'allowedconnections'
  selection_disable:
    CommandLine|contains:
      - 'disable'
  condition: selection_netsh and selection_logging_types and selection_disable
criticality: High
saveasthreat: false

violation_summary:
  grouping_attribute: "accountname"
  level2_attribute:
  level2_metadata_attributes:

TECHNICAL DETAILS
Deep#Door has been observed issuing netsh commands to disable Windows Firewall
connection logging across all firewall profiles. The following commands were
observed:

    netsh advfirewall set allprofiles logging droppedconnections disable
    netsh advfirewall set allprofiles logging allowedconnections disable

Disabling these logging settings suppresses Windows Firewall telemetry for both
blocked and allowed connections, reducing defender visibility into outbound
command-and-control traffic and other suspicious communications.

FALSE POSITIVES

- Legitimate administrative activity could modify firewall logging settings,
  although disabling both dropped and allowed connection logging across all
  profiles is uncommon.
- Consider filtering events based on known administrative tools or approved
  change management activity.
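As an added example (not code from the original post or from Securonix), the Python below replays the rule's three selections and its condition over a handful of constructed process_creation events, then applies the parent-image allowlist suggested under false positives and groups the surviving alerts by accountname, the rule's grouping_attribute. Field names follow the Sysmon-style layout the rule uses; the account names, paths and the "ConfigMgmt" agent are hypothetical placeholders. Sigma string modifiers match case-insensitively by default, so both sides are lowercased before comparison.

```python
"""Added example, not part of the original post or any Securonix component:
replay the netsh firewall-logging detection over constructed events."""

from collections import Counter

# Constructed sample events (hypothetical accounts, paths and tools).
SAMPLE_EVENTS = [
    # Both commands quoted in the post, launched from an interactive shell.
    {"accountname": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "netsh advfirewall set allprofiles logging droppedconnections disable"},
    {"accountname": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "netsh advfirewall set allprofiles logging allowedconnections disable"},
    # Re-enabling logging: same keywords except 'disable', must not fire.
    {"accountname": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "netsh advfirewall set allprofiles logging droppedconnections enable"},
    # Read-only profile query: no logging type and no 'disable'.
    {"accountname": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    # The same string inside another process's command line: Image check excludes it.
    {"accountname": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -Command \"Write-Output 'netsh advfirewall set "
                    "allprofiles logging droppedconnections disable'\""},
    # Upper-case variant launched by a hypothetical approved configuration tool.
    {"accountname": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\WINDOWS\\SYSTEM32\\NETSH.EXE",
     "ParentImage": "C:\\Program Files\\ConfigMgmt\\agent.exe",
     "CommandLine": "NETSH ADVFIREWALL SET ALLPROFILES LOGGING ALLOWEDCONNECTIONS DISABLE"},
]


def _contains_any(value, needles):
    """Sigma 'contains' over a list: true if any needle is a case-insensitive substring."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_rule(event):
    """Evaluate the rule's condition: selection_netsh and selection_logging_types and selection_disable."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection_netsh = (image.lower().endswith("\\netsh.exe")
                       and _contains_any(cmd, ["advfirewall set allprofiles logging"]))
    selection_logging_types = _contains_any(cmd, ["droppedconnections", "allowedconnections"])
    selection_disable = _contains_any(cmd, ["disable"])
    return selection_netsh and selection_logging_types and selection_disable


def evaluate(events, approved_parents=frozenset()):
    """Return events that fire the rule, minus those spawned by an approved
    parent image (the known-administrative-tool filter the post suggests)."""
    approved = {p.lower() for p in approved_parents}
    return [ev for ev in events
            if matches_rule(ev) and ev.get("ParentImage", "").lower() not in approved]


def violations_by_account(alerts):
    """Group alerts by accountname, the rule's grouping_attribute."""
    return dict(Counter(alert["accountname"] for alert in alerts))


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for hit in hits:
        print(f"ALERT {hit['accountname']}: {hit['CommandLine']}")
    print(violations_by_account(hits))
    # Same run with the hypothetical config-management agent allowlisted.
    print(violations_by_account(
        evaluate(SAMPLE_EVENTS, approved_parents={"C:\\Program Files\\ConfigMgmt\\agent.exe"})))
```

Against the six constructed events the unfiltered run raises three alerts (the two quoted commands plus the upper-case variant) and the allowlisted run raises two. The parent-image allowlist is the simplest form of the "known administrative tools" filter; tying it to a change-management ticket lookup would be the next refinement, and any allowlisted parent should itself be monitored, since a tool that is permitted to disable logging is an attractive target.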

A policy-building walkthrough can be found in this previous post:

https://connect.securonix.com/threat%2Dresearch%2Dintelligence%2D62/beta%2Ddetection%2Dtelnyx%2Dteampcp%2Dcredential%2Dexfiltration%2D241