Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0406: Analytic 0406

Detection of firewall tampering by monitoring processes executing netsh, PowerShell Set-NetFirewallProfile, or sc stop mpssvc. Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy also indicate adversarial actions.

EnterpriseAN0406AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0406 is a Windows detection analytic focused on signs that a process is tampering with host firewall controls. For leaders, the practical issue is not the specific command name; it is whether the organization can prove that endpoint firewall policy changes, service stoppage, or registry-level firewall policy edits are visible quickly enough for SOC and incident response teams to act before defensive visibility or containment assumptions are weakened.

Executive priority

Prioritize this analytic where Windows endpoints or servers depend on local firewall policy as part of resilience, segmentation, remote access control, or incident containment. Executives should ask whether firewall policy changes are logged, monitored, and reviewable as compliance evidence, and whether SOC playbooks distinguish authorized administration from suspicious attempts to disable or weaken host-level defenses.

Technical view

Validate monitoring for Windows processes executing netsh, PowerShell Set-NetFirewallProfile, or sc stop mpssvc, and for registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat AN0406 as a detection design requirement rather than a complete rule: confirm process creation telemetry, command-line capture, PowerShell visibility, service-control events, and registry-change auditing are enabled and normalized for alerting and investigation.

Likely telemetry

  • Windows process creation events, including command line where available
  • PowerShell execution telemetry for Set-NetFirewallProfile usage
  • Windows service control telemetry related to the mpssvc service
  • Windows registry modification telemetry for HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  • Endpoint security or EDR records showing parent process, user context, host, and timestamp for firewall-related changes

Detection direction

  • Alert on or review execution of netsh, PowerShell Set-NetFirewallProfile, and sc stop mpssvc in contexts that are not expected for approved administration.
  • Monitor registry writes under the specified FirewallPolicy path and correlate them with the initiating process and user account.
  • Tune for legitimate administrative tools, configuration management, and help desk activity to reduce false positives without suppressing rare or high-risk changes.
  • Validate that command-line, PowerShell, service, and registry telemetry are actually collected on Windows systems; missing command-line or registry auditing is a common blind spot for this analytic.
  • Use local baselines and change windows to separate routine firewall management from potentially adversarial tampering.

Mitigation priorities

  • Define and document approved Windows firewall administration paths and authorized accounts.
  • Restrict who can modify firewall profiles, stop the Windows firewall service, or change firewall policy registry keys.
  • Enable and retain the telemetry needed to investigate process execution, PowerShell activity, service changes, and registry modifications.
  • Review SOC triage procedures so firewall tampering alerts lead to verification of the user, host role, change ticket, and any concurrent suspicious activity.
  • Include firewall-policy monitoring evidence in control validation and compliance readiness where host firewall configuration is in scope.
Analyst notes and limits

The supplied object is a detection analytic for Windows firewall tampering. Its value is strongest as a coverage validation item for SOC engineering and incident response readiness: can the team see host firewall changes, identify who or what made them, and decide whether they were authorized? No relationship context was supplied, so this take does not map the analytic to specific techniques, actors, campaigns, or incident outcomes.

Official detection content is not provided, tactics are not specified, and no relationships are supplied. The object supports Windows-only coverage discussion and the named commands, service, and registry path only. Local environment baselines, administrative procedures, and telemetry availability are required to turn this into a reliable production detection.

Official MITRE ATT&CK definition

Analytic 0406

Detection of firewall tampering by monitoring processes executing netsh, PowerShell Set-NetFirewallProfile, or sc stop mpssvc. Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy also indicate adversarial actions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
cd6952aeb8384939...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle cd6952aeb838…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0406
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use