MITRE ATT&CK® Analytic

AN2043: Analytic 2043

Detects processes or users modifying Windows Defender Firewall profiles, policies, or rules followed by measurable network exposure changes. Correlates firewall management execution, registry/policy mutation, service state changes, and subsequent inbound or outbound connectivity inconsistent with baseline administration.

Domain: Enterprise | ID: AN2043 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN2043 is a Windows detection analytic focused on a high-value control point: changes to Windows Defender Firewall that are followed by measurable changes in network exposure. For executives and security leaders, the practical issue is not only that a firewall rule changed, but whether that change weakened segmentation, enabled unexpected inbound access, or allowed outbound communications outside the normal administrative baseline.

Executive priority

Prioritize this analytic where Windows systems support critical business services, regulated workloads, remote administration paths, or incident containment plans. Firewall policy changes can affect operational resilience, audit evidence, and incident response decisions because they may alter which systems are reachable or allowed to communicate. Leaders should ask whether firewall rule and policy changes are logged, reviewed, correlated with network exposure, and tied to approved change activity.

Technical view

SOC and detection teams should validate whether they can correlate Windows Defender Firewall management activity, registry or policy mutation, firewall service state changes, and subsequent inbound or outbound connectivity that differs from baseline administration. Because the supplied ATT&CK object has no tactic, relationship, or official detection logic, implementation should focus on the described behavior rather than assuming a specific adversary phase. IR teams should treat suspicious firewall changes as context for scoping exposure changes and validating whether containment controls remained effective.

Likely telemetry

  • Windows Defender Firewall rule, profile, and policy change events
  • Process execution related to firewall management or policy modification
  • User and administrative account activity associated with firewall changes
  • Registry and local/group policy modification telemetry affecting firewall configuration
  • Windows Defender Firewall service state or configuration changes

Detection direction

  • Correlate firewall configuration changes with the user, process, host, and time window involved rather than alerting on every administrative change in isolation.
  • Compare post-change inbound and outbound connectivity against known administrative baselines to identify meaningful exposure changes.
  • Tune for expected IT operations such as approved policy deployments, maintenance windows, and endpoint management activity to reduce false positives.
  • Validate visibility into both local host changes and centrally applied policy changes, since either may affect Windows Defender Firewall behavior.
  • Investigate cases where firewall service state changes, registry or policy edits, and new network connectivity occur together without an approved change record.
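The correlation described in the technical view and the detection direction above, as an added worked example (not Glexia's or MITRE's detection logic): Windows Security-log firewall change events are paired with later inbound connections on the same host, and only pairs that fall outside a local baseline are raised. The event IDs are real Windows Security-log IDs; the baseline, account names, hosts, ports and sample events are constructed for the example, and the events are assumed to be already normalized into dicts with the fields shown.

```python
from datetime import datetime, timedelta

# Security-log IDs (need "Audit MPSSVC Rule-Level Policy Change" and
# "Audit Filtering Platform Connection" enabled): 4946 rule added,
# 4947 rule modified, 4948 rule deleted, 4950 setting changed,
# 5025 firewall service stopped, 5156 WFP permitted a connection.
FIREWALL_CHANGE_IDS = {4946, 4947, 4948, 4950, 5025}
CONNECTION_ALLOWED_ID = 5156

# Constructed local baseline (assumption): accounts allowed to change rules
# without a change record, expected inbound ports, and the attribution window.
BASELINE = {
    "approved_accounts": {"CORP\\svc-intune"},
    "expected_inbound_ports": {135, 445, 3389},
    "window": timedelta(minutes=30),
}

def correlate(events, baseline=BASELINE):
    """Return one alert per unapproved firewall change that is followed, on the
    same host and inside the window, by inbound traffic to a non-baseline port."""
    pending, alerts = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in FIREWALL_CHANGE_IDS:
            if ev["user"] not in baseline["approved_accounts"]:
                pending.append(ev)  # keep for later exposure evidence
        elif (ev["id"] == CONNECTION_ALLOWED_ID and ev["direction"] == "inbound"
              and ev["port"] not in baseline["expected_inbound_ports"]):
            for chg in pending:
                delta = ev["time"] - chg["time"]
                if chg["host"] == ev["host"] and timedelta(0) <= delta <= baseline["window"]:
                    alerts.append({"host": ev["host"], "user": chg["user"], "process": chg["process"],
                                   "change_id": chg["id"], "port": ev["port"], "remote": ev["remote"],
                                   "seconds_after_change": int(delta.total_seconds())})
    return alerts

def _t(hhmm):
    return datetime(2026, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample telemetry, not real log data: a rule added by an interactive
# user via netsh.exe, then a new inbound connection five minutes later.
SAMPLE_EVENTS = [
    {"time": _t("10:00"), "id": 4946, "host": "WS01", "user": "CORP\\jdoe", "process": "netsh.exe"},
    {"time": _t("10:05"), "id": 5156, "host": "WS01", "direction": "inbound", "port": 8443, "remote": "10.0.0.7"},
    {"time": _t("10:06"), "id": 5156, "host": "WS01", "direction": "inbound", "port": 445, "remote": "10.0.0.9"},
    {"time": _t("11:30"), "id": 4947, "host": "WS02", "user": "CORP\\svc-intune", "process": "svchost.exe"},
    {"time": _t("11:35"), "id": 5156, "host": "WS02", "direction": "inbound", "port": 8080, "remote": "10.0.0.7"},
    {"time": _t("12:00"), "id": 4948, "host": "WS01", "user": "CORP\\jdoe", "process": "powershell.exe"},
    {"time": _t("13:00"), "id": 5156, "host": "WS01", "direction": "inbound", "port": 9000, "remote": "10.0.0.7"},
]
```

Of the three firewall changes in the sample, only the first produces an alert: the second is made by an approved management account, and the third is not followed by new inbound connectivity inside the 30-minute window.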

Mitigation priorities

  • Establish and maintain approved baselines for Windows Defender Firewall profiles, policies, and rules on sensitive Windows assets.
  • Restrict who can modify firewall settings and ensure administrative actions are attributable to named users or managed service accounts.
  • Require change control for firewall policy modifications that affect critical systems or regulated environments.
  • Collect and retain firewall configuration, process, policy, registry, service-state, and network telemetry needed to reconstruct exposure changes.
  • Regularly test incident response playbooks to confirm firewall policy changes can be identified, reversed, and explained during containment.

Analyst notes and limits

This object describes a detection analytic, not a technique or confirmed intrusion behavior. Its value comes from correlating control-plane changes with observable network exposure changes. The absence of supplied relationships means no specific ATT&CK technique, software, group, or campaign context should be inferred.

Official detection logic is not provided, tactics are not specified, and no relationship context is supplied. Local baselines, approved administration patterns, and available Windows/network telemetry are required to determine what is suspicious in a given environment.

Official MITRE ATT&CK definition

Analytic 2043

Detects processes or users modifying Windows Defender Firewall profiles, policies, or rules followed by measurable network exposure changes. Correlates firewall management execution, registry/policy mutation, service state changes, and subsequent inbound or outbound connectivity inconsistent with baseline administration.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided in snapshot)
Modified: (not provided in snapshot)
Raw hash: c40093336692bb81...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not provided) | 1.0 | (not provided) | Current bundle | c40093336692…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN2043

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.