DET0901: Detect Windows Firewall
Analyst context for executives and security teams
DET0901 is a MITRE detection strategy for changes to the Windows host firewall, related to ATT&CK technique T1686.003 under defense impairment. The business significance is that firewall tampering can weaken host-level network controls and reduce confidence in containment, segmentation, and endpoint hardening assumptions during an incident.
Executive priority
Security leaders should treat Windows firewall visibility as an operational resilience and incident-readiness control, not just an endpoint configuration issue. Priority questions include: can the organization prove when Windows firewall profiles or rules are disabled or modified, can SOC and IR teams distinguish approved administration from suspicious defense impairment, and is that evidence available for audit, compliance, and post-incident review?
Technical view
The supplied ATT&CK object has no official description, platform list, tactics, or detection text, but its relationship to T1686.003 anchors it to Windows Host Firewall behavior in the defense-impairment tactic. SOC and detection teams should validate monitoring for Windows firewall state changes, profile suppression, and rule creation, deletion, or modification. IR teams should confirm they can reconstruct who or what changed firewall configuration, when it changed, and whether the change affected domain, private, or public profiles.
Likely telemetry
- Windows host firewall configuration state and profile status
- Firewall rule add, delete, and modify events
- Endpoint management or configuration-management change records
- Windows security, system, and administrative logs relevant to firewall policy changes
- Process, user, and command/context telemetry associated with firewall configuration changes
Detection direction
- Baseline expected Windows firewall profiles and approved rule-management activity so detections can separate normal administration from suspicious impairment.
- Alert on disabling the Windows host firewall, suppressing domain/private/public profiles, or unexpected rule changes, especially when performed outside change windows or by unusual users/processes.
- Correlate firewall changes with other defense-impairment signals and incident timelines rather than treating every rule change as malicious.
- Validate log retention and centralization; a common blind spot is discovering during IR that endpoint-local firewall changes were not collected or were overwritten.
- Tune for administrative noise from endpoint management, troubleshooting, and software installation while preserving visibility into high-risk changes.
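The baseline-and-exception logic in the detection direction above, as an added worked example (not MITRE detection content and not Glexia's code). It triages flattened Windows Security-log firewall audit events against an approved-actor baseline and a change window, grades deviations by severity, and reports hosts that sent no firewall telemetry at all as a collection blind spot rather than as clean. The event IDs are the real Windows Security-log firewall audit events (4946 rule added, 4947 rule modified, 4948 rule deleted, 4950 setting changed; 4946–4950 require the "Audit MPSSVC Rule-Level Policy Change" subcategory to be enabled; 5025 firewall service stopped). The normalized record layout, account names, host names, process paths, change window and sample events are constructed for the example.

```python
"""Triage of Windows host-firewall change events against an approved-change baseline.

Added example for this page; not MITRE's detection content and not Glexia's code.
Event IDs are real Security-log firewall audit events (4946 rule added, 4947 rule
modified, 4948 rule deleted, 4950 setting changed, 5025 firewall service stopped).
The flattened record layout, accounts, hosts, process paths, change window and the
sample records below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

FIREWALL_EVENT_IDS = {
    4946: "rule_added",
    4947: "rule_modified",
    4948: "rule_deleted",
    4950: "setting_changed",
    5025: "service_stopped",
}

# Constructed baseline: who and what is allowed to manage local firewall policy,
# and the nightly change window in which their changes are expected.
APPROVED_ACCOUNTS = {"CORP\\svc-endpointmgmt", "CORP\\fw-admin"}
APPROVED_PROCESSES = {"C:\\Program Files\\EndpointMgr\\agent.exe"}
CHANGE_WINDOW = (time(22, 0), time(23, 59, 59))


@dataclass
class Alert:
    host: str
    event_id: int
    kind: str
    severity: str
    reasons: list = field(default_factory=list)


def in_change_window(ts: datetime) -> bool:
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def is_disabling_change(kind: str, ev: dict) -> bool:
    """True when the event turns a profile's firewall off or stops the service."""
    if kind == "service_stopped":
        return True
    return (kind == "setting_changed"
            and ev.get("setting") == "Enable Windows Firewall"
            and str(ev.get("value", "")).lower() == "no")


def triage_event(ev: dict) -> Optional[Alert]:
    """Return an Alert for a firewall change that deviates from the baseline, else None."""
    kind = FIREWALL_EVENT_IDS.get(ev["event_id"])
    if kind is None:
        return None  # not a firewall event
    reasons = []
    if ev.get("account") not in APPROVED_ACCOUNTS:
        reasons.append("account is not an approved firewall administrator")
    if ev.get("process") not in APPROVED_PROCESSES:
        reasons.append("initiating process is not an approved management tool")
    if not in_change_window(datetime.fromisoformat(ev["time"])):
        reasons.append("change made outside the approved change window")
    disabling = is_disabling_change(kind, ev)
    if disabling:
        reasons.append(f"host firewall disabled ({ev.get('profile', 'service')})")
    if not reasons:
        return None  # approved actor, approved tool, inside the window: routine administration
    severity = "high" if disabling else ("medium" if len(reasons) >= 2 else "low")
    return Alert(ev["host"], ev["event_id"], kind, severity, reasons)


def triage_events(events: list) -> list:
    return [a for a in (triage_event(e) for e in events) if a is not None]


def coverage_gaps(events: list, expected_hosts: set) -> set:
    """Hosts that sent no firewall events at all: a collection/retention blind spot,
    not evidence that nothing changed."""
    reporting = {e["host"] for e in events if e["event_id"] in FIREWALL_EVENT_IDS}
    return expected_hosts - reporting


# Constructed sample records, in the flattened form a SIEM might normalize them to.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "event_id": 4946, "time": "2026-03-02T22:15:00",
     "account": "CORP\\svc-endpointmgmt", "process": "C:\\Program Files\\EndpointMgr\\agent.exe"},
    {"host": "WS-0412", "event_id": 4624, "time": "2026-03-02T22:16:00",
     "account": "CORP\\jdoe"},
    {"host": "WS-0777", "event_id": 4950, "time": "2026-03-03T14:03:00",
     "account": "CORP\\jdoe", "process": "C:\\Windows\\System32\\netsh.exe",
     "profile": "Domain", "setting": "Enable Windows Firewall", "value": "No"},
    {"host": "SRV-DB01", "event_id": 4948, "time": "2026-03-03T10:00:00",
     "account": "CORP\\fw-admin", "process": "C:\\Program Files\\EndpointMgr\\agent.exe"},
    {"host": "SRV-DB01", "event_id": 5025, "time": "2026-03-04T03:00:00",
     "account": "NT AUTHORITY\\SYSTEM", "process": "C:\\Windows\\System32\\services.exe"},
]
EXPECTED_HOSTS = {"WS-0412", "WS-0777", "SRV-DB01", "SRV-FILE02"}

if __name__ == "__main__":
    for a in triage_events(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.host} {a.event_id} {a.kind}: {'; '.join(a.reasons)}")
    print("no firewall telemetry from:", sorted(coverage_gaps(SAMPLE_EVENTS, EXPECTED_HOSTS)))
```

Two design choices carry the page's guidance: a change by an approved account through an approved management tool inside the change window produces no alert, which is the tuning for administrative noise, while any event that disables a profile or stops the firewall service is graded high regardless of who made it, because that is the impairment an incident timeline most needs. `coverage_gaps` reflects the retention point: a host with zero firewall events is a blind spot to investigate, not a clean result.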
Mitigation priorities
- Define and enforce approved Windows firewall policy ownership and change-control paths.
- Centralize collection of firewall configuration and rule-change evidence from Windows endpoints.
- Use least privilege for accounts and tools that can modify local firewall settings.
- Regularly test whether SOC and IR teams can detect and investigate firewall disablement or rule tampering using collected telemetry.
- Maintain audit-ready records showing baseline policy, authorized exceptions, and investigated deviations.
Analyst notes and limits
This take is based on the DET0901 detection strategy metadata and its stated relationship to T1686.003 Windows Host Firewall. Because MITRE provides no official detection text for this object in the supplied fields, the guidance is framed as validation direction rather than a specific analytic rule.
The object does not specify platforms, tactics, aliases, labels, description, or detection content. Windows relevance is derived from the related technique context only. Local endpoint architecture, logging policy, EDR capability, and administrative processes are required to determine actual coverage and priority.
Detect Windows Firewall
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1686.003 | Windows Host Firewall Sub-technique | This object detects Windows Host Firewall. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 503211221c55… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0901 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.