[New Rule] Windows Firewall Disabled (#1565)

* Create defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2021/10/15"
+maturity = "production"
+updated_date = "2021/11/24"
+
+
+[rule]
+author = ["Austin Songer"]
+description = """
+Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which attackers do to evade network
+constraints, like internet and network lateral communication restrictions.
+"""
+false_positives = [
+    """
+    Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity, 
+    user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled from
+    unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Windows Firewall Disabled via PowerShell"
+references = [
+    "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+    "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+    "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+    "http://woshub.com/manage-windows-firewall-powershell/",
+]
+risk_score = 47
+rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.action == "start" and
+  (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and
+   process.args : "*Set-NetFirewallProfile*" and
+  (process.args : "*-Enabled*" and process.args : "*False*") and
+  (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*"))
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+  [[rule.threat.technique.subtechnique]]
+  id = "T1562.004"
+  reference = "https://attack.mitre.org/techniques/T1562/004/"
+  name = "Disable or Modify System Firewall"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+