
5025 The Windows Firewall Service has been stopped

Logged when the Windows Firewall service stops. Because taking a defense offline directly lets an attacker communicate freely and evade detection, this event warrants attention.

Overview

The subcategory is Audit Other System Events. It is generated when the firewall service (MPSSVC) stops. Paired with start 5024, it captures the interval during which the firewall is not in effect.

How it is triggered

  • Stopping the firewall service via administration, a service-stop command, shutdown, and so on.

Security review points

  • Stopping the firewall is a hallmark of defense evasion: it removes network restrictions in bulk. An attacker may stop the firewall to enable C2 communication or lateral movement, so investigate stops that are unplanned or occur outside business hours at top priority.
  • Check whether a start event 5024 follows the stop, and whether suspicious communication or logons occurred while the firewall was down. Correlate it with the settings-change event 4950 (profile disabling).

Notes for log review

  • The service also stops on a normal shutdown. Match the stop time against operational plans and check whether a restart followed; keep unexplained stops for investigation.
  • Note situations where a stop is not followed by a start (defenses stayed down).
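The review steps above (pair each 5025 with the next 5024 on the same host, measure the gap, flag stops outside business hours or with no restart) as a small added script; it is not part of the original page. The events, field names and the 08:00-17:59 business window are constructed assumptions; a real export would come from Get-WinEvent or wevtutil.

```python
from datetime import datetime

# Constructed sample events (not real log data). Field names follow the
# Security log: TimeCreated, EventID (Id) and Computer.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-04T02:13:00", "Id": 5025, "Computer": "WS01"},
    {"TimeCreated": "2024-03-04T02:41:00", "Id": 5024, "Computer": "WS01"},
    {"TimeCreated": "2024-03-04T18:00:00", "Id": 5025, "Computer": "WS02"},  # shutdown
    {"TimeCreated": "2024-03-05T08:00:00", "Id": 5024, "Computer": "WS02"},
    {"TimeCreated": "2024-03-05T11:30:00", "Id": 5025, "Computer": "WS03"},  # never restarted
]

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time


def firewall_downtime(events, business_hours=BUSINESS_HOURS):
    """Pair each 5025 (service stopped) with the next 5024 (service started)
    on the same host. Returns one finding per stop with the length of the gap
    in seconds (None when no restart appears in the data), whether a restart
    followed, and whether the stop fell outside business hours."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):  # ISO strings sort by time
        by_host.setdefault(ev["Computer"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["Id"] != 5025:
                continue
            stopped = datetime.fromisoformat(ev["TimeCreated"])
            restart = next((e for e in evs[i + 1:] if e["Id"] == 5024), None)
            gap = None
            if restart is not None:
                gap = (datetime.fromisoformat(restart["TimeCreated"]) - stopped).total_seconds()
            findings.append({
                "Computer": host,
                "stopped": ev["TimeCreated"],
                "restarted": restart is not None,
                "gap_seconds": gap,
                "outside_hours": stopped.hour not in business_hours,
            })
    return findings


def needs_priority_review(finding):
    """Top priority: the firewall never came back, or the stop was outside business hours."""
    return (not finding["restarted"]) or finding["outside_hours"]


if __name__ == "__main__":
    for f in firewall_downtime(SAMPLE_EVENTS):
        print(f["Computer"], f["stopped"], "gap(s):", f["gap_seconds"],
              "restarted:", f["restarted"], "priority:", needs_priority_review(f))
```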

Key fields

Field          Meaning
Computer       The host
TimeCreated    The stop time
