
Insider Threat Matrix™

  • ID: PR018.004
  • Created: 23rd July 2024
  • Updated: 24th July 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Modifying a Host-Based Firewall

A subject abuses their access or conducts unapproved changes by modifying the local host firewall, such as editing inbound or outbound rules, or disabling it.

Detection

  • ID: DT082
  • Name: Windows Event Log, Local Firewall Changes

Description:

Event ID 4946: A change has been made to Windows Firewall exception list. A rule was added.

This event indicates that a rule has been added to the Windows Firewall exception list and logs information about the rule that was added.


Event ID 4947: A change has been made to Windows Firewall exception list. A rule was modified.

This event is logged when an existing rule in the Windows Firewall exception list is modified. It provides details about the rule that was changed.


Event ID 4948: A change has been made to Windows Firewall exception list. A rule was deleted.

This event is logged when a rule is deleted from the Windows Firewall exception list. It provides details about the rule that was removed.


Event ID 4950: A Windows Firewall setting has changed.

This event indicates that a change has been made to the Windows Firewall's global configuration, such as enabling or disabling the firewall.
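The four event IDs above applied to constructed Security-log records, as an added example that is not part of the ITM entry: it filters the firewall-change events out of a mixed export, rates a 4950 that turns the firewall off highest, and downgrades changes made by an approved change-management account. The record field names and the approved-account list are assumptions, not an official schema.

```python
# Triage Windows Security log records for the four firewall-change event IDs above.

# Event IDs named in this entry, mapped to the change each one records.
FIREWALL_EVENT_IDS = {4946: "rule_added", 4947: "rule_modified",
                      4948: "rule_deleted", 4950: "setting_changed"}

# Constructed sample records, shaped like a JSON export of the Security log.
# The field names (EventID, SubjectUserName, RuleName, Profile, SettingType,
# SettingValue) are assumptions about that export, not official schema names.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "j.doe"},  # unrelated logon, ignored
    {"EventID": 4946, "SubjectUserName": "j.doe", "Profile": "Domain",
     "RuleName": "Allow TCP 4444 inbound"},
    {"EventID": 4947, "SubjectUserName": "svc_patch", "Profile": "Private",
     "RuleName": "Core Networking - DNS"},
    {"EventID": 4948, "SubjectUserName": "j.doe", "Profile": "Domain",
     "RuleName": "Block SMB outbound"},
    {"EventID": 4950, "SubjectUserName": "j.doe", "Profile": "Public",
     "SettingType": "Enable Windows Firewall", "SettingValue": "No"},
]


def triage_firewall_events(events, approved_accounts=frozenset()):
    """One finding per firewall-change event; other event IDs are skipped.

    Severity: high when a 4950 turns the firewall off, medium for any other
    rule or setting change, low when the actor is an approved change account.
    """
    findings = []
    for ev in events:
        category = FIREWALL_EVENT_IDS.get(ev.get("EventID"))
        if category is None:
            continue
        user = ev.get("SubjectUserName", "unknown")
        disabled = (category == "setting_changed"
                    and ev.get("SettingType") == "Enable Windows Firewall"
                    and str(ev.get("SettingValue", "")).lower() == "no")
        if user in approved_accounts:
            severity = "low"
        elif disabled:
            severity = "high"
        else:
            severity = "medium"
        detail = ev.get("RuleName") or f"{ev.get('SettingType')}={ev.get('SettingValue')}"
        findings.append({"event_id": ev["EventID"], "category": category,
                         "user": user, "profile": ev.get("Profile", "unknown"),
                         "detail": detail, "firewall_disabled": disabled,
                         "severity": severity})
    return findings
```

Running `triage_firewall_events(SAMPLE_EVENTS, {"svc_patch"})` yields four findings, with the 4950 that disabled the Public profile rated high and the 4947 by the approved account rated low.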