ITM is an open framework - Submit your contributions now.

Preparation

Archive Data

Boot Order Manipulation

CCTV Enumeration

Circumventing Security Controls

Data Obfuscation

Renaming Files or Changing File Extensions

Data Staging

Device Mounting

Email Collection

External Media Formatting

File Exploration

IT Ticketing System Exploration

Network Scanning

Physical Disk Removal

Physical Exploration

Physical Item Smuggling

Private / Incognito Browsing

Read Windows Registry

Security Software Enumeration

Social Engineering (Outbound)

Software Installation

Software or Access Request

Managerial Approval

Suspicious Web Browsing

Testing Ability to Print

ID: PR018.004
Created: 23rd July 2024
Updated: 24th July 2024
Platforms: Windows, Linux, MacOS
Contributor: The ITM Team

Modifying a Host-Based Firewall

A subject abuses their access or conducts unapproved changes by modifying the local host firewall, such as editing inbound or outbound rules, or disabling it.

Detection

ID	Name	Description
DT082	Windows Event Log, Local Firewall Changes	Event ID 4946: A change has been made to Windows Firewall exception list. A rule was added. This event indicates that a change has been made to the Windows Firewall settings and typically logs information about the specific settings that were changed. Event ID 4947: A change has been made to Windows Firewall exception list. A rule was modified. This event is logged when an outbound rule is modified in the Windows Firewall. It provides details about the rule that was changed. Event ID 4948: A change has been made to Windows Firewall exception list. A rule was deleted. This event is logged when an inbound rule is modified in the Windows Firewall. It provides details about the rule that was changed. Event ID 4950: A Windows Firewall setting has changed. This event indicates that a change has been made to the Windows Firewall's global configuration, such as enabling or disabling the firewall.