- ID: DT082
- Created: 24th July 2024
- Updated: 24th July 2024
- Platform: Windows
- Contributor: The ITM Team
Windows Event Log, Local Firewall Changes
Event ID 4946: A change has been made to Windows Firewall exception list. A rule was added.
This event is logged when a rule is added to the Windows Firewall exception list, and typically records details of the rule that was added.
Event ID 4947: A change has been made to Windows Firewall exception list. A rule was modified.
This event is logged when an existing rule is modified in the Windows Firewall. It provides details about the rule that was changed.
Event ID 4948: A change has been made to Windows Firewall exception list. A rule was deleted.
This event is logged when a rule is deleted from the Windows Firewall. It provides details about the rule that was removed.
Event ID 4950: A Windows Firewall setting has changed.
This event indicates that a change has been made to the Windows Firewall's global configuration, such as enabling or disabling the firewall.
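The four event IDs above can be triaged from exported event XML, shown here as an added example that is not part of the original detection entry. The sample events are constructed, and the `EventData` field names (`ProfileChanged`, `RuleId`, `RuleName`, `SettingType`, `SettingValue`) and the `Enable Windows Firewall` / `No` setting value are assumptions about how these events render in the Security log.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ACTIONS = {4946: "rule added", 4947: "rule modified",
           4948: "rule deleted", 4950: "setting changed"}

def make_event(event_id, **data):
    """Build a constructed Security-log event in Windows event XML form."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>WS-EXAMPLE</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample input; field names are assumptions (see lead-in).
SAMPLE_EVENTS = [
    make_event(4946, ProfileChanged="All", RuleId="{constructed-id-1}", RuleName="Example Rule A"),
    make_event(4948, ProfileChanged="All", RuleId="{constructed-id-2}", RuleName="Example Rule B"),
    make_event(4950, ProfileChanged="Domain", SettingType="Enable Windows Firewall", SettingValue="No"),
    make_event(4624, TargetUserName="example.user"),  # unrelated logon event
]

def triage(xml_events):
    """Return one finding per firewall-change event, ignoring other IDs."""
    findings = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in ACTIONS:
            continue
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        # A 4950 that switches a profile off is the highest-priority case.
        disabled = (event_id == 4950
                    and "enable" in data.get("SettingType", "").lower()
                    and data.get("SettingValue", "").lower() == "no")
        findings.append({
            "event_id": event_id,
            "action": ACTIONS[event_id],
            "host": root.findtext("e:System/e:Computer", namespaces=NS),
            "profile": data.get("ProfileChanged"),
            "target": data.get("RuleName") or data.get("SettingType"),
            "priority": "high" if disabled else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Findings marked `review` still need correlating against approved change records, since rule additions and deletions are also produced by routine software installs and policy updates.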
Sections
ID | Name | Description |
---|---|---|
PR018 | Circumventing Security Controls | A subject abuses their access or conducts unapproved changes to circumvent host-based security controls. |
PR018.004 | Modifying a Host-Based Firewall | A subject abuses their access or conducts unapproved changes by modifying the local host firewall, such as editing inbound or outbound rules, or disabling it. |