ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT082
  • Created: 24th July 2024
  • Updated: 24th July 2024
  • Platform: Windows
  • Contributor: The ITM Team

Windows Event Log, Local Firewall Changes

Event ID 4946: A change has been made to Windows Firewall exception list. A rule was added.

This event indicates that a change has been made to the Windows Firewall settings and typically logs information about the specific settings that were changed.

 

Event ID 4947: A change has been made to Windows Firewall exception list. A rule was modified.

This event is logged when an outbound rule is modified in the Windows Firewall. It provides details about the rule that was changed.

 

Event ID 4948: A change has been made to Windows Firewall exception list. A rule was deleted.

This event is logged when an inbound rule is modified in the Windows Firewall. It provides details about the rule that was changed.

 

Event ID 4950: A Windows Firewall setting has changed.

This event indicates that a change has been made to the Windows Firewall's global configuration, such as enabling or disabling the firewall.

Sections

ID Name Description
PR018Circumventing Security Controls

A subject abuses their access or conducts unapproved changes to circumvent host-based security controls.

PR018.004Modifying a Host-Based Firewall

A subject abuses their access or conducts unapproved changes by modifying the local host firewall, such as editing inbound or outbound rules, or disabling it.