4946 A rule was added to the Windows Firewall exception list
Written when a rule is added to the Windows Firewall exception list. It is an important event for catching an attacker securing a communication path (C2, lateral movement).
Overview
The subcategory is Audit MPSSVC Rule-Level Policy Change. It is generated when a new rule is added to the firewall exception (allow) list. It includes the added rule’s port, program, direction, and so on.
How it is triggered
- Rule addition via netsh advfirewall, New-NetFirewallRule, the GUI, Group Policy, and so on.
Security review points
- Attackers add rules allowing inbound/outbound for C2 communication, remote access, or lateral movement (MITRE ATT&CK Impair Defenses / allowing communication). Check the added allow rule’s port (RDP 3389, SMB 445, custom ports, etc.) and program.
- Allows for unexpected programs (an executable in a temp folder, etc.) or additions of outbound allows are notable. Correlate with process creation 4688 to track who added it.
Notes for log review
- Rules are also added legitimately during software installs. Match the added rule’s port, program, and adding subject against normal patterns.
- Alerting narrowed to inbound allows (especially management ports) or allows for unfamiliar programs is effective. Track together with modification 4947 and deletion 4948.
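The review points and log-review notes above describe a triage: pull 4946 (together with 4947/4948), flag inbound allows on management ports or allows for programs in unusual folders, and correlate with 4688 to see which process and user added the rule. The PowerShell below is an added example written for this page, not code from the original or from Microsoft. It assumes the EventData field names RuleName, Direction, Action, LocalPorts, ApplicationPath and ModifyingApplication (chosen to match the labels in the Key fields table; confirm them against a real event's XML on your build), and NewProcessName / SubjectUserName for 4688.

```powershell
# Added example: triage firewall exception-list changes (4946/4947/4948)
# and correlate them with process creation (4688).
# Field names inside EventData are assumptions; verify on a real event.

# Ports the text singles out; extend with your environment's management ports.
$ManagementPorts = @('3389', '445')
# Folders where an allowed program is unexpected (temp/download locations).
$UnusualPathPattern = '\\(Temp|AppData\\Local\\Temp|Downloads)\\'

function Get-FirewallRuleChangeEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = 4946, 4947, 4948
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id            # 4946 added, 4947 modified, 4948 deleted
            RuleName    = $data['RuleName']
            Direction   = $data['Direction']
            Action      = $data['Action']
            LocalPorts  = $data['LocalPorts']
            Application = $data['ApplicationPath']
            ModifiedBy  = $data['ModifyingApplication']
        }
    }
}

function Test-NotableRule {
    # Returns the reasons a rule change deserves a closer look, or nothing.
    param([pscustomobject]$Rule)
    $reasons = @()
    if ($Rule.EventId -eq 4946 -and $Rule.Action -match 'Allow') {
        if ($Rule.Direction -match 'Inbound') {
            $ports = ($Rule.LocalPorts -split ',') | ForEach-Object { $_.Trim() }
            $hit = $ports | Where-Object { $ManagementPorts -contains $_ }
            if ($hit) { $reasons += "inbound allow on management port(s) $($hit -join ',')" }
        }
        if ($Rule.Application -and $Rule.Application -match $UnusualPathPattern) {
            $reasons += "allow for program in unusual folder: $($Rule.Application)"
        }
        if ($Rule.Direction -match 'Outbound') {
            $reasons += 'new outbound allow (check program and destination)'
        }
    }
    $reasons
}

function Get-AddingProcess {
    # Correlate with 4688: process creations for the same image shortly before the rule change.
    param([pscustomobject]$Rule, [int]$WindowMinutes = 10)
    if (-not $Rule.ModifiedBy) { return }
    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $Rule.Time.AddMinutes(-$WindowMinutes)
        EndTime   = $Rule.Time
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['NewProcessName'] -eq $Rule.ModifiedBy) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $data['NewProcessName']
                User    = $data['SubjectUserName']
            }
        }
    }
}

# Usage: list notable additions with the process/user that created the rule.
foreach ($rule in Get-FirewallRuleChangeEvents -Days 7) {
    $why = Test-NotableRule -Rule $rule
    if ($why) {
        "{0} [{1}] {2}: {3}" -f $rule.Time, $rule.EventId, $rule.RuleName, ($why -join '; ')
        Get-AddingProcess -Rule $rule | Format-Table -AutoSize
    }
}
```

Run this as an administrator on a host where the Audit MPSSVC Rule-Level Policy Change and Process Creation subcategories are enabled; rules added during known software installs will still surface, so compare the flagged program and adding subject against the baseline the notes above describe before escalating.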
Key fields
| Field | Meaning |
|---|---|
| Rule Name | The added rule name |
| Port / Protocol / Direction | The allowed communication |
| Application Path | The target program |
| Modifying Application | The process that added the rule |