
4948 A rule in the Windows Firewall exception list was deleted

Logged when a rule is deleted from the Windows Firewall exception list. Its main security value is capturing the opening of a defensive gap through the removal of a block rule.

Overview

The audit subcategory is Audit MPSSVC Rule-Level Policy Change. The event is generated when a rule is deleted from the exception list. Together with 4946 (rule added) and 4947 (rule modified), it provides a complete history of firewall rule changes.

How it is triggered

  • Deletion of an existing firewall rule (netsh, Remove-NetFirewallRule, the GUI, etc.).

Security review points

  • Deleting a defensive block rule re-allows communication that had been blocked, which can be preparation for an attack (defense evasion). Check whether the deleted rule was an allow rule or a block rule.
  • An attacker may also later delete an allow rule they added earlier (4946) in order to erase traces. Cross-reference the deletion with the addition (4946) and modification (4947) history for the same rule.

Notes for log review

  • The event also occurs legitimately, for example when software is uninstalled and removes its own rules. Compare the nature of the deleted rule (block/allow) and the deleting subject against normal patterns.
  • Pay particular attention to the deletion of security-critical block rules.
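The triage logic described in the two sections above (block-versus-allow classification of the deleted rule, and cross-referencing with a preceding 4946 for the same rule name) as an added example, not code from the original page. The events and the rule inventory are constructed sample data; the flat-dict record shape, with keys derived from the page's field names, is an assumption about how a SIEM or Get-WinEvent export might present 4946/4948 records. The inventory (rule name to Block/Allow) is assumed to come from a separately exported baseline, since the 4948 event itself carries the rule name but not its action.

```python
"""Triage Windows Firewall rule deletions (event 4948) against additions (4946)."""
from datetime import datetime, timedelta

# Look-back window for an "added then deleted" pattern (assumed value).
WINDOW = timedelta(hours=24)

# Constructed baseline: rule name -> action, as exported before the review.
RULE_INVENTORY = {
    "Block Outbound Telnet": "Block",
    "Contoso Updater (TCP-In)": "Allow",
}

# Constructed sample events, oldest first. Keys follow the page's fields
# (Rule Name, Modifying Application); the record shape is an assumption.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4946,
     "rule_name": "Allow Custom Tool (TCP-In)",
     "modifying_application": "C:\\Windows\\System32\\netsh.exe"},
    {"time": "2024-05-01T09:30:00", "event_id": 4948,
     "rule_name": "Allow Custom Tool (TCP-In)",
     "modifying_application": "C:\\Windows\\System32\\netsh.exe"},
    {"time": "2024-05-01T10:00:00", "event_id": 4948,
     "rule_name": "Block Outbound Telnet",
     "modifying_application": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"time": "2024-05-01T11:00:00", "event_id": 4948,
     "rule_name": "Contoso Updater (TCP-In)",
     "modifying_application": "C:\\Windows\\System32\\msiexec.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def triage_deletions(events, inventory, window=WINDOW):
    """Return one finding dict per 4948 event, in input order.

    Severity rules: deleting a block rule is high; deleting an allow rule is
    low (typical of uninstalls); a rule missing from the baseline is medium;
    any deletion preceded by a 4946 for the same rule name inside the window
    is raised to high (possible trace erasure).
    """
    additions = [e for e in events if e["event_id"] == 4946]
    findings = []
    for ev in events:
        if ev["event_id"] != 4948:
            continue
        name = ev["rule_name"]
        action = inventory.get(name)
        reasons = []
        if action == "Block":
            severity = "high"
            reasons.append("deleted a block rule (defensive gap opened)")
        elif action == "Allow":
            severity = "low"
            reasons.append("deleted an allow rule (expected during uninstall)")
        else:
            severity = "medium"
            reasons.append("deleted rule absent from baseline inventory")

        # Cross-reference: was this same rule added (4946) shortly before?
        recent_adds = [
            a for a in additions
            if a["rule_name"] == name
            and timedelta(0) <= _ts(ev) - _ts(a) <= window
        ]
        if recent_adds:
            severity = "high"
            age = _ts(ev) - _ts(recent_adds[-1])
            reasons.append(f"rule was added (4946) {age} earlier; possible trace erasure")

        findings.append({
            "rule_name": name,
            "modifying_application": ev["modifying_application"],
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_deletions(EVENTS, RULE_INVENTORY):
        print(f["severity"].upper(), f["rule_name"], "-", "; ".join(f["reasons"]))
```

The modifying application is carried through unchanged so a reviewer can apply the "deleting subject against normal patterns" check by hand: an installer removing its own allow rule reads very differently from a shell or scripting host removing a block rule.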

Key fields

Field                    Meaning
Rule Name                The deleted rule
Modifying Application    The process that performed the deletion
