This note documents detection patterns for Windows Firewall activity (allowed and blocked connections, and rule and policy changes) in Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5156 | Allowed connection | Critical | Most important firewall allow event. Includes process and ports. |
| Security | 5157 | Blocked connection | Critical | Detects denied outbound/inbound traffic. |
| Security | 5152 | Packet dropped | High | Low-level packet filtering evidence. |
| Security | 5153 | Packet allowed | High | Raw packet acceptance event. |
| Security | 4946 | Firewall rule added | Critical | New inbound/outbound rule created. |
| Security | 4947 | Firewall rule modified | Critical | Existing rule altered. |
| Security | 4948 | Firewall rule deleted | Critical | Rule removed. |
| Security | 4949 | Firewall settings restored | High | Firewall restored to default configuration. |
| Security | 4950 | Firewall setting changed | High | General policy modification. |
| Security | 4954 | Firewall Group Policy changed | High | Firewall policy applied through Group Policy. |
| Sysmon | 3 | Network connection | Critical | Strongest process-to-network correlation. |
| Firewall Provider | 2004 | Rule added | Critical | Rule creation (validate channel on target OS). |
| Firewall Provider | 2005 | Rule modified | Critical | Rule changed (validate channel on target OS). |
| Firewall Provider | 2006 | Rule deleted | Critical | Rule removed (validate channel on target OS). |
| Firewall Provider | 2033 | Setting changed | High | Policy altered (validate channel on target OS). |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Rare outbound port | High destination port uncommon for host | High | Possible C2 or exfiltration |
| Internal host unusual target | Lateral movement path | Critical | Suspicious east-west traffic |
| Block immediately followed by allow | Rule tampering | Critical | Policy bypass clue |
| Firewall disabled then activity starts | Defense evasion | Critical | Strong malicious indicator |
| New allow rule for uncommon binary | Persistence | Critical | Often malware staging |
| Repeated dropped outbound attempts | Beacon retry | High | Malware trying fallback |
| SYSTEM process unusual outbound | Privileged abuse | Critical | Often service abuse |
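Three rows of the table above (block immediately followed by allow, firewall disabled then activity starts, repeated dropped outbound attempts) are sequence patterns rather than single events. The following is an added example, not code from the original note, showing how each is expressed over Security-log records. The input is a list of records in the shape of a JSON export; the field names (Time, Computer, Application, DestAddress, DestPort, Direction, SettingType, SettingValue) and every value in the sample are constructed, and Direction is used in its rendered Inbound/Outbound form (raw event XML carries it as a %%-coded value).

```python
"""Sequence checks for three indirect indicators (added example, not from the
original note).  Field names and sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

UPD = r"\device\harddiskvolume2\users\bob\appdata\local\temp\upd.exe"
SAMPLE_EVENTS = [
    # WS01: blocked -> rule added -> allowed, same destination (rule tampering)
    {"EventID": 5157, "Time": "2024-05-01T10:00:00", "Computer": "WS01", "Direction": "Outbound",
     "Application": UPD, "DestAddress": "203.0.113.10", "DestPort": "4444"},
    {"EventID": 4946, "Time": "2024-05-01T10:00:30", "Computer": "WS01",
     "SubjectUserName": "bob", "RuleName": "Updater"},
    {"EventID": 5156, "Time": "2024-05-01T10:00:45", "Computer": "WS01", "Direction": "Outbound",
     "Application": UPD, "DestAddress": "203.0.113.10", "DestPort": "4444"},
    # WS02: firewall switched off for the Domain profile, then outbound activity
    {"EventID": 4950, "Time": "2024-05-01T11:00:00", "Computer": "WS02", "Profile": "Domain",
     "SettingType": "Enable Windows Firewall", "SettingValue": "No"},
    {"EventID": 5156, "Time": "2024-05-01T11:02:10", "Computer": "WS02", "Direction": "Outbound",
     "Application": r"\device\harddiskvolume2\windows\temp\svc.exe",
     "DestAddress": "198.51.100.7", "DestPort": "443"},
] + [
    # WS03: four blocked outbound attempts to one destination within four minutes
    {"EventID": 5157, "Time": f"2024-05-01T12:0{i}:00", "Computer": "WS03", "Direction": "Outbound",
     "Application": r"\device\harddiskvolume2\programdata\agent.exe",
     "DestAddress": "192.0.2.44", "DestPort": "8443"}
    for i in range(4)
]


def _t(ev):
    return datetime.fromisoformat(ev["Time"])


def block_then_allow(events, window=timedelta(minutes=5)):
    """5157 (blocked) followed by 5156 (allowed) for the same host/destination/port.
    A rule add or modify (4946/4947) on that host between the two raises the
    finding to critical: the 'block immediately followed by allow' row."""
    events = sorted(events, key=_t)
    findings = []
    for i, blk in enumerate(events):
        if blk["EventID"] != 5157:
            continue
        key = (blk["Computer"], blk["DestAddress"], blk["DestPort"])
        for later in events[i + 1:]:
            if _t(later) - _t(blk) > window:
                break
            if later["EventID"] == 5156 and \
                    (later["Computer"], later["DestAddress"], later["DestPort"]) == key:
                tamper = any(e["EventID"] in (4946, 4947) and e["Computer"] == key[0]
                             and _t(blk) <= _t(e) <= _t(later) for e in events)
                findings.append({"host": key[0], "dest": f"{key[1]}:{key[2]}",
                                 "app": later.get("Application"),
                                 "rule_change_between": tamper,
                                 "severity": "critical" if tamper else "high"})
                break
    return findings


def disabled_then_activity(events, window=timedelta(minutes=30)):
    """4950 reporting the firewall turned off, followed by allowed connections
    (5156) on the same host: the 'firewall disabled then activity starts' row.
    The SettingType/SettingValue test mirrors the rendered 4950 message (assumed)."""
    events = sorted(events, key=_t)
    findings = []
    for i, off in enumerate(events):
        if off["EventID"] != 4950 or off.get("SettingType") != "Enable Windows Firewall" \
                or off.get("SettingValue") != "No":
            continue
        conns = [e for e in events[i + 1:] if e["EventID"] == 5156
                 and e["Computer"] == off["Computer"] and _t(e) - _t(off) <= window]
        if conns:
            findings.append({"host": off["Computer"], "profile": off.get("Profile"),
                             "connections_after_disable": len(conns),
                             "first_app": conns[0].get("Application"), "severity": "critical"})
    return findings


def repeated_drops(events, threshold=3, window=timedelta(minutes=10)):
    """At least `threshold` blocked outbound attempts (5157) from one process to
    one destination inside the window: the 'beacon retry' row."""
    buckets = defaultdict(list)
    for e in events:
        if e["EventID"] == 5157 and e.get("Direction") == "Outbound":
            buckets[(e["Computer"], e.get("Application"),
                     e["DestAddress"], e["DestPort"])].append(_t(e))
    findings = []
    for (host, app, ip, port), times in buckets.items():
        times.sort()
        if len(times) >= threshold and times[-1] - times[0] <= window:
            findings.append({"host": host, "app": app, "dest": f"{ip}:{port}",
                             "attempts": len(times), "severity": "high"})
    return findings


if __name__ == "__main__":
    for check in (block_then_allow, disabled_then_activity, repeated_drops):
        for f in check(SAMPLE_EVENTS):
            print(check.__name__, f)
```

Each function returns a list of findings so the same code can be fed from a SIEM export; the windows and the drop threshold are tuning knobs, and in production the 4950 test should be extended to cover per-profile settings beyond the one shown.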
Common Tools
| Tool | Usage |
|---|---|
| netsh advfirewall | Firewall rule management |
| PowerShell NetFirewall* cmdlets | Rule creation / modification |
| wf.msc | GUI firewall management |
| netstat | Connection visibility |
| TCPView | Live process-to-port mapping |
| Sysmon | Process-linked network telemetry |
Relevant Artifacts
- Security Event IDs 5156, 5157, 5152, 5153
- Security Event IDs 4946, 4947, 4948, 4950
- Sysmon Event ID 3
- Firewall policy files: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
- Registry: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
- GPO firewall rules
- EDR network lineage
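pfirewall.log, listed above, is a plain text file in W3C-style format: lines starting with `#` are header comments and the `#Fields:` line names the space-separated columns. The following is an added example, not code from the original note, that reads the column list from the file itself (so the extra `pid` column present on newer builds is handled without changes) and applies two rows of the indirect-indicator table to the parsed rows: rare outbound port, and internal host unusual target (east-west traffic to admin service ports). The log text and the port lists are constructed for the example.

```python
"""pfirewall.log parser plus two indicator checks (added example, not from the
original note).  The log text below is constructed."""
import ipaddress

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 10.0.0.15 203.0.113.10 51234 4444 52 S 3210987 0 64240 - - - SEND
2024-05-01 10:00:11 DROP TCP 10.0.0.15 203.0.113.10 51235 4444 52 S 3210988 0 64240 - - - SEND
2024-05-01 10:00:21 DROP TCP 10.0.0.15 203.0.113.10 51236 4444 52 S 3210989 0 64240 - - - SEND
2024-05-01 10:00:30 ALLOW TCP 10.0.0.15 10.0.0.2 51240 445 0 - 0 0 0 - - - SEND
2024-05-01 10:00:35 ALLOW UDP 10.0.0.15 10.0.0.2 54000 53 0 - 0 0 0 - - - SEND
2024-05-01 10:00:38 ALLOW TCP 10.0.0.15 10.0.0.31 51250 3389 0 - 0 0 0 - - - SEND
2024-05-01 10:00:40 DROP TCP 203.0.113.99 10.0.0.15 40000 3389 52 S 1 0 8192 - - - RECEIVE
"""

# Ports treated as routine for outbound traffic; tune per environment (constructed list).
COMMON_OUTBOUND_PORTS = frozenset({"53", "80", "88", "135", "389", "443", "445", "636"})
# Admin / remote-service ports that matter for east-west traffic (constructed list).
LATERAL_PORTS = frozenset({"135", "445", "3389", "5985", "5986"})


def parse_pfirewall(text):
    """Return one dict per data row, keyed by the names on the '#Fields:' line."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or partially written row; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def rare_outbound_ports(rows, common=COMMON_OUTBOUND_PORTS):
    """Outbound (SEND) rows to a destination port outside the common set,
    de-duplicated on source, destination and action."""
    seen, out = set(), []
    for r in rows:
        if r["path"] != "SEND" or r["dst-port"] in common:
            continue
        key = (r["src-ip"], r["dst-ip"], r["dst-port"], r["action"])
        if key not in seen:
            seen.add(key)
            out.append({"src": r["src-ip"], "dest": f'{r["dst-ip"]}:{r["dst-port"]}',
                        "action": r["action"]})
    return out


def east_west_connections(rows):
    """Allowed outbound rows where both ends are private addresses and the
    destination is an admin service port.  Known jump hosts would be suppressed
    in a real deployment; here everything is reported."""
    out = []
    for r in rows:
        if r["action"] != "ALLOW" or r["path"] != "SEND" or r["dst-port"] not in LATERAL_PORTS:
            continue
        try:
            src, dst = ipaddress.ip_address(r["src-ip"]), ipaddress.ip_address(r["dst-ip"])
        except ValueError:
            continue  # malformed address field
        if src.is_private and dst.is_private:
            out.append({"src": r["src-ip"], "dest": f'{r["dst-ip"]}:{r["dst-port"]}',
                        "time": f'{r["date"]} {r["time"]}'})
    return out


if __name__ == "__main__":
    parsed = parse_pfirewall(SAMPLE_LOG)
    print(len(parsed), "rows")
    for f in rare_outbound_ports(parsed):
        print("rare outbound port:", f)
    for f in east_west_connections(parsed):
        print("east-west:", f)
```

Reading the column names from the header is the important design point: the file is written incrementally, the last line is often partial, and column layout differs between OS builds, so hard-coded offsets break silently.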
MITRE ATT&CK References
- T1071 Application Layer Protocol
- T1049 System Network Connections Discovery
- T1562.004 Disable or Modify Firewall
- T1021 Remote Services
Decision Tree
- Was traffic allowed or blocked?
  - 5156
  - 5157
- Which process owns the traffic?
  - Process ID
  - Sysmon correlation
- Destination suspicious?
  - External
  - Internal lateral
- Rule changed?
  - Added
  - Modified
  - Deleted
- Timing relation:
  - Before compromise
  - During execution
  - Before persistence
- Expand:
  - Parent process
  - DNS
  - File creation
Detection
KQL
```kql
SecurityEvent
| where EventID == 5156
| project TimeGenerated, Computer, Application, SourceAddress, DestAddress, DestPort
```

```kql
SecurityEvent
| where EventID in (4946, 4947, 4948)
| project TimeGenerated, Computer, EventID, Activity
```
EQL
```eql
network where event.code == "5156"
```

```eql
sequence by host.name with maxspan=5m
  [ process where true ]
  [ network where true ]
```
Sigma
```yaml
title: Suspicious Firewall Rule Modification
id: firewall-rule-modification
status: experimental
description: Detects firewall rule creation or modification
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-12
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4946
      - 4947
      - 4948
  condition: selection
fields:
  - SubjectUserName
  - RuleName
falsepositives:
  - Administrator changes
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.004
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Firewall auditing | Enable 5156 / 5157 | Critical | Essential visibility |
| Rule monitoring | Alert on 4946-4948 | Critical | Detect policy tampering |
| Egress filtering | Restrict outbound | High | Limits beaconing |
| Rule baseline | Compare against standard | High | Detect rogue entries |
| Sysmon correlation | Process + network | Critical | Strongest investigation path |