Threat Feed
medium advisory

Windows Firewall Rule Added via Event ID 4946

This detection identifies instances where a Windows Firewall rule is added, by monitoring for Event ID 4946 in the Windows Security Event Log. Such additions can indicate unauthorized changes or malicious activity, such as an attacker allowing traffic for a backdoor or persistence mechanism.

This detection focuses on identifying instances where a Windows Firewall rule is added, as indicated by Event ID 4946 in the Windows Security Event Log. While firewall rule modifications can be legitimate administrative actions, they can also signify unauthorized changes, misconfigurations, or malicious activity. Attackers might modify firewall rules to allow traffic for backdoors, persistence mechanisms, or to facilitate lateral movement within a network. Monitoring these events helps security teams determine if changes align with expected behavior, identify potential security risks, and differentiate between false positives and genuine threats.

Attack Chain

  1. An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker escalates privileges to gain administrative rights on the system.
  3. The attacker uses command-line tools (e.g., netsh, PowerShell) or the Windows Firewall GUI to create a new Windows Firewall rule.
  4. Event ID 4946 is generated in the Windows Security Event Log, recording the details of the new firewall rule (RuleName, RuleId, etc.).
  5. The newly created firewall rule allows inbound or outbound traffic on a specific port, enabling a backdoor or command-and-control channel.
  6. The attacker establishes a connection to the compromised system through the newly opened port.
  7. The attacker uses this connection for lateral movement to other systems on the network or for data exfiltration.

Impact

A successful attack involving unauthorized firewall rule modification can lead to several adverse outcomes. Attackers can establish persistent backdoors, enabling long-term access to compromised systems. This can lead to data theft, disruption of services, or further compromise of the network. Identifying unauthorized firewall changes is critical for preventing and mitigating these risks.

Recommendation

  • Enable Windows Security Event Log auditing to capture Event ID 4946, ensuring the collection of relevant fields such as RuleName, RuleId, Computer, and ProfileChanged.
  • Deploy the Sigma rule “Windows Firewall Rule Added” to your SIEM to detect anomalous firewall rule additions, and tune the rule based on your environment’s baseline.
  • Investigate any alerts generated by the Sigma rule “Windows Firewall Rule Added”, correlating with user activity and process execution to distinguish false positives from real threats.
  • Monitor for suspicious processes (e.g., netsh.exe, powershell.exe) creating firewall rules.
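The following is an added example, not part of the advisory or the vendor's own detection content. It shows the logic the overview and the recommendations above describe: parse Security log records, keep only Event ID 4946 (rule added), extract RuleName, RuleId, Computer and ProfileChanged, and suppress additions whose names match an environment baseline so that only unexpected rule additions surface for investigation. The sample events, the host name, the rule names and the baseline patterns are all constructed for illustration and are not taken from the advisory.

```python
"""Flag Windows Firewall rule additions (Security Event ID 4946) that fall outside a baseline.

Added example: input is event XML as exported by wevtutil or Get-WinEvent's ToXml();
the sample events and baseline below are constructed, not real telemetry.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Namespace used by every Windows Event Log XML record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass
class FirewallRuleAdded:
    computer: str
    time_created: str
    profile: str    # EventData "ProfileChanged": Domain, Private, Public or All
    rule_name: str  # EventData "RuleName"
    rule_id: str    # EventData "RuleId" (a GUID)


def parse_4946(xml_text: str) -> Optional[FirewallRuleAdded]:
    """Return the fields of a Security event 4946, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", namespaces=NS) != "4946":
        return None  # e.g. 4947 (rule modified) or 4948 (rule deleted) are out of scope here
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    time_el = system.find("e:TimeCreated", NS)
    return FirewallRuleAdded(
        computer=system.findtext("e:Computer", default="", namespaces=NS),
        time_created=time_el.get("SystemTime", "") if time_el is not None else "",
        profile=data.get("ProfileChanged", ""),
        rule_name=data.get("RuleName", ""),
        rule_id=data.get("RuleId", ""),
    )


# Constructed baseline: rule names this (hypothetical) environment expects to see added
# routinely. This is the tuning step the advisory recommends; anything else is alerted on.
DEFAULT_BASELINE = [
    r"^CoreNet-",           # built-in core networking rules re-created by Windows
    r"^Remote Desktop - ",  # RDP rules enabled through the Settings app
    r"^@\{.*\}",            # resource-string names used by packaged (Store) apps
]


def detect_unbaselined_rule_additions(
    events_xml: List[str], baseline: List[str] = DEFAULT_BASELINE
) -> List[FirewallRuleAdded]:
    """Apply the 4946 detection and drop additions whose RuleName matches the baseline."""
    compiled = [re.compile(p) for p in baseline]
    alerts: List[FirewallRuleAdded] = []
    for xml_text in events_xml:
        ev = parse_4946(xml_text)
        if ev is None:
            continue
        if any(rx.search(ev.rule_name) for rx in compiled):
            continue  # expected administrative change; suppress
        alerts.append(ev)
    return alerts


def _event(event_id: int, computer: str, when: str, profile: str, name: str, rule_id: str) -> str:
    """Build a minimal, constructed Security log record in the real XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="ProfileChanged">{profile}</Data>
    <Data Name="RuleName">{name}</Data>
    <Data Name="RuleId">{rule_id}</Data>
  </EventData>
</Event>"""


# Constructed sample: two expected additions, one unexpected addition, one non-4946 event.
SAMPLE_EVENTS = [
    _event(4946, "WS01.corp.example", "2024-05-01T09:00:00.000Z", "All",
           "CoreNet-DHCP-In", "{CONSTRUCTED-GUID-0001}"),
    _event(4946, "WS01.corp.example", "2024-05-01T09:05:00.000Z", "Domain",
           "Remote Desktop - User Mode (TCP-In)", "{CONSTRUCTED-GUID-0002}"),
    _event(4946, "WS01.corp.example", "2024-05-01T23:41:17.000Z", "Public",
           "svc_update", "{CONSTRUCTED-GUID-0003}"),
    _event(4947, "WS01.corp.example", "2024-05-01T23:42:00.000Z", "Public",
           "svc_update", "{CONSTRUCTED-GUID-0003}"),  # rule modified, not added
]

if __name__ == "__main__":
    for a in detect_unbaselined_rule_additions(SAMPLE_EVENTS):
        print(f"[medium] {a.time_created} {a.computer}: rule '{a.rule_name}' "
              f"({a.rule_id}) added to profile {a.profile}")
```

Event ID 4946 is only written when the "Audit MPSSVC Rule-Level Policy Change" subcategory (under Policy Change) is enabled for success; without it the parser above has nothing to read. The event itself does not record which process created the rule, so the correlation step in the recommendations (netsh.exe, powershell.exe) has to come from process-creation telemetry joined on host and time, which is why the second rule in the coverage list below exists.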

Detection coverage (2 rules)

Windows Firewall Rule Added

medium

Detects when a new Windows Firewall rule is added based on Event ID 4946.

Type: sigma | Tactics: defense_evasion | Sources: process_creation, windows

Windows Firewall Rule Added via PowerShell

medium

Detects the creation of Windows Firewall rules via PowerShell commands.

Type: sigma | Tactics: defense_evasion | Sources: process_creation, windows
