Microsoft-Windows-Security-Auditing › Event 4946

Event ID 4946 — A change has been made to Windows Firewall exception list. A rule was added.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

A change was made to the Windows Firewall exception list. A rule was added.

Message

A change was made to the Windows Firewall exception list. A rule was added.

Profile Changed: %1

Added Rule:
	Rule ID: %2
	Rule Name: %3

Fields

Name            Type           Description
ProfileChanged  UnicodeString  Profile Changed
                               Known values: %%14644 = Public, %%14645 = Private, %%14646 = Domain
RuleId          UnicodeString  [Added Rule] Rule ID
RuleName        UnicodeString  [Added Rule] Rule Name

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4946,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T19:32:55.589972+00:00",
    "event_record_id": 2601879,
    "correlation": {
      "ActivityID": "83C0A038-97BF-4A37-B9EE-DBA4C42967DF"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 1048
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "(null),(null)",
    "RuleId": "{DC92C56C-4138-4D46-B25D-97D3C349B695}",
    "RuleName": "@{Microsoft.DesktopAppInstaller_1.28.220.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}"
  },
  "message": ""
}

Community Notes

This event logs rules that open ports or disable filtering. Attackers may add rules so that implants can communicate with external servers.

Detection Rules

Splunk

  • Windows Firewall Rule Added: This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log. Firewall rule modifications can indicate legitimate administrative actions, but they may also signal unauthorized changes, misconfigurations, or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms. By analyzing fields like RuleName, RuleId, Computer, and ProfileChanged, security teams can determine whether the change aligns with expected behavior. Correlating with user activity and process execution can help distinguish false positives from real threats, ensuring better visibility into potential security risks.
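The triage logic the Splunk rule describes, as an added example that is not part of this reference page nor Splunk's own detection content. It assumes events arrive as JSON lines in the shape of the example event above, decodes the ProfileChanged message IDs from the field table (keeping unknown tokens such as "(null)" verbatim), and compares RuleName against a constructed allowlist of rule-name patterns that an environment expects to see created automatically; the second sample event and its rule ID are constructed placeholders.

```python
"""Triage helper for Windows Security Event 4946 (firewall rule added).

Added example; not code from the reference page or from any vendor.
Assumes one JSON object per line with "system" and "event_data" keys as in
the page's example event. The allowlist and sample events are constructed.
"""
import json
import re

# Message-string IDs for ProfileChanged, as listed in the field table above.
PROFILE_NAMES = {"%%14644": "Public", "%%14645": "Private", "%%14646": "Domain"}

# Constructed allowlist: rule names an environment expects to appear without
# an administrator acting (here, packaged-app rules carrying ms-resource names).
EXPECTED_RULE_PATTERNS = [
    re.compile(r"^@\{[^}]+\?ms-resource://"),
]


def decode_profiles(value):
    """Turn the raw ProfileChanged string into a list of profile names.

    The field may carry several comma-separated tokens. Tokens that are not
    known message IDs (e.g. "(null)" in the page's example) are kept as-is so
    the analyst still sees them rather than an empty list.
    """
    names = []
    for token in value.split(","):
        token = token.strip()
        if token:
            names.append(PROFILE_NAMES.get(token, token))
    return names


def triage_4946(event):
    """Return a normalized triage record for one Event 4946 dict."""
    if event["system"]["event_id"] != 4946:
        raise ValueError("not an Event 4946 record")
    data = event["event_data"]
    rule_name = data.get("RuleName", "")
    profiles = decode_profiles(data.get("ProfileChanged", ""))
    expected = any(p.search(rule_name) for p in EXPECTED_RULE_PATTERNS)
    return {
        "computer": event["system"]["computer"],
        "time": event["system"]["time_created"],
        "rule_id": data.get("RuleId", ""),
        "rule_name": rule_name,
        "profiles": profiles,
        "affects_public_profile": "Public" in profiles,
        "needs_review": not expected,  # anything outside the allowlist
    }


def triage_many(json_lines):
    """Triage JSON-line events; return only the records that need review."""
    findings = []
    for line in json_lines:
        line = line.strip()
        if line:
            record = triage_4946(json.loads(line))
            if record["needs_review"]:
                findings.append(record)
    return findings


def make_event(rule_id, rule_name, profile_changed, computer="LAB-WIN11"):
    """Build a minimal Event 4946 record in the page's JSON shape (constructed)."""
    return {
        "system": {
            "provider": "Microsoft-Windows-Security-Auditing",
            "event_id": 4946,
            "channel": "Security",
            "computer": computer,
            "time_created": "2026-03-11T19:32:55+00:00",
        },
        "event_data": {
            "ProfileChanged": profile_changed,
            "RuleId": rule_id,
            "RuleName": rule_name,
        },
    }


# Constructed sample input: the page's packaged-app rule, then a hypothetical
# manually created rule with a placeholder GUID on the Public and Domain profiles.
SAMPLE_EVENTS = [
    json.dumps(make_event(
        "{DC92C56C-4138-4D46-B25D-97D3C349B695}",
        "@{Microsoft.DesktopAppInstaller_1.28.220.0_x64__8wekyb3d8bbwe"
        "?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}",
        "(null),(null)")),
    json.dumps(make_event(
        "{00000000-0000-0000-0000-000000000001}",  # placeholder, not a real rule
        "Remote Support", "%%14644,%%14646")),
]

if __name__ == "__main__":
    for finding in triage_many(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

Running the block prints only the second sample, flagged for review with profiles decoded to Public and Domain; the packaged-app rule matches the allowlist and is suppressed, which is the false-positive filtering the rule description calls for before correlating with user and process activity.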
