detection.wiki

Microsoft-Windows-Security-Auditing › Event 4948

Event ID 4948 — A change has been made to Windows Firewall exception list. A rule was deleted.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority
Low (Splunk-UBA, others)
Opcode
Info

Description

A change was made to the Windows Firewall exception list. A rule was deleted.

Message #

A change was made to the Windows Firewall exception list. A rule was deleted.
	
Profile Changed: %1

Deleted Rule:
	Rule ID: %2
	Rule Name: %3

Fields #

NameDescription
ProfileChanged UnicodeStringProfile Changed
Known values
%%14644
Public
%%14645
Private
%%14646
Domain
RuleId UnicodeString[Deleted Rule] Rule ID
RuleName UnicodeString[Deleted Rule] Rule Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4948,
    "version": 0,
    "level": 0,
    "task": 13571,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-11T19:32:55.554379+00:00",
    "event_record_id": 2601866,
    "correlation": {
      "ActivityID": "426D61B7-B34A-40F7-B81E-D2D13DCDAEDA"
    },
    "execution": {
      "process_id": 720,
      "thread_id": 1048
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "(null),(null),(null)",
    "RuleId": "{760971F9-D380-483D-AEA7-31795C69819A}",
    "RuleName": "@{Microsoft.DesktopAppInstaller_1.27.470.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Splunk # view in reference

  • Windows Firewall Rule Deletion source: This detection identifies instances where a Windows Firewall rule has been deleted, potentially exposing the system to security risks. Unauthorized removal of firewall rules can indicate an attacker attempting to bypass security controls or malware disabling protections for persistence and command-and-control communication. The event logs details such as the deleted rule name, protocol, port, and the user responsible for the action. Security teams should monitor for unexpected deletions, correlate with related events, and investigate anomalies to prevent unauthorized access and maintain network security posture.

References #