# Windows Firewall Event Logs

## **Windows Firewall Event Logs for Threat Detection**

Windows Firewall logs are a crucial resource for monitoring network activity and detecting potential threats. By focusing on specific **Event IDs**, security analysts can identify unauthorized changes to firewall rules, attempts to disable the firewall, and other suspicious activities that may indicate malicious behavior such as **Command and Control (C2)** communication, **lateral movement**, or **data exfiltration**.

***

## **Key Event IDs for Monitoring Windows Firewall Activity**

### **1. Event ID 2004: Rule Added to Exception List**

* **Log Location**:\
  Application and Services Logs → Microsoft → Windows → Windows Firewall with Advanced Security → Firewall
* **Details**:
  * Triggered when a **new firewall rule** is added.
  * Provides details about the rule’s **name, path, and protocol**.
* **Fields of Interest**:
  * **Rule Name**: Indicates the rule’s intended purpose. Watch for generic or suspicious names.
  * **Application Path**: Verify whether the executable path points to trusted locations (e.g., `C:\Windows\System32`) or suspicious ones (e.g., user temp folders).
  * **Modifying User**: Identify whether the rule was created by **SYSTEM** or by a specific user account.
  * **Protocol and Direction**: Focus on **outbound rules** or protocols like **UDP** that might indicate C2 communication or data exfiltration.
* **Use Case**:\
  Detect unauthorized applications or scripts being allowed through the firewall.

### **2. Event ID 2005: Rule Modified**

* **Log Location**:\
  Same as above.
* **Details**:
  * Logs any **modifications** to existing firewall rules.
* **Fields of Interest**:
  * **Rule ID**: Unique identifier to correlate changes with specific rules.
  * **Modified Settings**: Focus on changes to application paths, protocols, or direction (e.g., changing from inbound to outbound).
* **Use Case**:\
  Identify attempts to modify legitimate rules for malicious purposes, such as enabling unauthorized network traffic or maintaining persistence.

### **3. Event ID 2003: Firewall Disabled**

* **Log Location**:\
  Same as above.
* **Details**:
  * Records a change to a **Windows Firewall** profile setting; with the field values below it means the firewall has been **disabled**.
* **Key Fields**:
  * **New Setting Type**: "Enable Windows Defender Firewall"
  * **Value**: A value of **"No"** indicates the firewall is disabled.
* **Use Case**:\
  Detect and investigate attempts to **disable firewall protection**, which is a significant indicator of an attacker trying to evade detection.
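
As an added example (not code from the original page or from the LetsDefend course it belongs to), the following Python triages the three event types above over constructed sample records. The record keys mirror the rendered field names listed above; the trusted-path prefixes, the drop-folder markers, the known-good rule baseline, and the host and user names are assumptions for illustration, not Microsoft's event schema.

```python
"""Triage of Windows Firewall rule-change events (Event IDs 2004, 2005, 2003).

Added example, not code from the original page.  The events below are
constructed samples whose keys mirror the rendered field names the page
lists (Rule Name, Application Path, Modifying User, Protocol, Direction,
New Setting Type, Value); they are not captured log output, and the
trusted-path list and rule baseline are assumptions for illustration.
"""

# Constructed sample events (hypothetical host WS01, user jdoe and paths).
SAMPLE_EVENTS = [
    {"EventID": 2004, "Rule Name": "Core Networking - DNS (UDP-Out)",
     "Application Path": "C:\\Windows\\System32\\svchost.exe",
     "Modifying User": "SYSTEM", "Protocol": "UDP",
     "Direction": "Outbound", "Action": "Allow"},
    {"EventID": 2004, "Rule Name": "Windows Update Task",
     "Application Path": "C:\\Users\\Public\\Scripts\\updater.exe",
     "Modifying User": "WS01\\jdoe", "Protocol": "UDP",
     "Direction": "Outbound", "Action": "Allow"},
    {"EventID": 2005, "Rule Name": "Remote Desktop - User Mode (TCP-In)",
     "Application Path": "C:\\Windows\\System32\\svchost.exe",
     "Modifying User": "WS01\\jdoe", "Protocol": "TCP",
     "Direction": "Inbound", "Local Ports": "4489", "Action": "Allow"},
    {"EventID": 2003, "New Setting Type": "Enable Windows Defender Firewall",
     "Value": "No", "Profiles": "Domain", "Modifying User": "WS01\\jdoe"},
]

# Assumed known-good state of rules worth watching, keyed by rule name.
# 3389 is the default RDP listener port; the rest is illustrative.
BASELINE = {
    "Remote Desktop - User Mode (TCP-In)": {
        "Application Path": "C:\\Windows\\System32\\svchost.exe",
        "Protocol": "TCP", "Direction": "Inbound", "Local Ports": "3389",
    },
}

# Assumed trusted install locations and markers of user-writable drop folders.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SUSPICIOUS_MARKERS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\")


def normalize(path):
    """Lower-case and use backslashes so prefix checks are case-insensitive."""
    return path.lower().replace("/", "\\")


def path_is_trusted(path):
    """True only if the executable sits under a trusted prefix and not in a drop folder."""
    p = normalize(path)
    return p.startswith(TRUSTED_PREFIXES) and not any(m in p for m in SUSPICIOUS_MARKERS)


def triage(event, baseline=BASELINE):
    """Return the findings for one event; an empty list means nothing notable."""
    findings = []
    eid = event["EventID"]

    if eid == 2003:
        # The page's key fields for a disable: the setting type plus the value "No".
        if (event.get("New Setting Type") == "Enable Windows Defender Firewall"
                and event.get("Value") == "No"):
            findings.append("firewall disabled on %s profile by %s"
                            % (event.get("Profiles", "?"), event.get("Modifying User", "?")))
        return findings

    if eid not in (2004, 2005):
        return findings

    path = event.get("Application Path", "")
    user = event.get("Modifying User", "")
    if path and not path_is_trusted(path):
        findings.append("application path outside trusted locations: " + path)
    if (event.get("Direction") == "Outbound" and event.get("Action") == "Allow"
            and user.upper() != "SYSTEM"):
        findings.append("outbound allow rule (%s) created by user account %s"
                        % (event.get("Protocol", "?"), user))

    if eid == 2005 and event["Rule Name"] in baseline:
        # Compare the modified rule against its known-good state field by field.
        for key, expected in baseline[event["Rule Name"]].items():
            actual = event.get(key)
            if actual != expected:
                findings.append("%s changed from %s to %s" % (key, expected, actual))
    return findings


def triage_all(events, baseline=BASELINE):
    """Triage a batch and keep only the events that produced findings."""
    report = []
    for ev in events:
        hits = triage(ev, baseline)
        if hits:
            report.append({"EventID": ev["EventID"],
                           "Rule Name": ev.get("Rule Name", "<firewall setting>"),
                           "Modifying User": ev.get("Modifying User", "?"),
                           "findings": hits})
    return report


if __name__ == "__main__":
    for item in triage_all(SAMPLE_EVENTS):
        print(item["EventID"], item["Rule Name"], item["Modifying User"])
        for f in item["findings"]:
            print("   -", f)
```

Comparing a 2005 event against a known-good baseline is what lets the check say which field changed (here the RDP rule's local port) rather than only that the rule was touched; in practice the baseline would come from a rule export taken when the host was built, and the trusted prefixes would be narrowed to the organisation's actual software inventory.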

***

## **Attack Detection Scenarios**

### **1. Suspicious Application Rules**

* **Indicators**:
  * Outbound rules allowing uncommon protocols (e.g., **UDP**).
  * Non-standard ports commonly used for **C2 traffic** or **data exfiltration**.
* **Example**:\
  A rule named **"Windows Update Task"** that allows outbound traffic for an executable located in **`C:\Users\Public\Scripts`**.

### **2. Rule Modifications**

* **Indicators**:
  * Existing rules modified to allow broader access or to point to **malicious executables**.
  * Legitimate service rules altered to permit **backdoor communication**.
* **Example**:\
  A rule for **Remote Desktop** modified to allow traffic on a non-standard port, potentially indicating **lateral movement**.

### **3. Firewall Disabling**

* **Indicators**:
  * An unexpected **firewall disablement event**.
  * Often occurs during or just before large-scale attacks, such as **ransomware deployment**.
* **Example**:\
  Event ID 2003 logs the disabling of the firewall shortly before an increase in suspicious outbound connections.

***

## **Mitigation and Response Strategies**

### **1. Real-Time Monitoring**

* **SIEM Integration**:
  * Use a **SIEM** solution to monitor and alert on **Event IDs 2004**, **2005**, and **2003**.
  * Correlate with other security logs (e.g., **login events**, **PowerShell activity**) for a comprehensive view.
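
The sequence described in the "Firewall Disabling" scenario (an Event ID 2003 disable followed by a rise in suspicious outbound connections) and the SIEM correlation point above, as an added Python example that is not part of the original page: one alert is raised per disable event, rated by how the host's outbound connections and destinations change in the window after it, with login and PowerShell records from the same window attached as context. Every record, host, time and address is constructed (the addresses are from documentation ranges); the ten-minute window and the 3x spike ratio are assumptions to be tuned per environment, and the flat-dict shape stands in for however a given SIEM normalises events.

```python
"""Correlating a firewall-disable event (Event ID 2003) with the activity around it.

Added example, not code from the original page.  All records are constructed
samples (hypothetical host WS01, times and documentation-range addresses),
normalised into flat dicts the way a SIEM would present events from several
sources.  The 10-minute window and the 3x spike ratio are assumptions.
"""
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


def conn(t, host, proc, remote, port, proto):
    return {"time": ts(t), "Host": host, "Process": proc,
            "Remote": remote, "Port": port, "Protocol": proto}


# Constructed Windows Firewall channel event: the Domain profile's firewall was turned off.
FIREWALL_EVENTS = [
    {"time": ts("2024-05-01T09:58:00"), "Host": "WS01", "EventID": 2003,
     "New Setting Type": "Enable Windows Defender Firewall", "Value": "No",
     "Profiles": "Domain", "Modifying User": "WS01\\jdoe"},
]

# Constructed outbound connection records (network sensor or process-network log).
OUTBOUND = [
    conn("2024-05-01T09:50:00", "WS01", "outlook.exe", "10.0.0.5", 443, "TCP"),
    conn("2024-05-01T09:55:00", "WS01", "chrome.exe", "10.0.0.5", 443, "TCP"),
    conn("2024-05-01T10:02:00", "WS02", "chrome.exe", "10.0.0.5", 443, "TCP"),  # other host
    conn("2024-05-01T10:03:30", "WS01", "updater.exe", "198.51.100.22", 53, "UDP"),
] + [conn("2024-05-01T10:%02d:00" % m, "WS01", "updater.exe", "203.0.113.7", 8443, "TCP")
     for m in range(8)]

# Constructed records from the other sources the page suggests correlating with.
OTHER_EVENTS = [
    {"time": ts("2024-05-01T09:55:10"), "Host": "WS01", "source": "Security",
     "EventID": 4624, "detail": "logon of WS01\\jdoe"},
    {"time": ts("2024-05-01T09:57:40"), "Host": "WS01", "source": "PowerShell",
     "EventID": 4104, "detail": "script block executed by WS01\\jdoe"},
    {"time": ts("2024-05-01T08:00:00"), "Host": "WS01", "source": "Security",
     "EventID": 4624, "detail": "earlier logon, outside the window"},
]


def firewall_disabled(events):
    """Select the 2003 events whose key fields say the firewall was turned off."""
    return [e for e in events
            if e["EventID"] == 2003
            and e.get("New Setting Type") == "Enable Windows Defender Firewall"
            and e.get("Value") == "No"]


def in_window(records, host, start, end):
    """Records from one host with start <= time < end, in time order."""
    return sorted((r for r in records if r["Host"] == host and start <= r["time"] < end),
                  key=lambda r: r["time"])


def correlate(firewall_events, outbound, other_events,
              window=timedelta(minutes=10), spike_ratio=3.0):
    """Build one alert per disable event, rated by the outbound traffic that follows it."""
    alerts = []
    for d in firewall_disabled(firewall_events):
        t = d["time"]
        before = in_window(outbound, d["Host"], t - window, t)
        after = in_window(outbound, d["Host"], t, t + window)
        new_dests = {c["Remote"] for c in after} - {c["Remote"] for c in before}
        # A spike is "after" exceeding "before" by the ratio; max(...,1) avoids dividing by a quiet host.
        spike = len(after) >= spike_ratio * max(len(before), 1)
        alerts.append({
            "host": d["Host"], "disabled_at": t, "by": d["Modifying User"],
            "outbound_before": len(before), "outbound_after": len(after),
            "new_destinations": new_dests, "spike": spike,
            "severity": "high" if spike or new_dests else "medium",
            "context": in_window(other_events, d["Host"], t - window, t + window),
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(FIREWALL_EVENTS, OUTBOUND, OTHER_EVENTS):
        print("[%s] firewall disabled on %s at %s by %s" % (a["severity"], a["host"], a["disabled_at"], a["by"]))
        print("  outbound connections: %d before, %d after; new destinations: %s"
              % (a["outbound_before"], a["outbound_after"], sorted(a["new_destinations"])))
        for e in a["context"]:
            print("  context:", e["time"], e["source"], e["EventID"], e["detail"])
```

Counting new destinations as well as raw connection volume matters because a quiet workstation can go from two connections to nine without tripping a fixed threshold; a first-ever destination appearing right after the firewall was turned off is the stronger signal, and the attached logon and script-block records tell the responder who was on the host when it happened.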

### **2. Regular Firewall Rule Audits**

* Periodically review **firewall rules** for anomalies or unauthorized modifications.
* Validate the legitimacy of newly added or modified rules, especially those created by non-administrative users.

### **3. Limit Administrative Privileges**

* Restrict the ability to **create** or **modify firewall rules** to **authorized personnel** only.
* Implement **role-based access control (RBAC)** to minimize the risk of unauthorized changes.

### **4. Implement Group Policies**

* Use **Group Policy Objects (GPOs)** to enforce firewall rules and ensure they cannot be disabled by non-privileged users.
* Configure **firewall logging** to ensure comprehensive tracking of all rule changes.

### **5. Incident Response**

* **Investigate Immediately**: Treat firewall disablement (Event ID 2003) or suspicious rule changes as high-priority incidents.
* **Isolate Affected Systems**: Prevent further lateral movement or data exfiltration by isolating compromised machines.
* **Preserve Logs**: Ensure logs are forwarded to a secure, remote location to prevent tampering.

***

## **Key Points**

Windows Firewall event logs are a powerful tool for detecting and responding to malicious activities. By focusing on **Event IDs 2004**, **2005**, and **2003**, security teams can identify unauthorized changes to firewall configurations, prevent network-based attacks, and maintain a robust defense posture. Integrating these logs with a **SIEM** solution and enforcing strict access controls further strengthens an organization’s ability to detect and mitigate threats effectively.

