Windows Firewall Event Logs

Windows Firewall Event Logs for Threat Detection

Windows Firewall logs are a crucial resource for monitoring network activity and detecting potential threats. Rule additions, rule modifications, and profile setting changes are written to a dedicated operational event channel on a default installation, so they are available without extra agents. By focusing on a handful of Event IDs, security analysts can identify unauthorized changes to firewall rules, attempts to disable the firewall, and other suspicious activity that may indicate malicious behavior such as Command and Control (C2) communication, lateral movement, or data exfiltration.


Key Event IDs for Monitoring Windows Firewall Activity

1. Event ID 2004: Rule Added to Exception List

  • Log Location: Applications and Services Logs → Microsoft → Windows → Windows Firewall with Advanced Security → Firewall (channel name for Get-WinEvent or wevtutil: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall)

  • Details:

    • Triggered when a new firewall rule is added.

    • Records the complete rule definition: rule ID and name, application path and service name, direction, protocol, local and remote ports and addresses, action (allow or block), profiles, and the user and application that made the change.

  • Fields of Interest:

    • Rule Name: Indicates the rule's intended purpose. Watch for generic names, names that imitate built-in rules or Windows components, and the "TCP Query User{GUID}..." names that the Windows Security Alert prompt generates when someone clicks Allow.

    • Application Path: Verify whether the executable path points to a trusted location (e.g., C:\Windows\System32 or C:\Program Files) or a user-writable one (e.g., %TEMP%, C:\Users\Public, AppData). Normalize case and expand variables such as %SystemRoot% before matching, and remember that a trusted directory is only as trustworthy as the controls on who can write to it.

    • Modifying User: The account (logged as a SID) that created the rule. Distinguish SYSTEM (S-1-5-18), which is normal for Group Policy and installers, from an interactive user or service account. The companion Modifying Application field records the process that made the change (for example netsh.exe), which is often more telling than the account.

    • Protocol and Direction: Inbound allow rules expose a listener to the network and are the classic lateral-movement enabler. Outbound rules matter most on hosts whose profile blocks outbound traffic by default; on a default configuration (outbound allowed) an explicit outbound allow rule is unnecessary for most malware, so its presence is itself odd. Weight protocol "Any" and unrestricted remote addresses or ports higher than the choice of TCP versus UDP, since UDP is common legitimate traffic.

  • Use Case: Detect unauthorized applications or scripts being allowed through the firewall.

2. Event ID 2005: Rule Modified

  • Log Location: Same as above.

  • Details:

    • Logs any modifications to existing firewall rules.

  • Fields of Interest:

    • Rule ID: Unique identifier to correlate changes with specific rules.

    • Modified Settings: The 2005 event carries the rule's full new definition, not a before/after pair, so to see what changed you must compare it with the previous 2004 or 2005 event for the same Rule ID (or with a stored baseline). Focus on changes to application paths, protocols, ports, remote addresses, action, or direction (e.g., inbound to outbound).

  • Use Case: Identify attempts to modify legitimate rules for malicious purposes, such as enabling unauthorized network traffic or maintaining persistence.

3. Event ID 2003: Firewall Setting Changed (Including Firewall Disabled)

  • Log Location: Same as above.

  • Details:

    • Fires whenever a profile-level setting changes (Domain, Private, or Public profile); the firewall being disabled is one specific case, identified by the fields below.

  • Key Fields:

    • Profile Changed: Which profile (Domain, Private, or Public) was affected. Attackers commonly turn off all three at once, which produces one 2003 event per profile.

    • New Setting Type: "Enable Windows Defender Firewall" (older builds say "Enable Windows Firewall").

    • Value: A value of "No" means the firewall was turned off for that profile; "Yes" means it was turned on.

  • Use Case: Detect and investigate attempts to disable firewall protection, which is a significant indicator of an attacker trying to evade detection.


Attack Detection Scenarios

1. Suspicious Application Rules

  • Indicators:

    • Outbound allow rules for unfamiliar executables, or rules with protocol "Any" and no remote address or port restriction.

    • Non-standard ports commonly used for C2 traffic or data exfiltration.

  • Example: A rule named "Windows Update Task" that allows outbound traffic for an executable located in C:\Users\Public\Scripts.

2. Rule Modifications

  • Indicators:

    • Existing rules modified to allow broader access or to point to malicious executables.

    • Legitimate service rules altered to permit backdoor communication.

  • Example: A rule for Remote Desktop modified to allow traffic on a non-standard port, potentially indicating lateral movement.

3. Firewall Disabling

  • Indicators:

    • An unexpected firewall disablement event.

    • Often occurs during or just before large-scale attacks, such as ransomware deployment. The change is typically made with a one-liner such as netsh advfirewall set allprofiles state off, and the Modifying Application field records the responsible process (netsh.exe in that case).

  • Example: Event ID 2003 logs the disabling of the firewall shortly before an increase in suspicious outbound connections.
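The three scenarios above, together with the field-level checks listed under each Event ID, can be turned into a small triage routine. The following Python is an added example written for this page (it is not code from the original article or from Microsoft): it reads events in the XML layout that `wevtutil qe "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" /f:xml` produces, flags rules whose executable sits outside trusted directories or whose name imitates a Windows component, diffs each 2005 event against the last definition seen for the same Rule ID, and reports a 2003 event that turns a profile off. The EventData element names (RuleId, RuleName, ApplicationPath, ModifyingUser, SettingType, SettingValue and so on), the numeric codes for Direction/Action/Protocol, the rendered strings used for the 2003 fields, and the four sample events are assumptions constructed for the example; compare them against one real exported event before relying on the parser.

```python
"""Triage Windows Firewall events 2003/2004/2005 exported as XML (added example, not from the page)."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed numeric codes; the event message renders them as the words shown.
DIRECTION = {"1": "Inbound", "2": "Outbound"}
ACTION = {"2": "Block", "3": "Allow"}
PROTOCOL = {"6": "TCP", "17": "UDP", "256": "Any"}
# Executables under these directories are trusted; anything else is reviewed.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# Rule names that imitate built-in Windows components deserve a second look.
LOOKALIKE = re.compile(r"windows\s*(update|defender)|microsoft|svchost", re.I)
# Rule paths may carry environment variables; expand the common ones before matching.
ENV_VARS = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows", "%programfiles%": r"c:\program files"}
# Fields whose change between two events for the same Rule ID is worth a finding.
WATCHED = ("Direction", "Action", "Protocol", "ApplicationPath", "LocalPorts", "RemotePorts", "RemoteAddresses")


def normalize_path(path):
    """Lower-case the path and expand known environment variables."""
    p = path.strip().lower()
    for var, value in ENV_VARS.items():
        p = p.replace(var, value)
    return p


def parse_event(xml_text):
    """Flatten one <Event> into a dict: EventID plus every EventData <Data Name=...> value."""
    root = ET.fromstring(xml_text)
    event = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def triage(event, last_state):
    """Return findings for one event; last_state maps Rule ID -> last seen definition."""
    findings = []
    eid, who = event["EventID"], event.get("ModifyingUser", "unknown")
    if eid == "2003":
        # Any profile setting change; the disable case is the Type/Value pair from the text.
        if (event.get("SettingType") == "Enable Windows Defender Firewall"
                and event.get("SettingValue") == "No"):
            findings.append(f"2003: firewall disabled for {event.get('Profiles', '?')} profile "
                            f"by {who} via {event.get('ModifyingApplication', '?')}")
        return findings
    if eid not in ("2004", "2005"):
        return findings
    rule_id, name = event.get("RuleId", ""), event.get("RuleName", "")
    path = normalize_path(event.get("ApplicationPath", ""))
    label = (f"{eid}: rule '{name}' ({DIRECTION.get(event.get('Direction'), '?')} "
             f"{ACTION.get(event.get('Action'), '?')} "
             f"{PROTOCOL.get(event.get('Protocol'), '?')}) by {who}")
    if path and not path.startswith(TRUSTED_DIRS):
        findings.append(f"{label}: executable outside trusted directories: {path}")
        if LOOKALIKE.search(name):
            findings.append(f"{label}: name imitates a Windows component")
    if eid == "2005" and rule_id in last_state:
        # A 2005 event carries the whole new definition, so diff it against the previous one.
        before = last_state[rule_id]
        for field in WATCHED:
            old, new = before.get(field, ""), event.get(field, "")
            if field == "ApplicationPath":
                old, new = normalize_path(old), normalize_path(new)
            if old != new:
                findings.append(f"{label}: {field} changed {old!r} -> {new!r}")
    last_state[rule_id] = event
    return findings


def run(xml_events):
    """Triage a sequence of exported events in log order."""
    last_state, findings = {}, []
    for xml_text in xml_events:
        findings.extend(triage(parse_event(xml_text), last_state))
    return findings


def _event(eid, data):
    """Build a constructed event in the exported XML layout (sample data only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


RDP = {"RuleId": "{rule-2}", "RuleName": "Remote Desktop - User Mode (TCP-In)",
       "ApplicationPath": r"%SystemRoot%\system32\svchost.exe", "Direction": "1",
       "Action": "3", "Protocol": "6", "LocalPorts": "3389", "RemotePorts": "*",
       "RemoteAddresses": "*", "ModifyingUser": "S-1-5-18"}

SAMPLE_EVENTS = [  # constructed sample that follows the three scenarios in the text
    _event(2004, {"RuleId": "{rule-1}", "RuleName": "Windows Update Task",
                  "ApplicationPath": r"C:\Users\Public\Scripts\wuupdate.exe",
                  "Direction": "2", "Action": "3", "Protocol": "17", "LocalPorts": "*",
                  "RemotePorts": "*", "RemoteAddresses": "*",
                  "ModifyingUser": "S-1-5-21-1000-2000-3000-1105"}),
    _event(2004, RDP),
    _event(2005, {**RDP, "LocalPorts": "33890", "ModifyingUser": "S-1-5-21-1000-2000-3000-1105"}),
    _event(2003, {"Profiles": "Public", "SettingType": "Enable Windows Defender Firewall",
                  "SettingValue": "No", "ModifyingUser": "S-1-5-21-1000-2000-3000-1105",
                  "ModifyingApplication": r"C:\Windows\System32\netsh.exe"}),
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Feed the events in log order: because a 2005 event only contains the new definition, the diff is only as good as the history the script has already seen, so in a SIEM the last-seen state per Rule ID should be persisted rather than kept in memory.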


Mitigation and Response Strategies

1. Real-Time Monitoring

  • SIEM Integration:

    • Use a SIEM solution to monitor and alert on Event IDs 2004, 2005, and 2003 (and 2006 for rule deletions) from the Firewall operational channel. If you collect the Security log instead, enable the "Audit MPSSVC Rule-Level Policy Change" subcategory, which yields the equivalent Event IDs 4946 (rule added), 4947 (rule modified), 4948 (rule deleted), and 4950 (setting changed).

    • Correlate with other security logs (e.g., login events, PowerShell activity) for a comprehensive view.

2. Regular Firewall Rule Audits

  • Periodically review firewall rules for anomalies or unauthorized modifications.

  • Validate the legitimacy of newly added or modified rules, especially those created outside change control by interactive user accounts rather than by Group Policy or a known installer.
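An audit that depends only on the event channel misses changes made while logging was off or after the channel was cleared, so a periodic snapshot of the rule set compared against an approved baseline is the usual complement. The following Python is an added example (not code from the page) that diffs two CSV snapshots and singles out the added or changed rules that match the application-path heuristic described earlier. The column set (Name, DisplayName, Enabled, Direction, Action, Program, LocalPort) is an assumed export layout, for instance built by joining Get-NetFirewallRule output with its application and port filters, and both snapshots are constructed for the example.

```python
"""Snapshot-and-diff audit of Windows Firewall rules (added example, not code from the page)."""
import csv
import io

KEY = "Name"  # the stable rule identifier; DisplayName is what the GUI shows and can be reused
FIELDS = ("DisplayName", "Enabled", "Direction", "Action", "Program", "LocalPort")
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
ENV_VARS = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows", "%programfiles%": r"c:\program files"}


def normalize_path(path):
    """Lower-case the program path and expand the environment variables seen in exports."""
    p = path.strip().lower()
    for var, value in ENV_VARS.items():
        p = p.replace(var, value)
    return p


def load_snapshot(csv_text):
    """Index a CSV export by rule Name; the assumed columns are KEY plus FIELDS."""
    return {row[KEY]: row for row in csv.DictReader(io.StringIO(csv_text.strip()))}


def needs_review(rule):
    """Enabled allow rule whose program is a real path outside the trusted directories."""
    program = normalize_path(rule["Program"])
    if program in ("", "any", "system"):  # no file path to judge (any-program or kernel rules)
        return False
    return (rule["Enabled"].strip().lower() == "true"
            and rule["Action"].strip().lower() == "allow"
            and not program.startswith(TRUSTED_DIRS))


def diff_snapshots(baseline, current):
    """Report rules added, removed or changed since the baseline, plus those needing review."""
    report = {"added": [], "removed": sorted(set(baseline) - set(current)), "changed": []}
    for name, rule in current.items():
        if name not in baseline:
            report["added"].append(name)
            continue
        changes = {f: (baseline[name][f], rule[f]) for f in FIELDS
                   if baseline[name][f].strip().lower() != rule[f].strip().lower()}
        if changes:
            report["changed"].append((name, changes))
    touched = set(report["added"]) | {name for name, _ in report["changed"]}
    report["review"] = sorted(n for n in touched if needs_review(current[n]))
    return report


# Constructed snapshots: an approved baseline and a later export from the same host.
BASELINE_CSV = r"""
Name,DisplayName,Enabled,Direction,Action,Program,LocalPort
RemoteDesktop-UserMode-In-TCP,Remote Desktop - User Mode (TCP-In),True,Inbound,Allow,%SystemRoot%\system32\svchost.exe,3389
CoreNet-ICMP4-ERQ-In,Core Networking - Echo Request (ICMPv4-In),True,Inbound,Allow,System,Any
FPS-SMB-In-TCP,File and Printer Sharing (SMB-In),False,Inbound,Allow,System,445
"""
CURRENT_CSV = r"""
Name,DisplayName,Enabled,Direction,Action,Program,LocalPort
RemoteDesktop-UserMode-In-TCP,Remote Desktop - User Mode (TCP-In),True,Inbound,Allow,%SystemRoot%\system32\svchost.exe,33890
CoreNet-ICMP4-ERQ-In,Core Networking - Echo Request (ICMPv4-In),True,Inbound,Allow,System,Any
{rule-1},Windows Update Task,True,Outbound,Allow,C:\Users\Public\Scripts\wuupdate.exe,Any
"""


def audit(baseline_csv=BASELINE_CSV, current_csv=CURRENT_CSV):
    """Convenience wrapper: load both snapshots and diff them."""
    return diff_snapshots(load_snapshot(baseline_csv), load_snapshot(current_csv))


if __name__ == "__main__":
    for section, items in audit().items():
        print(section, items)
```

The diff keys on Name rather than DisplayName because the display name is free text that an attacker can copy from a legitimate rule; a removed rule is reported too, since deleting a block rule is as effective as adding an allow rule.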

3. Limit Administrative Privileges

  • Restrict the ability to create or modify firewall rules to authorized personnel only.

  • Implement role-based access control (RBAC) to minimize the risk of unauthorized changes.

4. Implement Group Policies

  • Use Group Policy Objects (GPOs) to enforce firewall state and rules; a policy-enforced setting cannot be turned off by a local administrator through netsh or the GUI, and local rule merging can be disabled so that locally created rules are ignored.

  • Keep the Firewall operational channel (or the Security-log audit subcategory) collected and large enough that rule-change events are not overwritten. Per-connection logging of dropped and allowed packets to pfirewall.log is a separate setting; it does not record rule changes but is useful for the follow-up investigation.

5. Incident Response

  • Investigate Immediately: Treat firewall disablement (Event ID 2003) or suspicious rule changes as high-priority incidents.

  • Isolate Affected Systems: Prevent further lateral movement or data exfiltration by isolating compromised machines.

  • Preserve Logs: Forward events to a remote collector (Windows Event Forwarding or an agent) as they are written, since an attacker with local administrator rights can clear the channel after making changes.


Key Points

Windows Firewall event logs are a powerful tool for detecting and responding to malicious activities. By focusing on Event IDs 2004, 2005, and 2003, security teams can identify unauthorized changes to firewall configurations early, respond before those changes are used for lateral movement or exfiltration, and maintain a robust defense posture. Integrating these logs with a SIEM solution and enforcing strict access controls further strengthens an organization's ability to detect and mitigate threats effectively.
