🔍
Windows Forensic Handbook
  • 👋Welcome
  • Artifacts by Type
    • 🗄️Registry Artifacts
      • Amcache.hve
      • Background Activity Montitor
      • Image File Execution Options Registry Keys
      • System Resource Usage Monitor (SRUM)
      • Run/RunOnce Registry Keys
      • Tracing Registry Keys
      • Services Registry Keys
      • Select Registry Key
      • CurrentVersion Registry Key
      • ComputerName Registry Key
      • Interfaces Registry Key
      • NetworkCards Registry Key
      • TimeZoneInformation Registry Key
    • 📂Filesystem Artifacts
      • USN Journal
      • Prefetch
      • AutomaticDestinations Jumplists
      • Recycle Bin $I/$R Files
      • Task Scheduler Files
      • Windows Error Reporting Files (.WER)
      • System Resource Usage Monitor (SRUM)
    • 📅Event Log Artifacts
      • Task Scheduler Operational Log
      • TerminalServices-RDPClient
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
      • Security
        • EventID 4688: A new process has been created
        • EventID 4624: An account was successfully logged on
      • System
        • Event ID 7045: Service Installed
      • Microsoft Windows Windows Firewall With Advanced Security
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
      • TerminalServices-LocalSessionManager
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
      • TerminalServices-RemoteConnectionManager
        • EventID 1149: User Authentication Succeeded
      • Microsoft Windows Shell Core
        • EventID 9707: Command Execution Started
      • Microsoft-Windows-PowerShell
        • EventID 4104: PowerShell Script Block Logging
  • Artifacts by Activity
    • 🏃‍♂️Execution
      • Evidence of Execution
        • Prefetch
        • Amcache.hve
        • System Resource Usage Monitor (SRUM)
        • Background Activity Montitor
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • Task Scheduler Operational Log
        • Windows Error Reporting Files (.WER)
        • Tracing Registry Keys
        • EventID 4688: A new process has been created
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
        • EventID 4104: PowerShell Script Block Logging
      • First Executed
        • Prefetch
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • Tracing Registry Keys
        • Task Scheduler Operational Log
        • EventID 4104: PowerShell Script Block Logging
      • Last Executed
        • Prefetch
        • Background Activity Montitor
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • Task Scheduler Operational Log
      • Command Line Options
        • Task Scheduler Files
        • Task Scheduler Operational Log
        • EventID 4688: A new process has been created
        • EventID 9707: Command Execution Started
      • Execution Account
        • Background Activity Montitor
        • System Resource Usage Monitor (SRUM)
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • EventID 4688: A new process has been created
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
      • Parent and Child Information
        • EventID 4688: A new process has been created
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
        • EventID 4104: PowerShell Script Block Logging
      • Execution Timestamp
        • Task Scheduler Operational Log
        • EventID 9707: Command Execution Started
    • 🗒️File Activity
      • File Creation
        • USN Journal
      • File Deletion
        • USN Journal
        • Recycle Bin $I/$R Files
      • Last Modified
        • USN Journal
      • File Origin
      • File Size
        • USN Journal
        • Recycle Bin $I/$R Files
      • File Path
        • USN Journal
        • Prefetch
        • Amcache.hve
        • Background Activity Montitor
        • System Resource Usage Monitor (SRUM)
        • AutomaticDestinations Jumplists
        • Recycle Bin $I/$R Files
        • Image File Execution Options Registry Keys
        • Task Scheduler Files
        • Windows Error Reporting Files (.WER)
        • Run/RunOnce Registry Keys
        • Services Registry Keys
        • Task Scheduler Operational Log
        • Event ID 7045: Service Installed
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
      • File Hash
        • Amcache.hve
    • 👨‍🔧Account Activity
      • Account Creation Time
      • Group Membership
      • Last Login
      • Login History
        • EventID 4624: An account was successfully logged on
      • Logon ID
        • EventID 4624: An account was successfully logged on
        • EventID 4688: A new process has been created
      • Relative Identifier
      • Security Identifier
        • Background Activity Montitor
        • System Resource Usage Monitor (SRUM)
        • Recycle Bin $I/$R Files
        • EventID 4688: A new process has been created
        • EventID 4624: An account was successfully logged on
        • Event ID 7045: Service Installed
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
      • Username
        • EventID 4624: An account was successfully logged on
        • AutomaticDestinations Jumplists
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
        • EventID 1149: User Authentication Succeeded
    • 🌎Network Activity
      • Evidence of Network Activity
        • Tracing Registry Keys
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
        • EventID 1149: User Authentication Succeeded
      • Destination Identification
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
      • Source Identification
        • Task Scheduler Files
        • Task Scheduler Operational Log
        • EventID 4624: An account was successfully logged on
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
        • EventID 1149: User Authentication Succeeded
      • Transmit Volume
        • System Resource Usage Monitor (SRUM)
      • Firewall Activity
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 4104: PowerShell Script Block Logging
      • Wireless Activity
    • 🔍Browser Activity
      • History
        • Firefox places.sqlite Database
      • Bookmarks
        • Firefox places.sqlite Database
      • Stored Passwords/Secrets
    • 🖥️System Enumeration
      • Select Registry Key
      • CurrentVersion Registry Key
      • ComputerName Registry Key
      • Interfaces Registry Key
      • NetworkCards Registry Key
      • TimeZoneInformation Registry Key
Powered by GitBook
On this page
  1. Artifacts by Type
  2. Event Log Artifacts
  3. Microsoft Windows Windows Firewall With Advanced Security

EventID 2005: Firewall Rule Modified

Last updated 1 year ago

This event indicates that a firewall rule has been modified. The contents of this event will contain the new parameters of the firewall rule.

In recent builds of Windows 11, this event has been replaced by a new Event ID:

EventID 2073: Firewall Rule Modified

Analysis Value

Operating System Availability

Major Version
Support
Major Version
Support

Windows 11

⚠️

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

✅

Server 2008

✅

Windows Vista

✅

Server 2003

❌

Windows XP

❌

Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Artifact Interpretation

Field
Interpretation
Reference

System/Security/UserID

Provides the Security Identifier (SID) of the account that modified the firewall rule.

EventData/ModifyingUser

Provides the Security Identifier (SID) of the account that modified the firewall rule.

EventData/ModifyingApplication

Provides the full image path of the process that modified the firewall rule.

System/Execution/ProcessID

Provides the Process ID of the application that modified the firewall rule.

System/Execution/ThreadID

Provides the Thread ID of the application that modified the firewall rule.

The presence of this event indicates that the system's firewall was modified by editing a rule. This may be indicative of attacker activity. There are many legitimate processes such as svchost.exe that will be observed modifying the Windows Firewall, so this event should be correlated with others to determine if the activity is legitimate or not.

The following additional fields are available in this event:

XML Path
Interpretation

EventData/RuleId

A GUID for the firewall rule

EventData/RuleName

The name for the firewall rule as it appears in the Windows Firewall

EventData/Direction

1 for inbound rules and 2 for outbound rules

EventData/Profiles

What profiles (Private/Domain/Public) this rule applies to.

EventData/Active

0 for disabled rules and 1 for enabled rules

EventData/Action

3 for allow and 2 for block

EventData/SecurityOptions

0 for none and 1 for require authentication

EventData/ApplicationPath

If the rule applies only to a specific application it will be listed here

EventData/ServiceName

If the rule applies only to a specific service it will be listed here

Example - Windows 10

On an example system, an existing Windows Firewall rule was modified from within the Windows Defender Firewall with Advanced Security control panel, causing the following event to be logged:

- 
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-   <System>
		<Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" Guid="{d1bc9aff-2abf-4d71-9146-ecb2a986eb85}" />
		<EventID>2005</EventID>
		<Version>0</Version>
		<Level>4</Level>
		<Task>0</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8000020000000000</Keywords>
		<TimeCreated SystemTime="2023-05-04T17:19:02.0655370Z" />
		<EventRecordID>6668</EventRecordID>
		<Correlation />
		<Execution ProcessID="2352" ThreadID="6516" />
		<Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
		<Computer>HLPC01</Computer>
		<Security UserID="S-1-5-19" />
	</System>
-   <EventData>
		<Data Name="RuleId">{8736B31E-8792-452E-8D2D-C45621F236AF}</Data>
		<Data Name="RuleName">Open SSH Port 22</Data>
		<Data Name="Origin">1</Data>
		<Data Name="ApplicationPath"></Data>
		<Data Name="ServiceName" />
		<Data Name="Direction">1</Data>
		<Data Name="Protocol">6</Data>
		<Data Name="LocalPorts">22</Data>
		<Data Name="RemotePorts">*</Data>
		<Data Name="Action">2</Data>
		<Data Name="Profiles">2147483647</Data>
		<Data Name="LocalAddresses">*</Data>
		<Data Name="RemoteAddresses">*</Data>
		<Data Name="RemoteMachineAuthorizationList" />
		<Data Name="RemoteUserAuthorizationList" />
		<Data Name="EmbeddedContext" />
		<Data Name="Flags">0</Data>
		<Data Name="Active">0</Data>
		<Data Name="EdgeTraversal">0</Data>
		<Data Name="LooseSourceMapped">0</Data>
		<Data Name="SecurityOptions">0</Data>
		<Data Name="ModifyingUser">S-1-5-21-3471133136-2963561160-3931775028-1001</Data>
		<Data Name="ModifyingApplication">C:\Windows\System32\mmc.exe</Data>
		<Data Name="SchemaVersion">542</Data>
		<Data Name="RuleStatus">65536</Data>
		<Data Name="LocalOnlyMapped">0</Data>
	</EventData>
</Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Example - Windows 11

On an example system, an existing Windows Firewall rule was modified from within the Windows Defender Firewall with Advanced Security control panel, causing the following event to be logged:

- 
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-   <System>
		<Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" Guid="{d1bc9aff-2abf-4d71-9146-ecb2a986eb85}" />
		<EventID>2073</EventID>
		<Version>0</Version>
		<Level>4</Level>
		<Task>0</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8000020000000000</Keywords>
		<TimeCreated SystemTime="2023-09-27T01:09:54.9122530Z" />
		<EventRecordID>550</EventRecordID>
		<Correlation />
		<Execution ProcessID="2704" ThreadID="3624" />
		<Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
		<Computer>W11</Computer>
		<Security UserID="S-1-5-19" />
	</System>
-   <EventData>
		<Data Name="RuleId">{0D458E97-4EC5-4C5C-A5A4-F9F73E769168}</Data>
		<Data Name="RuleName">Open SSH Port 22</Data>
		<Data Name="Origin">1</Data>
		<Data Name="ApplicationPath" />
		<Data Name="ServiceName" />
		<Data Name="Direction">1</Data>
		<Data Name="Protocol">6</Data>
		<Data Name="LocalPorts">22</Data>
		<Data Name="RemotePorts">*</Data>
		<Data Name="Action">3</Data>
		<Data Name="Profiles">2147483647</Data>
		<Data Name="LocalAddresses">*</Data>
		<Data Name="RemoteAddresses">*</Data>
		<Data Name="RemoteMachineAuthorizationList" />
		<Data Name="RemoteUserAuthorizationList" />
		<Data Name="EmbeddedContext" />
		<Data Name="Flags">0</Data>
		<Data Name="Active">0</Data>
		<Data Name="EdgeTraversal">0</Data>
		<Data Name="LooseSourceMapped">0</Data>
		<Data Name="SecurityOptions">0</Data>
		<Data Name="ModifyingUser">S-1-5-21-937911350-1118943250-2293061635-1001</Data>
		<Data Name="ModifyingApplication">C:\Windows\System32\mmc.exe</Data>
		<Data Name="SchemaVersion">544</Data>
		<Data Name="RuleStatus">65536</Data>
		<Data Name="LocalOnlyMapped">0</Data>
		<Data Name="ErrorCode">0</Data>
	</EventData>
</Event>

This example was produced on Windows 11, Version 10.0.22621 Build 22621

Security Identifier
File Path
Execution Account
Parent and Child Information
Evidence of Execution
Firewall Activity
📅
  • Analysis Value
  • Operating System Availability
  • Artifact Location(s)
  • Artifact Interpretation
  • Example - Windows 10
  • Example - Windows 11
Security Identifier
Security Identifier
File Path
Parent and Child Information
Parent and Child Information