# EventID 2005: Firewall Rule Modified
This event indicates that a firewall rule has been modified. The contents of this event will contain the new parameters of the firewall rule.
{% hint style="warning" %}
In recent builds of Windows 11, this event has been replaced by a new Event ID:
[evtx-2073-firewall-windows-11](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11 "mention")
{% endhint %}
## Analysis Value
{% content-ref url="../../../artifacts-by-activity/account-activity/security-identifier" %}
[security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier)
{% endcontent-ref %}
{% content-ref url="../../../artifacts-by-activity/file-activity/file-path" %}
[file-path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path)
{% endcontent-ref %}
{% content-ref url="../../../artifacts-by-activity/execution/execution-account" %}
[execution-account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account)
{% endcontent-ref %}
{% content-ref url="../../../artifacts-by-activity/execution/parent-and-child-information" %}
[parent-and-child-information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information)
{% endcontent-ref %}
{% content-ref url="../../../artifacts-by-activity/execution/evidence-of-execution" %}
[evidence-of-execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution)
{% endcontent-ref %}
{% content-ref url="../../../artifacts-by-activity/network-activity/firewall-activity" %}
[firewall-activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/firewall-activity)
{% endcontent-ref %}
## Operating System Availability
| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11 | ⚠️ | Server 2019 | ✅ |
| Windows 10 | ✅ | Server 2016 | ✅ |
| Windows 8 | ✅ | Server 2012 | ✅ |
| Windows 7 | ✅ | Server 2008 | ✅ |
| Windows Vista | ✅ | Server 2003 | ❌ |
| Windows XP | ❌ | | |
## Artifact Location(s)
* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx`
## Artifact Interpretation
| Field | Interpretation | Reference |
| -------------------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| `System/Security/UserID` | Provides the Security Identifier (SID) of the account that modified the firewall rule. | [security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier "mention") |
| `EventData/ModifyingUser` | Provides the Security Identifier (SID) of the account that modified the firewall rule. | [security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier "mention") |
| `EventData/ModifyingApplication` | Provides the full image path of the process that modified the firewall rule. | [file-path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path "mention") |
| `System/Execution/ProcessID` | Provides the Process ID of the application that modified the firewall rule. | [parent-and-child-information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information "mention") |
| `System/Execution/ThreadID` | Provides the Thread ID of the application that modified the firewall rule. | [parent-and-child-information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information "mention") |
The presence of this event indicates that the system's firewall was modified by editing a rule. This may be indicative of attacker activity. There are many legitimate processes such as `svchost.exe` that will be observed modifying the Windows Firewall, so this event should be correlated with others to determine if the activity is legitimate or not.
The following additional fields are available in this event:
| XML Path | Interpretation |
| --------------------------- | ------------------------------------------------------------------------- |
| `EventData/RuleId` | A GUID for the firewall rule |
| `EventData/RuleName` | The name for the firewall rule as it appears in the Windows Firewall |
| `EventData/Direction` | 1 for inbound rules and 2 for outbound rules |
| `EventData/Profiles` | What profiles (Private/Domain/Public) this rule applies to. |
| `EventData/Active` | 0 for disabled rules and 1 for enabled rules |
| `EventData/Action` | 3 for allow and 2 for block |
| `EventData/SecurityOptions` | 0 for none and 1 for require authentication |
| `EventData/ApplicationPath` | If the rule applies only to a specific application it will be listed here |
| `EventData/ServiceName` | If the rule applies only to a specific service it will be listed here |
## Example - Windows 10
On an example system, an existing Windows Firewall rule was modified from within the Windows Defender Firewall with Advanced Security control panel, causing the following event to be logged:
```
-
-
2005
0
4
0
0
0x8000020000000000
6668
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
HLPC01
-
{8736B31E-8792-452E-8D2D-C45621F236AF}
Open SSH Port 22
1
1
6
22
*
2
2147483647
*
*
0
0
0
0
0
S-1-5-21-3471133136-2963561160-3931775028-1001
C:\Windows\System32\mmc.exe
542
65536
0
```
This example was produced on Windows 10, Version 10.0.19044 Build 19044
## Example - Windows 11
On an example system, an existing Windows Firewall rule was modified from within the Windows Defender Firewall with Advanced Security control panel, causing the following event to be logged:
```
-
-
2073
0
4
0
0
0x8000020000000000
550
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
W11
-
{0D458E97-4EC5-4C5C-A5A4-F9F73E769168}
Open SSH Port 22
1
1
6
22
*
3
2147483647
*
*
0
0
0
0
0
S-1-5-21-937911350-1118943250-2293061635-1001
C:\Windows\System32\mmc.exe
544
65536
0
0
```
This example was produced on Windows 11, Version 10.0.22621 Build 22621