# EventID 2006: Firewall Rule Deleted
This event indicates that a firewall rule has been deleted.
{% hint style="warning" %}
In recent builds of Windows 11, this event has been replaced by a new Event ID:
[EventID 2052: Firewall Rule Deleted](/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11.md)
{% endhint %}
## Analysis Value
{% content-ref url="/pages/LRJZQZsAd12i4mDfGwuK" %}
[Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md)
{% endcontent-ref %}
{% content-ref url="/pages/V3cDcDJogcr4slquHEzB" %}
[File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md)
{% endcontent-ref %}
{% content-ref url="/pages/7PsIbY4z0aa7D6FfSddw" %}
[Execution Account](/windows-forensics/artifacts-by-activity/execution/execution-account.md)
{% endcontent-ref %}
{% content-ref url="/pages/qnouj5GLuiwXN3ZPDBUb" %}
[Parent and Child Information](/windows-forensics/artifacts-by-activity/execution/parent-and-child-information.md)
{% endcontent-ref %}
{% content-ref url="/pages/vnDLfD9RBoVh5UOGGhiw" %}
[Evidence of Execution](/windows-forensics/artifacts-by-activity/execution/evidence-of-execution.md)
{% endcontent-ref %}
{% content-ref url="/pages/Gm5UmJTsXFgVcpGh9nmt" %}
[Firewall Activity](/windows-forensics/artifacts-by-activity/network-activity/firewall-activity.md)
{% endcontent-ref %}
## Operating System Availability
| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11 | ⚠️ | Server 2019 | ✅ |
| Windows 10 | ✅ | Server 2016 | ✅ |
| Windows 8 | ✅ | Server 2012 | ✅ |
| Windows 7 | ✅ | Server 2008 | ✅ |
| Windows Vista | ✅ | Server 2003 | ❌ |
| Windows XP | ❌ | | |
## Artifact Location(s)
* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx`
## Artifact Interpretation
| Field | Interpretation | Reference |
| -------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| `System/Security/UserID` | Provides the Security Identifier (SID) of the account that deleted the firewall rule. | [Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md) |
| `EventData/ModifyingUser` | Provides the Security Identifier (SID) of the account that deleted the firewall rule. | [Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md) |
| `EventData/ModifyingApplication` | Provides the full image path of the process that deleted the firewall rule. | [File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md) |
| `System/Execution/ProcessID` | Provides the Process ID of the application that deleted the firewall rule. | [Parent and Child Information](/windows-forensics/artifacts-by-activity/execution/parent-and-child-information.md) |
| `System/Execution/ThreadID` | Provides the Thread ID of the application that deleted the firewall rule. | [Parent and Child Information](/windows-forensics/artifacts-by-activity/execution/parent-and-child-information.md) |
The presence of this event indicates that the system's firewall was modified by deleting a rule. This may be indicative of attacker activity. There are many legitimate processes such as `svchost.exe` that will be observed modifying the Windows Firewall, so this event should be correlated with others to determine if the activity is legitimate or not.
The following additional fields are available in this event:
| XML Path | Interpretation |
| -------------------- | ----------------------------------------------------------------------------- |
| `EventData/RuleId` | The GUID of the deleted firewall rule |
| `EventData/RuleName` | The name for the deleted firewall rule as it appeared in the Windows Firewall |
## Example - Windows 10
On an example system, an existing Windows Firewall rule was deleted from within the Windows Defender Firewall with Advanced Security control panel, causing the following event to be logged:
```
-
-
2006
0
4
0
0
0x8000020000000000
6669
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
HLPC01
-
{8736B31E-8792-452E-8D2D-C45621F236AF}
Open SSH Port 22
S-1-5-21-3471133136-2963561160-3931775028-1001
C:\Windows\System32\mmc.exe
```
This example was produced on Windows 10, Version 10.0.19044 Build 19044
## Example - Windows 11
The same activity, when reproduced on a Windows 11 system, results in the following event being logged:
```
-
-
2052
0
4
0
0
0x8000020000000000
552
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
W11
-
{0D458E97-4EC5-4C5C-A5A4-F9F73E769168}
Open SSH Port 22
S-1-5-21-937911350-1118943250-2293061635-1001
C:\Windows\System32\mmc.exe
0
```
This example was produced on Windows 11, Version 10.0.22621 Build 22621
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.