search

EventID 2006: Firewall Rule Deleted

This event indicates that a firewall rule has been deleted.

circle-exclamation

In recent builds of Windows 11, this event has been replaced by a new Event ID:

EventID 2052: Firewall Rule Deleted

hashtag
Analysis Value

Security Identifierchevron-rightFile Pathchevron-rightExecution Accountchevron-rightParent and Child Informationchevron-rightEvidence of Executionchevron-rightFirewall Activitychevron-right

hashtag
Operating System Availability

Major Version
Support
Major Version
Support

Windows 11

⚠️

Server 2019

βœ…

Windows 10

βœ…

Server 2016

βœ…

Windows 8

βœ…

Server 2012

βœ…

Windows 7

βœ…

Server 2008

βœ…

Windows Vista

βœ…

Server 2003

❌

Windows XP

❌

hashtag
Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

hashtag
Artifact Interpretation

Field
Interpretation
Reference

System/Security/UserID

Provides the Security Identifier (SID) of the account that deleted the firewall rule.

Security Identifier

EventData/ModifyingUser

Provides the Security Identifier (SID) of the account that deleted the firewall rule.

Security Identifier

EventData/ModifyingApplication

Provides the full image path of the process that deleted the firewall rule.

File Path

System/Execution/ProcessID

Provides the Process ID of the application that deleted the firewall rule.

Parent and Child Information

System/Execution/ThreadID

Provides the Thread ID of the application that deleted the firewall rule.

Parent and Child Information

The presence of this event indicates that the system's firewall was modified by deleting a rule. This may be indicative of attacker activity. There are many legitimate processes such as svchost.exe that will be observed modifying the Windows Firewall, so this event should be correlated with others to determine if the activity is legitimate or not.

The following additional fields are available in this event:

XML Path
Interpretation

EventData/RuleId

The GUID of the deleted firewall rule

EventData/RuleName

The name for the deleted firewall rule as it appeared in the Windows Firewall

hashtag
Example - Windows 10

On an example system, an existing Windows Firewall rule was deleted from within the Windows Defender Firewall with Advanced Security control panel, causing the following event to be logged:

This example was produced on Windows 10, Version 10.0.19044 Build 19044

hashtag
Example - Windows 11

The same activity, when reproduced on a Windows 11 system, results in the following event being logged:

This example was produced on Windows 11, Version 10.0.22621 Build 22621

Last updated