EventPeeker
Event ID 4946 · Audit Success · Security · T1562.004

Windows Event ID 4946: Windows Firewall Exception Added

Logged when a new firewall exception rule is added to the Windows Firewall.

MITRE ATT&CK

Technique

T1562.004 · Disable or Modify System Firewall

Tactic

Defense Evasion


Why It Matters

Attackers add firewall exceptions to allow inbound connections for backdoors, C2 (command and control) tools, or remote access. Unexpected inbound allow rules — especially for unusual ports or executables — indicate persistence or C2 setup.

Key Fields

Rule Name: The name given to the exception — attackers often mimic legitimate rule names.
Profile: Domain/Private/Public — Public profile exceptions are the most dangerous.
Application: The path of the allowed application.
Port: The port opened — non-standard ports are more suspicious.

Investigation Tips

  1. Review the Application path — exceptions for binaries in Temp, AppData, or ProgramData are high-risk.
  2. Compare against the baseline of expected firewall rules from your GPO.
  3. Check 4688 for the process that created the rule — netsh.exe is commonly used.
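A PowerShell triage pass that applies the tips above to recent 4946 events, added here as an example and not EventPeeker's own tooling. It assumes an elevated session (the Security log requires it), the built-in NetSecurity module, and that the rule still exists when it is looked up; the 4946 record itself only carries the profile, rule name and rule ID, so the program path and port are resolved from the live rule.

```powershell
# Path fragments the Investigation Tips call high-risk (assumption: user-writable locations)
$suspiciousDirs = 'Temp', 'AppData', 'ProgramData'

# Pull the most recent "exception added" events; no error if the log has none
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946 } `
          -MaxEvents 200 -ErrorAction SilentlyContinue

$results = foreach ($evt in $events) {
    # Read the EventData fields by name (ProfileChanged, RuleId, RuleName)
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The firewall rule's Name is the GUID logged as RuleId; resolve it to get
    # the program path and local port, which are not in the event record
    $rule    = Get-NetFirewallRule -Name $data.RuleId -ErrorAction SilentlyContinue
    $program = $null; $port = $null
    if ($rule) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        $port    = ($rule | Get-NetFirewallPortFilter).LocalPort
    }

    # Flags mirror the tips: public exposure, user-writable path, inbound allow
    $flags = @()
    if ($data.ProfileChanged -match 'Public|All') { $flags += 'public-profile' }   # "All" includes Public
    if ($program -and ($suspiciousDirs | Where-Object { $program -match "\\$_\\" })) { $flags += 'user-writable-path' }
    if ($rule -and $rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow') { $flags += 'inbound-allow' }

    [pscustomobject]@{
        Time     = $evt.TimeCreated
        Profile  = $data.ProfileChanged
        RuleName = $data.RuleName
        RuleId   = $data.RuleId
        Program  = $program
        Port     = ($port -join ',')
        Flags    = ($flags -join ',')
    }
}

# Show only the events that tripped at least one flag; compare the rest to your GPO baseline
$results | Where-Object { $_.Flags } | Sort-Object Time -Descending | Format-Table -AutoSize
```

A rule that has already been deleted shows an empty Program and Port; correlate its RuleId against 4947/4948 and the creating process in 4688 to finish the timeline.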

Related Event IDs

4688: Process creation — look for netsh.exe adding the rule.

See Event ID 4946 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects Windows Firewall exception added patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.
