Windows Firewall rules being modified/added then immediately deleted

jregan8

Essentially we have been seeing many different logs for "A rule was modified" (EVID 4947) in the Windows Firewall. The rule name and rule ID are GUIDs, which leads us to believe the rules being modified weren't initially created by a user. When looking for the modified rule on the host itself, the rule seemed to not exist. We then discovered that immediately after being modified, the rule was deleted (EVID 4948), which explains why we couldn't find it on the host.


The logs don't offer much in terms of root cause. We want to understand why Firewall rules are being modified, then immediately deleted. It should also be noted that we have seen the exact same activity except that instead of being modified, a rule is added then deleted.


My initial theory is that applications are causing this behaviour, or perhaps even GPO rules. It's important for us to understand why this activity is happening and whether it's normal because we would like to monitor when rules are modified/deleted/added outside of normal behaviour - an example use-case being a user/malware creates a firewall exception to communicate with a C2C server.


Thanks for any assistance.
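
Added example, not part of the original post: one way to separate the add/modify-then-delete churn described above from rule changes that persist, by pairing events 4946 (rule added), 4947 and 4948 on the rule ID. The event tuples, the placeholder rule IDs and the 5-second window are assumptions made for illustration; in practice the records would be exported from the Security log or a SIEM.

```python
from datetime import datetime, timedelta

ADDED, MODIFIED, DELETED = 4946, 4947, 4948  # Security log firewall rule events

# Constructed sample records: (timestamp, event ID, rule ID). Rule IDs are placeholders.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", 4947, "{RULE-A}"),
    ("2024-01-01T10:00:01", 4948, "{RULE-A}"),  # modified, deleted 1 s later
    ("2024-01-01T10:05:00", 4946, "{RULE-B}"),
    ("2024-01-01T10:05:00", 4948, "{RULE-B}"),  # added, deleted in the same second
    ("2024-01-01T11:00:00", 4946, "{RULE-C}"),  # added, never deleted
    ("2024-01-01T12:00:00", 4947, "{RULE-D}"),
    ("2024-01-01T12:30:00", 4948, "{RULE-D}"),  # deleted, but 30 minutes later
    ("2024-01-01T13:00:00", 4948, "{RULE-E}"),  # delete with no change seen first
]


def classify(events, window=timedelta(seconds=5)):
    """Pair each add/modify with a later delete of the same rule ID.

    Returns transient changes (deleted within `window`), persistent changes
    (deleted later or never) and deletes with no preceding change.
    """
    pending = {}  # rule ID -> [(time, event ID)] not yet matched to a delete
    result = {"transient": [], "persistent": [], "orphan_deletes": []}
    # Sorting by (time, event ID) puts 4946/4947 before a 4948 in the same second.
    for ts, eid, rule in sorted((datetime.fromisoformat(t), e, r) for t, e, r in events):
        if eid in (ADDED, MODIFIED):
            pending.setdefault(rule, []).append((ts, eid))
        elif eid == DELETED:
            changes = pending.pop(rule, [])
            if not changes:
                result["orphan_deletes"].append((rule, ts))
            for changed_at, change_eid in changes:
                bucket = "transient" if ts - changed_at <= window else "persistent"
                result[bucket].append((rule, change_eid, changed_at))
    # Anything still pending was never deleted: these are the rules worth reviewing.
    for rule, changes in pending.items():
        result["persistent"] += [(rule, e, t) for t, e in changes]
    result["persistent"].sort(key=lambda item: item[2])
    return result


if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_EVENTS).items():
        print(bucket, [item[0] for item in items])
```

Alerting only on the `persistent` bucket keeps the short-lived GUID-named rules out of the queue while still surfacing exceptions that stay in place.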
