LoFP / Legitimate admin deletions, group policy updates, software installs, security tools, and automated scripts can trigger false positives for Event ID 4948.

Techniques

Sample rules

Windows Firewall Rule Deletion

Description

This detection identifies instances where a Windows Firewall rule has been deleted, potentially exposing the system to security risks. Unauthorized removal of firewall rules can indicate an attacker attempting to bypass security controls or malware disabling protections for persistence and command-and-control communication. The event logs details such as the deleted rule name, protocol, port, and the user responsible for the action. Security teams should monitor for unexpected deletions, correlate with related events, and investigate anomalies to prevent unauthorized access and maintain network security posture.

Detection logic

`wineventlog_security` EventCode=4948 
| stats count min(_time) as firstTime max(_time) as lastTime by RuleName signature subject status dest ProcessID 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_firewall_rule_deletion_filter`
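
The search above groups 4948 events and then hands the rows to the trailing filter macro, so any tuning for the false-positive sources listed at the top can only use the by-fields plus count, firstTime and lastTime. The following Python sketch is an added example, not part of the original rule: it mirrors the grouping over constructed events and applies a hypothetical allowlist keyed on RuleName and dest. The allowlist patterns, host names and field values are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Grouping keys copied from the "stats ... by" clause of the search.
GROUP_BY = ("RuleName", "signature", "subject", "status", "dest", "ProcessID")

# Constructed allowlist (assumption): expected deletions by rule name and host.
ALLOWLIST = [
    {"RuleName": "ExampleUpdater-*", "dest": "*"},      # software install/update
    {"RuleName": "GPO-Managed-*", "dest": "wks-*"},     # group policy refresh
]

def aggregate(events):
    """Mirror: stats count min(_time) as firstTime max(_time) as lastTime by ..."""
    groups = {}
    for ev in events:
        if ev.get("EventCode") != 4948:
            continue
        # Like Splunk's stats, drop events that lack any of the by-fields.
        if any(ev.get(f) is None for f in GROUP_BY):
            continue
        key = tuple(ev[f] for f in GROUP_BY)
        t = ev["_time"]
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return [dict(zip(GROUP_BY, key), **g) for key, g in groups.items()]

def is_allowlisted(row):
    """True when every pattern of at least one allowlist entry matches the row."""
    return any(all(fnmatchcase(row[f], p) for f, p in e.items()) for e in ALLOWLIST)

def detect(events):
    """Aggregated deletions that remain after the allowlist (the filter stage)."""
    return [r for r in aggregate(events) if not is_allowlisted(r)]

def _ev(t, rule, dest, pid="4321", code=4948):
    # Constructed sample event; values are illustrative, not real log data.
    return {"_time": t, "EventCode": code, "RuleName": rule, "signature": "rule deleted",
            "subject": "EXAMPLE\\svc-deploy", "status": "success", "dest": dest, "ProcessID": pid}

SAMPLE_EVENTS = [
    _ev(100, "ExampleUpdater-Inbound", "srv-01"), _ev(160, "ExampleUpdater-Inbound", "srv-01"),
    _ev(200, "GPO-Managed-RDP", "wks-17"),
    _ev(300, "GPO-Managed-RDP", "srv-02"),          # same rule family, unexpected host
    _ev(400, "Block-Outbound-445", "wks-17"), _ev(450, "Block-Outbound-445", "wks-17"),
    _ev(500, "Block-Outbound-445", "wks-17", pid=None),  # missing by-field: dropped
    _ev(600, "Block-Outbound-445", "wks-17", code=4946), # other event ID: ignored
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Scoping each allowlist entry to both a rule-name pattern and a host pattern keeps a GPO-style rule name from suppressing a deletion on a host where that policy is not expected.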