Windows Event ID 4946 — Windows Firewall Exception Added
Logged when a new firewall exception rule is added to the Windows Firewall.
MITRE ATT&CK
T1562.004 · Disable or Modify System Firewall
Defense Evasion
Why It Matters
Attackers add firewall exceptions to allow inbound connections for backdoors, C2 (command and control) tools, or remote access. Unexpected inbound allow rules — especially for unusual ports or executables — indicate persistence or C2 setup.
Key Fields
Investigation Tips
- 1.Review the Application path — exceptions for binaries in Temp, AppData, or ProgramData are high-risk.
- 2.Compare against the baseline of expected firewall rules from your GPO.
- 3.Check 4688 for the process that created the rule — netsh.exe is commonly used.
Seeing Event ID 4946 in your own logs? Upload an .evtx file — EventPeeker flags windows firewall exception added automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.
Analyze my logs →Related Event IDs
Go deeper: the full Living-Off-the-Land Binary Abuse (LOLBins) guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.
Read the Living-Off-the-Land Binary Abuse (LOLBins) guide →See Event ID 4946 in your logs
Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects windows firewall exception added patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.
Analyze EVTX Logs Free →