
Windows Firewall: Collecting Configuration Evidence

Intro

The Windows Firewall is a host-based packet filter built into Windows. It inspects incoming and outgoing network traffic on the host and allows or blocks it according to a set of rules, which may be defined locally or pushed by Group Policy. By default, inbound connections that do not match an allow rule are blocked, while outbound connections are allowed unless a rule explicitly blocks them.

Why does it matter?

Because the firewall decides which connections reach services on the host, its rule set is a natural target. A red team that can modify the rules can open a path to a service that was otherwise unreachable, expose a listener for command and control, or disable protections outright, and then use that access to reach sensitive information or disrupt operations.

A well-configured host firewall is an essential control for limiting an attacker's options. Modifying its rules requires administrative privileges on the computer, so the adversary must either already hold an administrative account or escalate privileges, for example by exploiting a vulnerability in the operating system.

The adversary may create a new rule on the target machine to allow inbound traffic that was otherwise blocked to gain deeper access to sensitive information.

Scenario

Let's assume that an adversary has gained administrative access to a target machine and is now looking for ways to further their goals. They identify a vulnerable web server running on that machine which they cannot reach from their own position, because the host firewall blocks inbound connections to its port. With administrative rights, they can modify the Windows Firewall rules to allow inbound traffic to that port.

They create a new inbound allow rule for the port on the target machine and then launch an exploit against the vulnerability in the web server. This gives the red team deeper access to sensitive information and lets them steal confidential data, furthering their goals and compromising the security of the network.

Real-time monitoring of host telemetry and logs is essential for blue teams to detect and respond to malicious actions as they occur. During an incident, evidence beyond the logs may also be collected, such as the current configuration of the firewall on the host. A snapshot of the rule set taken at the time of the incident supports the investigation by showing exactly what the host was allowing, including any rule the adversary added or changed.

Script

The objective of collecting the firewall configuration is to provide incident response teams with the necessary information to support the incident case and ensure the security of the network moving forward.

This script will output the current Windows firewall configuration to C:\temp\firewall_rules.csv for review.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# Make sure the output directory exists before writing the evidence file.
$outDir = "C:\temp"
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

# Dump every rule in the active firewall policy. The netsh output is localized,
# so the field labels below assume an English-language Windows installation.
$rules = netsh advfirewall firewall show rule name=all
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

$output = @()
$fields = @("Rule Name", "Enabled", "Direction", "Profiles", "Grouping", "LocalIP", "RemoteIP", "Protocol", "LocalPort", "RemotePort", "Edge traversal", "Action")
$rule = [ordered]@{}

# netsh prints each rule as a block of "Label:  value" lines; a "Rule Name:" line
# starts a new rule. The value is taken as everything after the first colon, so
# rule names and IPv6 addresses that themselves contain colons are kept intact.
foreach ($line in $rules) {
    if ($line -match '^\s*(.+?):\s*(.*)$') {
        $label = $Matches[1]
        $value = $Matches[2].Trim()
        if ($label -eq "Rule Name") {
            if ($rule.Count -gt 0) {
                $output += New-Object PSObject -Property $rule
                $rule = [ordered]@{}
            }
            $rule["Rule Name"] = $value
        }
        elseif ($fields -contains $label) {
            $rule[$label] = $value
        }
    }
}

# Flush the last rule, which is not followed by another "Rule Name:" line.
if ($rule.Count -gt 0) {
    $output += New-Object PSObject -Property $rule
}

$output | Select-Object $fields | Export-Csv -Path (Join-Path $outDir "firewall_rules.csv") -NoTypeInformation

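The netsh parser above depends on English field labels and on the text layout staying stable between Windows versions. The following is an added example, not part of the original page, that takes the same snapshot through the NetSecurity cmdlets (Get-NetFirewallRule and its port, address and application filters), which return structured objects, and then hashes the evidence file so that later tampering with it can be detected. It assumes Windows 8 / Server 2012 or later, an elevated prompt, and an output directory of C:\temp; the file naming and the final triage view are choices made for this example.

```powershell
# Added example: structured firewall snapshot via the NetSecurity cmdlets (not the page's script).
$hostName = $env:COMPUTERNAME
$stamp    = (Get-Date).ToUniversalTime().ToString("yyyyMMddTHHmmssZ")
$outDir   = "C:\temp"                                   # assumption: evidence directory
$csvPath  = Join-Path $outDir "$hostName-firewall_rules-$stamp.csv"
$hashPath = "$csvPath.sha256"

if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

# ActiveStore is the policy the host is actually enforcing: local rules merged with
# anything pushed by Group Policy. Ports, addresses and programs live in separate
# filter objects, so they are joined per rule here (one CIM query each, so this takes
# a few seconds on hosts with many rules).
$rows = Get-NetFirewallRule -PolicyStore ActiveStore | ForEach-Object {
    $rule = $_
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $app  = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name              = $rule.Name
        DisplayName       = $rule.DisplayName
        Enabled           = $rule.Enabled
        Direction         = $rule.Direction
        Action            = $rule.Action
        Profile           = $rule.Profile
        Protocol          = $port.Protocol
        LocalPort         = ($port.LocalPort -join ",")
        RemotePort        = ($port.RemotePort -join ",")
        LocalAddress      = ($addr.LocalAddress -join ",")
        RemoteAddress     = ($addr.RemoteAddress -join ",")
        Program           = $app.Program
        EdgeTraversal     = $rule.EdgeTraversalPolicy
        PolicyStoreSource = $rule.PolicyStoreSource   # local vs. the GPO that supplied the rule
    }
}

$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# Record a SHA-256 of the snapshot next to it, sha256sum style, and copy the value
# into the case notes: a hash that only lives on the compromised host proves little.
$hash = Get-FileHash -Path $csvPath -Algorithm SHA256
"$($hash.Hash)  $(Split-Path $csvPath -Leaf)" | Set-Content -Path $hashPath

# Triage view: enabled inbound allow rules, which is where an attacker-added rule
# like the one in the scenario would appear. Rules whose PolicyStoreSource is not a
# GPO on a domain-managed host deserve the first look.
$rows |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Sort-Object Protocol, LocalPort |
    Format-Table DisplayName, Protocol, LocalPort, RemoteAddress, Program, PolicyStoreSource -AutoSize
```

Run this from an elevated PowerShell session on the host under investigation. Using ActiveStore rather than the default PersistentStore matters for the investigation: a locally added rule is only effective if Group Policy does not override it, and the active store is what shows the result of that merge.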
Conclusion

Adequate firewall configuration can hinder an attacker’s progress and help prevent a successful breach. It is crucial to implement restrictive host-based firewall configurations to obstruct the attacker’s path.

Blue teams must monitor changes made to the Windows firewall and respond promptly to mitigate the risk of a deeper breach. By implementing appropriate firewall controls and continuously monitoring for changes, blue teams can effectively defend against potential threats.
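The monitoring the scenario and this conclusion call for does not have to wait for a configuration snapshot: Windows records every firewall rule addition, modification and deletion in the "Windows Firewall With Advanced Security/Firewall" operational log, which is enabled by default and does not depend on Security-log audit policy. The following is an added example, not part of the original page, that pulls those events (IDs 2004 added, 2005 modified, 2006 deleted) for a look-back window and lists who changed what. The look-back period is an assumption for the example; the event data field names and the numeric Direction and Action encodings follow the firewall's own rule format (MS-FASP enumerations) and should be confirmed against a known-good event on the build being investigated.

```powershell
# Added example: list firewall rule changes from the operational log (not the page's script).
param(
    [int]$HoursBack = 24    # assumption: how far back to look
)

$log   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$since = (Get-Date).AddHours(-$HoursBack)

# 2004 = rule added, 2005 = rule modified, 2006 = rule deleted.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2004, 2005, 2006; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data> nodes; index them by Name
    # so the script does not depend on field order between Windows builds.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    $change = switch ($e.Id) {
        2004 { 'Added' }
        2005 { 'Modified' }
        2006 { 'Deleted' }
    }

    [pscustomobject]@{
        Time                 = $e.TimeCreated
        Change               = $change
        RuleName             = $d['RuleName']
        Direction            = $d['Direction']            # logged as a number: 1 = inbound, 2 = outbound
        Action               = $d['Action']               # logged as a number: 2 = block, 3 = allow
        Protocol             = $d['Protocol']
        LocalPorts           = $d['LocalPorts']
        ModifyingUser        = $d['ModifyingUser']        # SID of the principal that made the change
        ModifyingApplication = $d['ModifyingApplication'] # binary that made the change, e.g. netsh.exe
        RecordId             = $e.RecordId                # cite this in the case file
    }
}

if (-not $changes) {
    Write-Host "No firewall rule changes in the last $HoursBack hours (or the log was cleared)."
}
else {
    # A newly added inbound allow rule created by an interactive user or by netsh.exe /
    # powershell.exe rather than by Group Policy is the pattern from the scenario above.
    $changes | Sort-Object Time | Format-Table -AutoSize
}
```

Resolve the ModifyingUser SID with `[System.Security.Principal.SecurityIdentifier]::new($sid).Translate([System.Security.Principal.NTAccount])` when the account still exists, and treat an empty result for the window with suspicion when other evidence says a rule changed: clearing this log is itself a finding. If the Security log is configured to audit "MPSSVC Rule-Level Policy Change", events 4946 (added), 4947 (modified) and 4948 (deleted) provide a second, independently forwardable record of the same changes.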