@rc-MikeDevens
Last active September 4, 2022 05:09
Windows firewall rules to block LOLBAS

LOLBAS Firewall Block Rules

Many Windows binaries that can be abused by attackers to make undesired network connections do not need network connectivity for 'normal' functionality. With the Windows firewall, we can therefore create rules to block outbound network connections from these binaries as an additional layer of protection.

Note: Depending on your environment, these firewall rules may cause issues. Test before implementing.

These rules have been in place in my personal network without issue:

```powershell
New-NetFirewallRule -DisplayName "regsvr32 block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\regsvr32.exe" -Action Block
New-NetFirewallRule -DisplayName "regsvr32 block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\regsvr32.exe" -Action Block
New-NetFirewallRule -DisplayName "mshta block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\mshta.exe" -Action Block
New-NetFirewallRule -DisplayName "mshta block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\mshta.exe" -Action Block
New-NetFirewallRule -DisplayName "bitsadmin block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\bitsadmin.exe" -Action Block
New-NetFirewallRule -DisplayName "bitsadmin block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\bitsadmin.exe" -Action Block
New-NetFirewallRule -DisplayName "certutil block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\certutil.exe" -Action Block
New-NetFirewallRule -DisplayName "certutil block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\certutil.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 3" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 4" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 5" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "Msbuild block 6" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe" -Action Block
New-NetFirewallRule -DisplayName "hh block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\hh.exe" -Action Block
New-NetFirewallRule -DisplayName "hh block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\hh.exe" -Action Block
New-NetFirewallRule -DisplayName "makecab block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\makecab.exe" -Action Block
New-NetFirewallRule -DisplayName "makecab block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\makecab.exe" -Action Block
New-NetFirewallRule -DisplayName "ieexec block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe" -Action Block
New-NetFirewallRule -DisplayName "ieexec block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe" -Action Block
New-NetFirewallRule -DisplayName "Expand block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\Expand.exe" -Action Block
New-NetFirewallRule -DisplayName "Expand block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\Expand.exe" -Action Block
New-NetFirewallRule -DisplayName "extrac32 block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\extrac32.exe" -Action Block
New-NetFirewallRule -DisplayName "extrac32 block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\extrac32.exe" -Action Block
```

These rules are untested:

```powershell
New-NetFirewallRule -DisplayName "replace block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\replace.exe" -Action Block
New-NetFirewallRule -DisplayName "replace block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\SysWOW64\replace.exe" -Action Block
New-NetFirewallRule -DisplayName "printbrm block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\spool\tools\PrintBrm.exe" -Action Block
New-NetFirewallRule -DisplayName "imewdbld block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\IME\SHARED\IMEWDBLD.exe" -Action Block
New-NetFirewallRule -DisplayName "findstr block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\findstr.exe" -Action Block
New-NetFirewallRule -DisplayName "findstr block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\SysWOW64\findstr.exe" -Action Block
New-NetFirewallRule -DisplayName "esentutl block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\System32\esentutl.exe" -Action Block
New-NetFirewallRule -DisplayName "esentutl block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "C:\Windows\SysWOW64\esentutl.exe" -Action Block
New-NetFirewallRule -DisplayName "diantz block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "c:\windows\system32\diantz.exe" -Action Block
New-NetFirewallRule -DisplayName "diantz block 2" -Group "LOLBAS Block Exp" -Direction Outbound -Program "c:\windows\SysWOW64\diantz.exe" -Action Block
New-NetFirewallRule -DisplayName "desktopimgdownldr block 1" -Group "LOLBAS Block Exp" -Direction Outbound -Program "c:\windows\system32\desktopimgdownldr.exe" -Action Block
```

Finally, some more aggressive rules:

```powershell
New-NetFirewallRule -DisplayName "wscript block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\wscript.exe" -Action Block
New-NetFirewallRule -DisplayName "wscript block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\wscript.exe" -Action Block
New-NetFirewallRule -DisplayName "cscript block 1" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\System32\cscript.exe" -Action Block
New-NetFirewallRule -DisplayName "cscript block 2" -Group "LOLBAS Block" -Direction Outbound -Program "C:\Windows\SysWOW64\cscript.exe" -Action Block
```
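An added example, not part of the gist, that applies the same New-NetFirewallRule approach as a re-runnable script: it skips binaries that are absent on the host (the older .NET Framework directories are often missing), does not create duplicate rules on a second run, verifies every rule in the group, and turns on dropped-packet logging so blocked attempts are visible to defenders. The function names, the shortened path list, and the "LOLBAS block: <path>" display-name scheme are assumptions for illustration; it needs an elevated session and the built-in NetSecurity cmdlets.

```powershell
# Added example (not from the original gist). Assumes an elevated PowerShell
# session with the built-in NetSecurity module; $lolbasPaths is a constructed
# subset of the gist's list, using $env:SystemRoot instead of a hard-coded C:\Windows.
$group = 'LOLBAS Block'
$lolbasPaths = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe",
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe",
    "$env:SystemRoot\System32\certutil.exe",
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe",
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe"
)

function Add-LolbasBlockRule {
    param([string]$Path, [string]$Group)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping missing binary: $Path"   # e.g. an absent .NET version
        return
    }
    $name = "LOLBAS block: $Path"   # one unique rule per binary path
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        return   # already present; keeps the script safe to re-run
    }
    New-NetFirewallRule -DisplayName $name -Group $Group -Direction Outbound `
        -Program $Path -Action Block -Profile Any | Out-Null
}

# Every rule in the group must be enabled, outbound, blocking, and point at a real file.
function Test-LolbasBlockRules {
    param([string]$Group)
    Get-NetFirewallRule -Group $Group | ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        $prog = [Environment]::ExpandEnvironmentVariables($prog)
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = $prog
            Ok      = ($_.Enabled -eq 'True' -and $_.Direction -eq 'Outbound' -and
                       $_.Action -eq 'Block' -and (Test-Path -LiteralPath $prog))
        }
    }
}

foreach ($p in $lolbasPaths) { Add-LolbasBlockRule -Path $p -Group $group }
Test-LolbasBlockRules -Group $group | Format-Table -AutoSize

# Log dropped packets so blocked LOLBAS connection attempts land in
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log for review.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True
```

The rules match on program path only, so Test-LolbasBlockRules flags any rule whose path does not resolve on the host; rerun it after Windows feature or .NET changes.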

Note: I've had this gist on my personal GitHub account for a while and I don't remember where it may have originally come from. If they look familiar to you, I'd love to provide the proper credit.
