Exporting Windows Firewall Rules

 
  

Bunnysniper
Senior Member
 

Exporting Windows Firewall Rules

Posted: Aug 23, 17 12:44

Hello,

Does anyone know any nice software or script to export Windows Firewall rules from the Registry to a CSV file or any other human-readable format? Currently I am comparing those rules to check for any anomaly...

best regards,
Robin  
 
  

keydet89
Senior Member
 

Re: Exporting Windows Firewall Rules

Posted: Aug 23, 17 13:39

If you can share a sample (you didn't mention which version of Windows you're working with) I could write a RegRipper plugin, or extend the current fw_config.pl plugin.  
 
  

Bunnysniper
Senior Member
 

Re: Exporting Windows Firewall Rules

Posted: Aug 23, 17 14:27

- keydet89
If you can share a sample (you didn't mention which version of Windows you're working with) I could write a RegRipper plugin, or extend the current fw_config.pl plugin.


Harlan, I had a look at your RegRipper at first :)
Currently I am interested in analyzing the data from:

\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
\FirewallRules\
\RestrictedServices\AppIso\FirewallRules
\RestrictedServices\Configurable\System
\RestrictedServices\Static\System

and compare it to
\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules

to detect any added or modified firewall rules.
If you want to modify the existing plugin, you could read the logging configuration from:

\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
\DomainProfile\Logging
\PublicProfile\Logging
\StandardProfile\Logging

That would be nice, a valuable addition for RegRipper and a help for me and any other analyst!
The mentioned OS is Windows 10.

best regards, Robin

Edit: shortened the registry path and added the OS  
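
The comparison described in the post above, as an added example that is not part of the thread and is not RegRipper code: it diffs the rules under the active FirewallRules key against the Defaults key and renders the differences as CSV. It assumes the values have already been read from the SYSTEM hive into `{value name: data}` maps and that each rule's data is the pipe-delimited `v2.x|Key=Value|...` string; the function names and the sample rules are constructed for illustration.

```python
import csv
import io
COLUMNS = ["Status", "ValueName", "Name", "Action", "Active", "Dir", "Protocol", "LPort", "RPort", "App", "Other"]

def parse_rule(data):
    """Split a pipe-delimited rule string into {field: value}; repeated fields are joined with ';'."""
    parts = [p for p in data.split("|") if p]
    rule = {"Version": parts[0]} if parts and "=" not in parts[0] else {}
    for part in parts[len(rule):]:
        key, _, value = part.partition("=")
        rule[key] = f"{rule[key]};{value}" if key in rule else value
    return rule

def diff_rules(current, defaults):
    """Return (status, value name, parsed rule) for rules added, removed or modified vs. the defaults."""
    rows = []
    for name in sorted(set(current) | set(defaults)):
        if name not in defaults:
            status = "added"
        elif name not in current:
            status = "removed"
        elif parse_rule(current[name]) != parse_rule(defaults[name]):
            status = "modified"
        else:
            continue  # identical to the default rule, nothing to report
        rows.append((status, name, parse_rule(current.get(name, defaults.get(name)))))
    return rows

def to_csv(rows):
    """Render the diff as CSV text; fields without their own column go into 'Other'."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for status, name, rule in rows:
        known = {k: v for k, v in rule.items() if k in COLUMNS}
        other = ";".join(f"{k}={v}" for k, v in rule.items() if k not in COLUMNS)
        writer.writerow({**known, "Status": status, "ValueName": name, "Other": other})
    return out.getvalue()

# Constructed sample data (value names and rules are made up for illustration).
DEFAULTS = {
    "Example-DNS-Out": "v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=53|Name=DNS out|",
    "Example-RDP-In": "v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=3389|Name=Remote Desktop|",
}
CURRENT = {
    "Example-DNS-Out": DEFAULTS["Example-DNS-Out"],
    "Example-RDP-In": DEFAULTS["Example-RDP-In"].replace("Active=FALSE", "Active=TRUE"),
    "{EXAMPLE-GUID}": "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8080|App=C:\\Temp\\tool.exe|Name=Updater|",
}
```

Calling `to_csv(diff_rules(CURRENT, DEFAULTS))` on the sample maps yields one row for the default rule that was switched on and one for the rule that has no counterpart under Defaults.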
 
  

keydet89
Senior Member
 

Re: Exporting Windows Firewall Rules

Posted: Aug 23, 17 16:17

Robin,

- Bunnysniper
- keydet89
If you can share a sample...



Do you have any exemplar data that you can share?  
 
