Join Us!

Exporting Windows F...
 
Notifications
Clear all

Exporting Windows Firewall Rules  

  RSS
Bunnysniper
(@bunnysniper)
Active Member

Hello,

does anyone know a nice software or script to export Windows Firewall rules from the Registry to a csv file or any other human readable format? Currently i am comparing those rules to check for any anomaly…

best regards,
Robin

Quote
Posted : 23/08/2017 1:44 pm
keydet89
(@keydet89)
Community Legend

If you can share a sample (you didn't mention which version of Windows you're working with) I could write a RegRipper plugin, or extend the current fw_config.pl plugin.

ReplyQuote
Posted : 23/08/2017 2:39 pm
Bunnysniper
(@bunnysniper)
Active Member

If you can share a sample (you didn't mention which version of Windows you're working with) I could write a RegRipper plugin, or extend the current fw_config.pl plugin.

Harlan, i had a look at your Regripper at first -)
Currently i am interested in analyzing the data from

\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
\FirewallRules\
\RestrictedServices\AppIso\FirewallRules
RestrictedServices\Configurable\System
\RestrictedServices\Static\System

and compare it to
\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules

to detect any added or modified firewall rules.
If you want to modify the existing plugin, you could read the logging configuration from

\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
\DomainProfile\Logging
\PublicProfile\Logging
\StandardProfile\Logging

That would be nice, a valuable addition for Regripper and a help for me and any other analyst!
The mentioned OS is Windows 10.

best regards, Robin

Edit shortened the registry path and added the OS

ReplyQuote
Posted : 23/08/2017 3:27 pm
keydet89
(@keydet89)
Community Legend

Robin,

If you can share a sample…

Do you have any exemplar data that you can share?

ReplyQuote
Posted : 23/08/2017 5:17 pm
Share: