rieskaniemi.com

yet another it blog

Block malware with Windows Firewall and Group Policies

Lemon Duck Kill chain

A lot of malware uses tools built into Windows (script hosts and other LOLBins) to download payloads from remote servers. (Image Copyright Sophos Labs)

Many antivirus and intrusion detection products can block this kind of activity, but similar protection can be had at no additional cost with Group Policy and Windows Firewall: outbound firewall rules that block PowerShell and other built-in script hosts from connecting to public IP addresses, while private ranges stay reachable. Keep in mind that some users, developers in particular, use these tools legitimately; exclude their machines with GPO security filtering or a separate OU. Note also that a Windows Firewall program rule matches on the executable path, so it stops the built-in binaries at the listed paths but not a copy of powershell.exe dropped somewhere else, nor a separately installed PowerShell 7 (pwsh.exe under Program Files). Treat this as one layer of defence in depth rather than a complete control.

As always, test the policy first on a small batch of computers.

Create GPO
Create a new Group Policy Object.
GPO name
Give the policy a name. I prefer to name mine based on policy type (user policy = POL_U_, machine policy = POL_M_).
Edit GPO
Edit your newly created policy.
Outbound firewall rules
Open Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Outbound Rules.
New firewall rule
Click New Rule.
Firewall rule wizard
Select Program as the rule type.
Program path
Enter the program path, e.g. %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe.
Block connection setting
Select Block the connection.
Profiles selection
Apply the rule to all profiles (Domain, Private and Public).
Rule naming
Name it as you want.
Rule listed
Open the rule for further configuration.
Rule settings after creation

Go to the Scope tab and, under Remote IP address, select These IP addresses.

Public IP ranges to rule
Enter the first public IP range to be blocked.

Repeat for the rest of the public IP ranges. Together these cover all of unicast IPv4 (0.0.0.0 to 223.255.255.255) except the blocks that are private, loopback, link-local or otherwise reserved and not routed on the internet (0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.0/24, 192.0.2/24, 192.88.99/24, 192.168/16 and 198.18/15). Note that 128.0.0.0/8 and 191.0.0.0/8 are ordinary public space and must be included:

1.0.0.0 – 9.255.255.255
11.0.0.0 – 126.255.255.255
128.0.0.0 – 169.253.255.255
169.255.0.0 – 172.15.255.255
172.32.0.0 – 191.255.255.255
192.0.1.0 – 192.0.1.255
192.0.3.0 – 192.88.98.255
192.88.100.0 – 192.167.255.255
192.169.0.0 – 198.17.255.255
198.20.0.0 – 223.255.255.255

If your network also carries IPv6, add the global unicast block 2000::/3 to the same scope; otherwise the rule has no effect on IPv6 connections.
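A hand-typed range list is easy to get wrong, and any hole in it is public space the rule silently lets through. The following is an added example (not a script from the original post) that walks a range list in address order, reports every hole it leaves in 0.0.0.0 to 223.255.255.255, and flags any hole that is not one of the private or reserved blocks we intend to leave open. The range list and the intentional-gap list embedded at the bottom are sample input constructed for the example; delete any line of the range list and the script names the hole.

```powershell
# Added example, not from the original post: coverage check for a firewall
# scope built from IPv4 ranges. Runs offline in Windows PowerShell 5.1 or PowerShell 7.

function ConvertTo-UInt32 {
    param([Parameter(Mandatory)][string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: $Ip" }
    [array]::Reverse($bytes)                       # network order -> little-endian host order
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 {
    param([Parameter(Mandatory)][uint32]$Value)
    $bytes = [System.BitConverter]::GetBytes($Value)
    [array]::Reverse($bytes)
    [System.Net.IPAddress]::new($bytes).ToString()
}

function Get-UncoveredRanges {
    param(
        [Parameter(Mandatory)][string[]]$BlockedRanges,   # 'a.b.c.d-e.f.g.h', hyphen or en dash
        [string]$Start = '0.0.0.0',
        [string]$End   = '223.255.255.255'                 # 224/4 and 240/4 are multicast/reserved
    )
    $ranges = foreach ($r in $BlockedRanges) {
        $a, $b = ($r -split '\s*[-–]\s*', 2)
        [pscustomobject]@{ Start = [long](ConvertTo-UInt32 $a.Trim()); End = [long](ConvertTo-UInt32 $b.Trim()) }
    }
    $cursor = [long](ConvertTo-UInt32 $Start)
    $limit  = [long](ConvertTo-UInt32 $End)
    foreach ($r in ($ranges | Sort-Object Start)) {
        if ($r.Start -gt $cursor) {                        # hole between the cursor and this range
            [pscustomobject]@{ From = ConvertFrom-UInt32 ([uint32]$cursor); To = ConvertFrom-UInt32 ([uint32]($r.Start - 1)) }
        }
        if ($r.End -ge $cursor) { $cursor = $r.End + 1 }  # overlapping ranges are tolerated
    }
    if ($cursor -le $limit) {                              # hole after the last range
        [pscustomobject]@{ From = ConvertFrom-UInt32 ([uint32]$cursor); To = ConvertFrom-UInt32 ([uint32]$limit) }
    }
}

function Test-PublicRangeCoverage {
    param([string[]]$BlockedRanges, [string[]]$IntentionalGaps)
    $ok = $IntentionalGaps | ForEach-Object { $_ -replace '\s*[-–]\s*', '-' }
    foreach ($g in Get-UncoveredRanges -BlockedRanges $BlockedRanges) {
        if ("$($g.From)-$($g.To)" -notin $ok) { $g }      # public space the rule does not block
    }
}

# Sample input (constructed for this example): the scope the rule should use.
$PublicRanges = @(
    '1.0.0.0 – 9.255.255.255',        '11.0.0.0 – 126.255.255.255'
    '128.0.0.0 – 169.253.255.255',    '169.255.0.0 – 172.15.255.255'
    '172.32.0.0 – 191.255.255.255',   '192.0.1.0 – 192.0.1.255'
    '192.0.3.0 – 192.88.98.255',      '192.88.100.0 – 192.167.255.255'
    '192.169.0.0 – 198.17.255.255',   '198.20.0.0 – 223.255.255.255'
)
# Holes we intend to leave open: private, loopback, link-local and reserved blocks.
$IntentionalGaps = @(
    '0.0.0.0-0.255.255.255', '10.0.0.0-10.255.255.255', '127.0.0.0-127.255.255.255',
    '169.254.0.0-169.254.255.255', '172.16.0.0-172.31.255.255', '192.0.0.0-192.0.0.255',
    '192.0.2.0-192.0.2.255', '192.88.99.0-192.88.99.255', '192.168.0.0-192.168.255.255',
    '198.18.0.0-198.19.255.255'
)

$unexpected = @(Test-PublicRangeCoverage -BlockedRanges $PublicRanges -IntentionalGaps $IntentionalGaps)
if ($unexpected.Count -eq 0) {
    'Coverage OK: only private/reserved space is left open.'
} else {
    'Public space NOT blocked by the scope:'
    $unexpected | Format-Table -AutoSize
}
```

The check deliberately treats over-blocking as harmless (a reserved block that ends up inside the scope costs nothing) and only complains about holes, because a hole is exactly what an attacker's download server could sit in.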

Save the rule and add another one for the 32-bit version of PowerShell under SysWOW64 (on 64-bit Windows the System32 path is the 64-bit build).

Continue by creating the same rule for each of the following programs:

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
%SystemRoot%\syswow64\WindowsPowerShell\v1.0\powershell.exe
%windir%\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
%windir%\syswow64\WindowsPowerShell\v1.0\PowerShell_ISE.exe
%SystemRoot%\System32\wscript.exe
%SystemRoot%\SysWOW64\wscript.exe
%SystemRoot%\System32\cscript.exe
%SystemRoot%\SysWOW64\cscript.exe
%SystemRoot%\System32\mshta.exe
%SystemRoot%\SysWOW64\mshta.exe
%SystemRoot%\System32\regsvr32.exe
%SystemRoot%\SysWOW64\regsvr32.exe
%SystemRoot%\System32\rundll32.exe
%SystemRoot%\SysWOW64\rundll32.exe
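Clicking through the wizard fourteen times is where scope typos creep in. The following is an added example (not the post's own script) that builds the same rule set with the NetSecurity cmdlets: one outbound block rule per program, every rule scoped to the public IPv4 ranges plus IPv6 global unicast, written straight into the GPO. Assumptions: the GPO named in $PolicyStore already exists, the domain name is a placeholder, the script runs as a user allowed to edit that GPO with the Group Policy management tools installed, and omitting -PolicyStore writes the rules to the local firewall instead, which is handy for the test batch.

```powershell
# Added example, not from the original post: create the outbound block rules in a GPO.

$PolicyStore = 'corp.example\POL_M_BlockLOLBinOutbound'   # placeholder: "<domain FQDN>\<GPO display name>"

# Unicast IPv4 minus private/loopback/link-local/reserved space, plus IPv6 global unicast.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',       '11.0.0.0-126.255.255.255'
    '128.0.0.0-169.253.255.255',   '169.255.0.0-172.15.255.255'
    '172.32.0.0-191.255.255.255',  '192.0.1.0-192.0.1.255'
    '192.0.3.0-192.88.98.255',     '192.88.100.0-192.167.255.255'
    '192.169.0.0-198.17.255.255',  '198.20.0.0-223.255.255.255'
    '2000::/3'
)

# The script hosts and LOLBins listed above, 64-bit (System32) and 32-bit (SysWOW64) copies.
$Programs = foreach ($exe in 'WindowsPowerShell\v1.0\powershell.exe',
                             'WindowsPowerShell\v1.0\PowerShell_ISE.exe',
                             'wscript.exe', 'cscript.exe', 'mshta.exe',
                             'regsvr32.exe', 'rundll32.exe') {
    "%SystemRoot%\System32\$exe"
    "%SystemRoot%\SysWOW64\$exe"
}

function New-LolBinBlockRules {
    param(
        [string]$PolicyStore,            # omit to target the local firewall of this machine
        [Parameter(Mandatory)][string[]]$Programs,
        [Parameter(Mandatory)][string[]]$RemoteAddress
    )
    # A GPO session batches all changes and writes them once with Save-NetGPO.
    $gpo = if ($PolicyStore) { Open-NetGPO -PolicyStore $PolicyStore } else { $null }

    $common = @{
        Direction     = 'Outbound'
        Action        = 'Block'
        Profile       = 'Any'            # Domain, Private and Public
        Enabled       = 'True'
        RemoteAddress = $RemoteAddress   # the Scope > Remote IP address list
        Group         = 'Block LOLBins to public IPs'
    }
    if ($gpo) { $common.GPOSession = $gpo }

    foreach ($p in $Programs) {
        $exe  = Split-Path -Leaf $p
        $bits = if ($p -match '\\SysWOW64\\') { '32-bit' } else { '64-bit' }
        $name = "Block $exe ($bits) outbound to public IPs"

        # Idempotent: re-running the script must not create duplicate rules.
        $query = @{ DisplayName = $name; ErrorAction = 'SilentlyContinue' }
        if ($gpo) { $query.GPOSession = $gpo }
        if (Get-NetFirewallRule @query) { Write-Verbose "exists: $name"; continue }

        New-NetFirewallRule @common -DisplayName $name -Program $p `
            -Description "Stops $exe from downloading from the internet; private ranges stay reachable." | Out-Null
        Write-Host "created: $name"
    }
    if ($gpo) { Save-NetGPO -GPOSession $gpo }
}

New-LolBinBlockRules -PolicyStore $PolicyStore -Programs $Programs -RemoteAddress $PublicRanges
```

The Group value lets you find, disable or remove the whole set with one Get-NetFirewallRule -Group call later, and environment variables in -Program are expanded by the firewall service on each client, so the rules work regardless of where Windows is installed.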

All rules created
In the end you'll have something similar to the above.
Testing using powershell
Testing a connection from PowerShell before the firewall rules are applied.
PowerShell test successful
And with the firewall rule applied.
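A failed Invoke-WebRequest proves only that something went wrong; to be sure it was this rule, check the Windows Filtering Platform audit event, which records the blocked executable and destination. The following is an added example (not from the original post) for a machine that has received the policy: it repeats the download test against one public and one private destination, then pulls recent WFP block events (Security log event ID 5157) for powershell.exe. Assumptions: both URLs are placeholders, "Filtering Platform Connection" failure auditing is enabled (auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable), and the shell is elevated so it can read the Security log.

```powershell
# Added example, not from the original post: verify the block end to end.

function Test-OutboundBlock {
    param(
        [string]$PublicUrl  = 'https://www.example.com/',   # placeholder internet host
        [string]$PrivateUrl = 'http://10.0.0.10/'           # placeholder internal web server
    )
    foreach ($url in $PublicUrl, $PrivateUrl) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $url; Result = "reachable (HTTP $($resp.StatusCode))" }
        } catch {
            # With the rule applied the public URL ends up here; the private one should not.
            [pscustomobject]@{ Url = $url; Result = "blocked/failed: $($_.Exception.Message)" }
        }
    }
}

function Get-RecentWfpBlocks {
    param(
        [int]$Minutes = 10,
        # 5157 reports the NT device path, e.g. \device\harddiskvolume3\windows\system32\windowspowershell\v1.0\powershell.exe
        [string]$ApplicationLike = '*\powershell.exe'
    )
    $filter = @{ LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.Application -like $ApplicationLike) {     # -like is case-insensitive
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Application = $data.Application
                Destination = "$($data.DestAddress):$($data.DestPort)"
                Direction   = $data.Direction        # raw value %%14593 means Outbound
                FilterId    = $data.FilterRTID       # runtime id of the WFP filter that matched
            }
        }
    }
}

Test-OutboundBlock      | Format-Table -AutoSize
Get-RecentWfpBlocks -Minutes 5 | Format-Table -AutoSize
```

Seeing a 5157 event whose Application ends in powershell.exe and whose destination is the public address you tried confirms the drop came from the firewall and not from DNS, a proxy or the remote side. The same query, pointed at the other binaries in the list, is a cheap detection signal once the policy is in production: a burst of blocked mshta.exe or regsvr32.exe connections to the internet is worth a look.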

That's it. A few easy firewall rules can make a big difference.
