FirewallHardening tool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,238
FIREWALLHARDENING

FirewallHardening is a part of the Hard_Configurator project and can be used also as a standalone application among a few others included in the H_C_HardeningTools repository:
https://github.com/AndyFul/ConfigureDefender/tree/master/H_C_HardeningTools

The FirewallHardening tool can apply and manage Outbound Block Rules in Windows Firewall by using Windows policies. A restart of Windows is required to apply the configuration changes. On Windows 10, the execution of bitsadmin.exe (LOLBin) can be blocked via Windows built-in Exploit Protection ('Disable win32k system calls').

The paths of blocked executables are displayed as a list. Each entry can be managed by using the buttons located at the bottom of the application GUI. The applied rules may also be viewed when using Windows Firewall Advanced settings, but can be managed only by the FirewallHardening tool, or by editing the Registry under the key:

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules

User Custom Rules Controls allow the user to manage the rules on the BlockList. Please use mouse-click and the CTRL key to highlight several items on the BlockList. A block of rules can be selected by using the mouse-click to highlight the beginning of the block and then the combination <Shift> <Down arrow> to select the block.

<Add Rule> button allows adding the rule for any executable.

<Deactivate Rule> button can make the highlighted rules 'Inactive' on the BlockList, but it does not remove them. If the user does not want to block a particular executable (LOLBin) then the rule should be deactivated, but not removed. The 'Inactive' rule will not be changed when adding/updating the rules.

<Block Rule> button changes highlighted 'Inactive' rules to 'Block' rules.

<Remove Rule> button removes the highlighted rules from the BlockList (and Windows Firewall settings). It can be used to remove the users' custom rules. It should not be used to unblock predefined FirewallHardening rules.

The user can add/remove some predefined rules: 'LOLBins', 'MS Office', 'Adobe Acrobat Reader', 'Recommended H_C'. They are visible on the right of the application GUI.

« 'LOLBins' rules are related to Living Off The Land executables from system folders, which are known to be commonly abused by malc0ders.

« 'MS Office' and 'Adobe Acrobat Reader' rules are related to Word, Excel, PowerPoint, Equation Editor, and Acrobat Reader applications.

« 'Recommended H_C' is a part of 'LOLBins'. These rules are suited to users who installed the Hard_Configurator Windows hardening application and applied the <Recommended Settings>.


Using the FirewallHardening Log of blocked events.

The user can enable auditing Windows Firewall with Advanced Security in category 'Object Access' and subcategory 'Audit Filtering Platform Connection' (Event Id=5157). This can be done by choosing the radio button 'ON', under 'Start logging events'.
If auditing is enabled, then the blocked events can be filtered from Windows Security Log by pressing the <Blocked Events> button, visible under the OFF/ON radio buttons. The Security Log can store these events for several hours (usually 48 hours).

Please note that the <Blocked Events> output can show only the events related to the current FirewallHardening BlockRules. After deactivating or removing a particular rule, the blocked events caused by this rule are skipped in the <Blocked Events> output. If the FirewallHardening BlockList is empty or all rules are inactive, then the <Blocked Events> output will not include any blocked event.


Loading and saving BlockLists.

'BlockList' <Load> and <Save> buttons allow using several BlockLists from the *.fhbl files. The new FirewallHardening version is usually published with the file 'UpdateFirewallRules.fhbl' that contains the new rules. Each rule starts with terms: Block : , Inactive : , Block!: , Inactive!:

The exclamation mark means that the file path is not checked, so the rule will be added even if the file does not exist on the disk. A rule without an exclamation mark is checked, and if the file is not on the disk in the required location, the rule will be skipped. But on Windows 32-bit, rules related to Windows 64-bit are always ignored (not loaded), even rules with the exclamation mark.

The rules can include the known Windows environment variables like:
%SystemRoot%
%ProgramData%
%ProgramFiles%
%ProgramFiles(x86)%
%SystemDrive%

FirewallHardening can also accept a few custom variables like:
%System32% (usually C:\Windows\System32),
%SysWOW64% (usually C:\Windows\SysWOW64),
%Framework% (usually C:\Windows\Microsoft.NET\Framework),
%Framework64% (usually C:\Windows\Microsoft.NET\Framework64),
%PowerShell% (usually C:\Windows\System32\WindowsPowerShell\v1.0),
%PowerShell64% (usually C:\Windows\SysWOW64\WindowsPowerShell\v1.0)

It may happen that a rule included in the file 'UpdateFirewallRules.fhbl' is already on the FirewallHardening BlockList. In such a case the new rule will be skipped. Other new rules are initially added at the end of the FirewallHardening BlockList, but after running the tool a second time all rules are sorted, so the 'Block' rules are at the beginning and 'Inactive' rules at the end. The 'Inactive' rules are related to LOLBins that are not included in the 'Recommended H_C' preset.
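Added example, not code from FirewallHardening or the Hard_Configurator project: a minimal reader for the .fhbl rule lines described in the post (the Block / Inactive / '!' prefixes, the custom %System32%-style variables, the file-existence check, the 32-bit skip, the duplicate skip and the Block-first sort), followed by the filter the post describes for the <Blocked Events> button: Security-log events with Id 5157 are kept only where they match a rule that is currently 'Block'. The assumption that a rule line is "<prefix><path>" is mine; the post gives the prefixes but not the full file layout. The sample lines are constructed.

```powershell
# Added example, not FirewallHardening's own code. Assumption (not stated in the
# post): a rule line is "<prefix><path>", e.g. "Block : %System32%\bitsadmin.exe".

# Custom variables that FirewallHardening accepts (values quoted from the post).
$CustomVars = @{
    'System32'     = "$env:SystemRoot\System32"
    'SysWOW64'     = "$env:SystemRoot\SysWOW64"
    'Framework'    = "$env:SystemRoot\Microsoft.NET\Framework"
    'Framework64'  = "$env:SystemRoot\Microsoft.NET\Framework64"
    'PowerShell'   = "$env:SystemRoot\System32\WindowsPowerShell\v1.0"
    'PowerShell64' = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0"
}

function Expand-RulePath([string]$Path) {
    # Custom variables first, then the ordinary %VAR% environment variables.
    foreach ($k in $CustomVars.Keys) {
        $Path = $Path -ireplace "%$k%", $CustomVars[$k]
    }
    return [Environment]::ExpandEnvironmentVariables($Path)
}

function Import-FhblRules {
    param([string[]]$Lines, [object[]]$Existing = @())
    $is64  = [Environment]::Is64BitOperatingSystem
    $rules = [System.Collections.Generic.List[object]]::new()
    foreach ($r in $Existing) { $rules.Add($r) }
    foreach ($line in $Lines) {
        if ($line -notmatch '^(Block|Inactive)(!?)\s*:\s*(.+?)\s*$') { continue }
        $state, $force, $raw = $Matches[1], $Matches[2], $Matches[3]
        $path = Expand-RulePath $raw
        # On 32-bit Windows the 64-bit-only locations are ignored even with '!'
        # (assumed here to mean SysWOW64, Framework64 and Program Files (x86) paths).
        if (-not $is64 -and $path -imatch 'SysWOW64|Framework64|Program ?Files ?\(x86\)') { continue }
        # Without '!', the file must exist on disk or the rule is skipped.
        if (-not $force -and -not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        # A rule already on the BlockList is skipped, not duplicated.
        if ($rules | Where-Object { $_.Path -ieq $path }) { continue }
        $rules.Add([pscustomobject]@{ State = $state; Path = $path })
    }
    # Final order as the post describes: 'Block' rules first, 'Inactive' last.
    $rules | Sort-Object { if ($_.State -eq 'Block') { 0 } else { 1 } }
}

function Get-BlockedEvents {
    param([object[]]$Rules, [int]$Hours = 48)
    # Only rules that are currently 'Block' count; Inactive or removed rules are skipped.
    $blocked = @($Rules | Where-Object { $_.State -eq 'Block' } | ForEach-Object { $_.Path.ToLowerInvariant() })
    if ($blocked.Count -eq 0) { return @() }
    $filter = @{ LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 5157 reports the image as a device path (\device\harddiskvolumeN\...);
        # compare the part after the volume with the rule path minus its drive letter.
        $app  = ("$($d['Application'])" -ireplace '^\\device\\harddiskvolume\d+', '').ToLowerInvariant()
        $rule = $blocked | Where-Object { $_.Substring(2) -eq $app } | Select-Object -First 1
        if ($rule -and $d['Direction'] -eq '%%14593') {   # %%14593 = Outbound
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Rule        = $rule
                Destination = "$($d['DestAddress']):$($d['DestPort'])"
                ProcessId   = $d['ProcessID']
            }
        }
    }
}

# Constructed sample lines, not the real UpdateFirewallRules.fhbl.
$sample = @(
    'Block : %System32%\bitsadmin.exe'
    'Inactive : %System32%\desktopimgdownldr.exe'
    'Block!: %ProgramFiles(x86)%\Not\Installed\tool.exe'   # kept although the file does not exist
    'Block : %SysWOW64%\does-not-exist.exe'                # skipped: file not on disk
)
$rules = Import-FhblRules -Lines $sample
$rules | Format-Table -AutoSize
Get-BlockedEvents -Rules $rules | Format-Table -AutoSize   # elevated session, auditing set to 'ON'
```

Reading the Security log needs an elevated session, and 5157 events only appear after 'Audit Filtering Platform Connection' has been enabled, which is what the tool's ON radio button does. The device-path comparison assumes the rule points at the system volume; rules on another volume would need the volume letter mapped first.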

Andy Ful

Can we block any .exe ('Disable win32k system calls') using this tool, or do we have to do it from Windows Defender?

The Exploit Protection mitigation "Disable win32k system calls" is used exceptionally in FirewallHardening for the Bitsadmin LOLBin. Other EXE files have to be blocked (if necessary) via Security Center or another tool.

I used this unconventional method for Bitsadmin LOLBin because it only starts the process of making an outbound connection:
bitsadmin.exe --> BITS --> svchost.exe --> outbound connection

So, one could only block svchost.exe in the firewall to prevent the outbound connections started by bitsadmin.exe. It would not be safe to block connections of svchost.exe because it hosts many services. On the contrary, the starting process bitsadmin.exe can be killed safely and the effect will be the same as if it would be possible to block it by the firewall.

Azerty123

These are all LOLBins that can use BITS:

c:\Windows\SysWOW64\bitsadmin.exe
c:\Windows\System32\MDMAppInstaller.exe
c:\Windows\System32\DeviceEnroller.exe
c:\Windows\SysWOW64\OneDriveSetup.exe
c:\Windows\System32\ofdeploy.exe
c:\Windows\System32\directxdatabaseupdater.exe
c:\Windows\System32\MRT.exe (x)
c:\Windows\System32\aitstatic.exe
c:\Windows\System32\desktopimgdownldr.exe
c:\Windows\System32\Speech_OneCore\common\SpeechModelDownload.exe
c:\Windows\System32\RecoveryDrive.exe
c:\Windows\System32\svchost.exe (BITS service)

Andy Ful

Any executable can use BITS if the proper code has been injected, like in the below example for notepad:

[screenshot]

None of the executables mentioned in the article (except Bitsadmin) were used in the wild. Even PowerShell connections via BITS are uncommon in the attacks (mostly other methods are used). There is a known way to abuse desktopimgdownldr.exe, but I am not aware of how one could abuse the other mentioned executables having only standard privileges. Furthermore, blocking them via Exploit Protection could have unpredictable side effects. Bitsadmin is used only by Administrators and rarely by some applications, but never by system processes.
Anyway, it would be interesting to find somewhere comprehensive information about these programs.

Azerty123

As a test on Windows 11 I deleted the BITS service using this command => sc.exe Delete BITS

Windows Update is working with no problem, but LOLBins and other programs that use BITS aren't working. If we check the Windows Update service dependencies, BITS is not in the list.

Hackers can bypass this by simply reinstalling BITS using this command:

sc create BITS type= share start= delayed-auto binPath= "C:\Windows\System32\svchost.exe -k netsvcs" tag= no DisplayName= "Background Intelligent Transfer Service"
Andy Ful

What I did on my computer was first delete the BITS service, then block sc.exe using "Disable win32k system calls".

Blocking sc.exe can make the hacker's life harder, but it is a very popular admin tool. If you want to block more, then look at the Hard_Configurator option <Block Sponsors>:

The advantage of using SRP to block LOLBins is that the blocked events can be easily seen in the SRP blocked events. So, you can quickly find out and solve the issue. It is usually hard to see what was blocked by Exploit Protection - usually, you will often see conhost.exe which is triggered for most console tools.

Edit.
BITS can be enabled via modification of the Windows Registry.

Azerty123

The advantage of using SRP to block LOLBins is that the blocked events can be easily seen in the SRP blocked events. So, you can quickly find out and solve the issue. It is usually hard to see what was blocked by Exploit Protection - usually, you will often see conhost.exe which is triggered for most console tools.

Then why not use SRP in this tool instead of Exploit Protection?


BITS can be enabled via modification of the Windows Registry.

We can block registry access with gpedit.msc.

Andy Ful

Then why not use SRP in this tool instead of Exploit Protection?

Because FirewallHardening is a part of Hard_Configurator, and Hard_Configurator can block LOLBins. If you want to block LOLBins then simply use Hard_Configurator set to default allow and next use <Block Sponsors> + FirewallHardening - you will get exactly what you asked for.

We can block registry access with gpedit.msc.

You cannot block Registry access for applications (it would not be reasonable). You can only block some known LOLBins (as H_C can do).
Andy Ful

Does this work if I use the Comodo or Kaspersky firewall?

If I remember correctly, Comodo Firewall can work with Windows Firewall enabled.
You can check if Windows Firewall works by adding a web browser executable to the FirewallHardening blocklist. After restarting Windows, try to browse the Internet with this web browser. If you can browse, then Windows Firewall is disabled.
Back3

Let's say I install FirewallHardening app. Then add LOLBins and Recommended H_C. After that, I go to the Windows Firewall and make a backup of my outbound rules.
If I remove all the rules in FirewallHardening, normally those rules disappear in Windows Firewall. If a few days later I restore my backup without installing FH, will I get my outbound rules back?

Andy Ful

Let's say I install FirewallHardening app. Then add LOLBins and Recommended H_C. After that, I go to the Windows Firewall and make a backup of my outbound rules.
If I remove all the rules in FirewallHardening, normally those rules disappear in Windows Firewall. If a few days later I restore my backup without installing FH, will I get my outbound rules back?
No. Windows Firewall can see the rules added by policies but cannot export/import them. You have to use FirewallHardening to save/load the rules. The rules can also be managed by exporting/importing the firewall policy registry key via regedit.exe. The rules are stored here:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules
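Added example, not code from FirewallHardening or the Hard_Configurator project: an audit script for what the tool leaves on a machine. It lists the policy-based outbound Block rules under the registry key named in the answer above, backs that key up with reg.exe (the export/import route the answer mentions), and checks two points raised earlier in the thread: whether the Windows Firewall profiles are actually enabled (the browser test from the Comodo answer) and whether bitsadmin.exe carries the 'Disable win32k system calls' mitigation. The assumption that each rule value is a '|'-separated "Action=Block|Dir=Out|App=...|Name=..." string is mine; the thread only names the key.

```powershell
# Added example, not FirewallHardening's own code. Assumption: each value under the
# policy key is a '|'-separated list of "Field=Value" pairs (Action, Dir, App, Name, Active).

$PolicyKeyPs  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
$PolicyKeyReg = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'

function Get-PolicyOutboundBlockRules {
    if (-not (Test-Path $PolicyKeyPs)) { return @() }
    $item = Get-ItemProperty -Path $PolicyKeyPs
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... are not rules
        $f = @{}
        foreach ($seg in ("$($prop.Value)" -split '\|')) {
            if ($seg -match '^([^=]+)=(.*)$') { $f[$Matches[1]] = $Matches[2] }
        }
        if ($f['Action'] -eq 'Block' -and $f['Dir'] -eq 'Out') {
            [pscustomobject]@{
                RuleId = $prop.Name
                Name   = $f['Name']
                App    = [Environment]::ExpandEnvironmentVariables("$($f['App'])")
                Active = $f['Active']
            }
        }
    }
}

function Backup-PolicyRules([string]$OutFile) {
    # reg.exe export writes a .reg file that 'reg import' (or regedit) can restore later.
    & reg.exe export $PolicyKeyReg $OutFile /y | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-FirewallProfileState {
    # A profile with Enabled = False is what the browser test in the thread would reveal.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
}

function Get-BitsadminMitigation {
    # ProcessMitigations module (Windows 10 1709 or later); NOTSET means no per-process setting.
    try {
        (Get-ProcessMitigation -Name 'bitsadmin.exe').SystemCall.DisableWin32kSystemCalls
    } catch {
        'unknown (Get-ProcessMitigation not available)'
    }
}

# Usage (elevated session):
Get-PolicyOutboundBlockRules | Format-Table -AutoSize
Backup-PolicyRules -OutFile "$env:USERPROFILE\Desktop\FirewallRules-backup.reg"
Get-FirewallProfileState | Format-Table -AutoSize
"bitsadmin.exe DisableWin32kSystemCalls: $(Get-BitsadminMitigation)"
```

The .reg backup restores the policy key, not the tool's BlockList, so after importing it the rules reappear in Windows Firewall Advanced settings but FirewallHardening still has to be used (or a saved .fhbl loaded) to manage them from the GUI.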