Firewall Rules
Overview
Evidence: Firewall Rules
Description: Enumerate Firewall Rules
Category: Network
Platform: windows
Short Name: frwl
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows Firewall (Windows Defender Firewall) controls network traffic to and from the system based on configurable rules. Attackers often modify firewall rules to allow malicious traffic, open backdoors, or disable security controls.
Firewall rules can be configured per-profile (Domain, Private, Public) and can allow or block traffic based on application, port, protocol, and IP address.
Data Collected
This collector gathers structured data about firewall rules.
Firewall Rules Data
| Field | Description | Example |
|---|---|---|
| Name | Rule name | Block Outbound Telnet |
| Description | Rule description | Blocks outbound telnet traffic |
| ApplicationName | Application path | C:\Windows\System32\telnet.exe |
| ServiceName | Service name | RemoteAccess |
| Protocol | IP protocol | TCP |
| LocalPort | Local port(s) | 80,443 |
| RemotePort | Remote port(s) | Any |
| ICMPType | ICMP type and code | 8:* |
| Local | Local addresses | Any |
| Remote | Remote addresses | Any |
| Direction | Traffic direction | In/Out |
| Action | Rule action | Allow/Block |
| RuleEnabled | Whether the rule is active | TRUE |
| FirewallProfile | Profile(s) where the rule applies | Domain Private Public |
| Interface | Network interfaces | |
| InterfaceType | Interface type filter | All |
| Grouping | Rule group | Remote Desktop |
| EdgeTraversal | Edge traversal setting | FALSE |
Collection Method
This collector uses the Windows Firewall COM API to:
- Create an INetFwPolicy2 instance
- Retrieve all firewall rules via get_Rules
- Enumerate each rule and extract configuration details
- Parse application paths and file information
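The same enumeration can be reproduced from PowerShell through the HNetCfg.FwPolicy2 COM object (which exposes INetFwPolicy2 and its Rules collection). This is an added example for analysts, not the collector's own code; it maps the raw numeric COM fields onto the field names in the table above, and the final triage filter (enabled inbound Allow rules whose program sits outside the system directories) is a heuristic assumed here, not part of the collector.

```powershell
# Added example: enumerate Windows Firewall rules via INetFwPolicy2 -> Rules and
# normalise the numeric fields into the names used in the Firewall Rules Data table.
$protocolNames = @{ 1 = 'ICMPv4'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6'; 256 = 'Any' }

function Get-ProfileNames([int]$mask) {
    # NET_FW_PROFILE_TYPE2 is a bitmask: 1 = Domain, 2 = Private, 4 = Public
    # (NET_FW_PROFILE2_ALL = 0x7FFFFFFF has all three bits set).
    $names = @()
    if ($mask -band 1) { $names += 'Domain' }
    if ($mask -band 2) { $names += 'Private' }
    if ($mask -band 4) { $names += 'Public' }
    $names -join ' '
}

$policy = New-Object -ComObject HNetCfg.FwPolicy2   # INetFwPolicy2
$rules = foreach ($r in $policy.Rules) {            # INetFwRules -> INetFwRule
    [pscustomobject]@{
        Name            = $r.Name
        Description     = $r.Description
        ApplicationName = $r.ApplicationName
        ServiceName     = $r.ServiceName
        Protocol        = if ($protocolNames.ContainsKey([int]$r.Protocol)) { $protocolNames[[int]$r.Protocol] } else { $r.Protocol }
        LocalPort       = $r.LocalPorts
        RemotePort      = $r.RemotePorts
        ICMPType        = $r.IcmpTypesAndCodes
        Local           = $r.LocalAddresses
        Remote          = $r.RemoteAddresses
        Direction       = if ($r.Direction -eq 1) { 'In' } else { 'Out' }   # NET_FW_RULE_DIR_IN = 1
        Action          = if ($r.Action -eq 1) { 'Allow' } else { 'Block' } # NET_FW_ACTION_ALLOW = 1
        RuleEnabled     = $r.Enabled
        FirewallProfile = Get-ProfileNames $r.Profiles
        InterfaceType   = $r.InterfaceTypes
        Grouping        = $r.Grouping
        EdgeTraversal   = $r.EdgeTraversal
    }
}

# Triage view (assumed heuristic): enabled inbound Allow rules whose program lives
# outside the system directories are the ones an analyst usually wants to read first.
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
$rules |
    Where-Object { $_.RuleEnabled -and $_.Direction -eq 'In' -and $_.Action -eq 'Allow' -and $_.ApplicationName } |
    Where-Object {
        $app = [Environment]::ExpandEnvironmentVariables($_.ApplicationName)
        -not ($trusted | Where-Object { $app.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
    } |
    Select-Object Name, ApplicationName, Protocol, LocalPort, Remote, FirewallProfile |
    Format-Table -AutoSize
```

Drop the final pipeline and export `$rules` with Export-Csv to get the full rule set in the same shape the collector reports.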
Forensic Value
Firewall rules provide critical evidence for detecting unauthorized network access, backdoors, and security control tampering. Investigators use this data to identify suspicious allow rules for malware, detect disabled security controls, track unauthorized remote access rules, identify data exfiltration paths, detect lateral movement enablers, and correlate firewall changes with security incidents.