Firewall Rules

Overview

Evidence: Firewall Rules
Description: Enumerate Firewall Rules
Category: System
Platform: Windows
Short Name: frwl
Is Parsed: Yes - Firewall rules are parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows Firewall (Windows Defender Firewall) controls network traffic to and from the system based on configurable rules. Attackers often add or modify firewall rules to let their tooling communicate (a reverse shell, a C2 beacon, a listening backdoor), to expose remote-access services such as RDP or SMB, or to disable the block rules that protect the host; a single netsh advfirewall or New-NetFirewallRule command is enough, and the change persists across reboots.

Firewall rules can be configured per-profile (Domain, Private, Public) and can allow or block traffic based on application, port, protocol, and IP address.

Data Collected

Field | Description | Example
--- | --- | ---
Name | Rule name | Block Outbound Telnet
Description | Rule description | Blocks outbound telnet traffic
ApplicationName | Application path | C:\Windows\System32\telnet.exe
File information | File information columns for the application path | 
ServiceName | Service name | RemoteAccess
Protocol | IP protocol | TCP
LocalPort | Local port(s) | 80,443
RemotePort | Remote port(s) | Any
ICMPType | ICMP type and code | 8:*
Local | Local addresses | Any
Remote | Remote addresses | Any
Direction | Traffic direction | In/Out
Action | Rule action | Allow/Block
RuleEnabled | Whether the rule is active | TRUE
FirewallProfile | Profile(s) where the rule applies | Domain Private Public
Interface | Network interfaces the rule is bound to | 
InterfaceType | Interface type filter | All
Grouping | Rule group | Remote Desktop
EdgeTraversal | Edge traversal setting | FALSE

Collection Method

This collector uses the Windows Firewall COM API to:

  • Create an INetFwPolicy2 instance (ProgID HNetCfg.FwPolicy2)

  • Retrieve the INetFwRules collection via get_Rules

  • Enumerate each INetFwRule and extract its configuration (name, program, service, protocol, ports, addresses, direction, action, profiles, interfaces, grouping, edge traversal)

  • Expand and parse the application path and collect file information for the referenced executable
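The following PowerShell is an added example, not the collector's own code: it walks the same COM objects the collector uses (INetFwPolicy2 via its HNetCfg.FwPolicy2 ProgID, its Rules collection, and each INetFwRule), decodes the numeric direction, action, protocol and profile fields into the column names from the Data Collected table, and resolves the application path to hash and signature details. The function name and the per-file fields it emits are this example's choices; run it in an elevated PowerShell on Windows.

```powershell
# Added example (not the collector's own code): enumerate Windows Firewall rules through
# INetFwPolicy2 -> INetFwRules -> INetFwRule and decode them into the "Data Collected" columns.

$ProfileNames   = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }        # NET_FW_PROFILE_TYPE2_ bit flags
$ProtocolNames  = @{ 1 = 'ICMPv4'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6'; 256 = 'Any' }
$DirectionNames = @{ 1 = 'In'; 2 = 'Out' }                                # NET_FW_RULE_DIRECTION_
$ActionNames    = @{ 0 = 'Block'; 1 = 'Allow' }                            # NET_FW_ACTION_

function Get-FirewallRuleEvidence {
    $policy = New-Object -ComObject HNetCfg.FwPolicy2            # INetFwPolicy2
    foreach ($rule in $policy.Rules) {                            # get_Rules -> INetFwRules; each item is an INetFwRule
        # Profiles is a bitmask; NET_FW_PROFILE2_ALL (0x7fffffff) sets all three bits.
        $profiles = foreach ($bit in 1, 2, 4) { if ($rule.Profiles -band $bit) { $ProfileNames[$bit] } }

        # "File information columns": expand %SystemRoot%-style paths and record hash and
        # signature so a rule pointing at an unsigned or user-dropped binary stands out.
        $fileInfo = $null
        if ($rule.ApplicationName) {
            $path = [Environment]::ExpandEnvironmentVariables($rule.ApplicationName)
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                $fileInfo = [pscustomobject]@{
                    Path      = $path
                    SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    Signature = $sig.Status.ToString()
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            } else {
                # A rule for a program that no longer exists is itself worth noting.
                $fileInfo = [pscustomobject]@{ Path = $path; SHA256 = $null; Signature = 'FileMissing'; Signer = $null }
            }
        }

        $proto = [int]$rule.Protocol
        [pscustomobject]@{
            Name            = $rule.Name
            Description     = $rule.Description
            ApplicationName = $rule.ApplicationName
            FileInfo        = $fileInfo
            ServiceName     = $rule.ServiceName
            Protocol        = if ($ProtocolNames.ContainsKey($proto)) { $ProtocolNames[$proto] } else { $proto }
            LocalPort       = $rule.LocalPorts
            RemotePort      = $rule.RemotePorts
            ICMPType        = $rule.IcmpTypesAndCodes
            Local           = $rule.LocalAddresses
            Remote          = $rule.RemoteAddresses
            Direction       = $DirectionNames[[int]$rule.Direction]
            Action          = $ActionNames[[int]$rule.Action]
            RuleEnabled     = [bool]$rule.Enabled
            FirewallProfile = ($profiles -join ' ')
            Interface       = (@($rule.Interfaces) -join ',')
            InterfaceType   = $rule.InterfaceTypes
            Grouping        = $rule.Grouping
            EdgeTraversal   = [bool]$rule.EdgeTraversal
        }
    }
}

# Usage: show only the rules that actually let traffic through today.
Get-FirewallRuleEvidence |
    Where-Object { $_.RuleEnabled -and $_.Action -eq 'Allow' } |
    Sort-Object Direction, Name |
    Format-Table Name, Direction, Protocol, LocalPort, Remote, ApplicationName -AutoSize
```

The COM enumeration returns the local policy store as it is right now; it is a snapshot, which is why the hash and signature of the referenced binary are captured at the same moment.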

Usage

Firewall rules provide critical evidence for detecting unauthorized network access, backdoors, and security control tampering. Investigators use this data to:

  • Identify allow rules created for malware (unsigned or user-writable executables, unusual service names)

  • Detect disabled or weakened security controls (built-in block rules disabled, broad inbound allows for any program)

  • Track unauthorized remote access rules (RDP, SMB, WinRM or custom ports opened to any remote address)

  • Identify data exfiltration paths (outbound allows for tools or paths that should not reach the internet)

  • Detect lateral movement enablers (the same inbound admin-protocol allow appearing on many hosts)

  • Correlate firewall changes with security incidents using the firewall operational log and the rule store's registry key timestamp

Known Limitations

  • Only the current rule set is captured: there is no history, and the registry values that back the rules carry no per-rule timestamps (only the FirewallRules key has a last-write time)

  • Rules can be deleted by attackers to hide evidence; the rule added, modified and deleted events (2004, 2005, 2006) in the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log are the place to look for rules that no longer exist

  • Third-party firewalls are not captured

  • Some rules may be defined via Group Policy; those live under a separate policy key (HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall) rather than the local FirewallRules store, so check a rule's origin there before treating it as locally created

Notes

Pay particular attention to recently created rules, rules that allow outbound connections from suspicious locations, and rules that weaken protection on common attack vectors. When dating a rule, remember that registry values have no timestamps of their own: the last-write time of the FirewallRules key (HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules) tells you when any rule last changed, and per-rule timing comes from the firewall operational log (event 2004 added, 2005 modified, 2006 deleted). Rules whose name is a plain string rather than a resource reference (@FirewallAPI.dll,-NNNN) were not shipped with Windows and deserve a look, as do enabled Allow rules for executables under user-writable paths (Users, AppData, Temp, ProgramData) and inbound allows for RDP, SMB or WinRM with no remote-address scope.
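The following PowerShell is an added example, not the collector's code, covering the triage described under Usage and the timestamp question raised in these notes. It parses the on-disk rule store (the v2.x|Key=Value|... strings under the FirewallRules key), reads the key's last-write time through RegQueryInfoKey, applies a few illustrative heuristics, and pulls the rule add/modify/delete events from the firewall operational log. The user-writable path filter and the admin-port list are assumptions chosen for this example and should be tuned to the environment; run it elevated on Windows.

```powershell
# Added example (not the collector's own code): triage the local firewall rule store on disk
# and answer "when did this change?" with the only timestamps Windows actually keeps.

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Registry values carry no timestamps; only the key has a last-write time, and it moves
# whenever any rule is added, changed or deleted. Read it with RegQueryInfoKey.
Add-Type -Namespace Win32 -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    out uint cSubKeys, out uint cbMaxSubKeyLen, out uint cbMaxClassLen, out uint cValues,
    out uint cbMaxValueNameLen, out uint cbMaxValueLen, out uint cbSecurityDescriptor, out long ftLastWriteTime);
'@

function Get-RegistryKeyLastWrite([string]$Path) {
    $key = Get-Item -LiteralPath $Path
    $n1 = $n2 = $n3 = $n4 = $n5 = $n6 = $n7 = [uint32]0
    $ft = [long]0
    $rc = [Win32.Reg]::RegQueryInfoKey($key.Handle.DangerousGetHandle(), [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$n1, [ref]$n2, [ref]$n3, [ref]$n4, [ref]$n5, [ref]$n6, [ref]$n7, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

# Each value is "v2.x|Key=Value|Key=Value|...|"; keys such as RA4 or LPort2_10 may repeat.
function ConvertFrom-FirewallRuleString([string]$ValueName, [string]$Data) {
    $parts = $Data.Split('|')
    $rule = [ordered]@{ ValueName = $ValueName; Version = $parts[0] }
    foreach ($p in ($parts | Select-Object -Skip 1)) {
        if ($p -match '^([^=]+)=(.*)$') {
            $k, $v = $matches[1], $matches[2]
            $rule[$k] = if ($rule.Contains($k)) { "$($rule[$k]),$v" } else { $v }
        }
    }
    [pscustomobject]$rule
}

function Test-SuspiciousFirewallRule($r) {
    if ($r.Active -ne 'TRUE' -or $r.Action -ne 'Allow') { return }
    $reasons = @()
    # Built-in rules use resource-string names (@FirewallAPI.dll,-NNNN); hand-made ones usually don't.
    if ($r.Name -notmatch '^@') { $reasons += 'plain-text name (not a built-in resource string)' }
    # Illustrative user-writable location filter (assumption): tune to the environment.
    if ($r.App -and $r.App -match '\\(Users|ProgramData|Temp|AppData)\\') { $reasons += "program under user-writable path: $($r.App)" }
    if ($r.Dir -eq 'In' -and -not $r.App -and -not $r.Svc -and -not $r.LPort) { $reasons += 'inbound allow for any program on any port' }
    # Illustrative admin-port list (assumption): RDP, SMB, WinRM, SSH with no remote-address scope.
    if ($r.Dir -eq 'In' -and $r.LPort -match '^(3389|445|5985|5986|22)$' -and -not $r.RA4 -and -not $r.RA6) {
        $reasons += "admin port $($r.LPort) open to any remote address"
    }
    if ($reasons) {
        [pscustomobject]@{ Name = $r.Name; Dir = $r.Dir; Protocol = $r.Protocol; LPort = $r.LPort; App = $r.App; Reasons = ($reasons -join '; ') }
    }
}

"FirewallRules key last written (UTC): $(Get-RegistryKeyLastWrite $RulesKey)"
$key   = Get-Item -LiteralPath $RulesKey
$rules = foreach ($name in $key.GetValueNames()) { ConvertFrom-FirewallRuleString $name ([string]$key.GetValue($name)) }
$rules | ForEach-Object { Test-SuspiciousFirewallRule $_ } | Format-Table -AutoSize -Wrap

# Per-rule timing comes from the firewall operational log, not the registry:
# 2004 = rule added, 2005 = rule modified, 2006 = rule deleted (deleted rules survive only here).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id = 2004, 2005, 2006 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Expect legitimate hits from the path heuristic (per-user installs such as browsers and chat clients live under Users); the point is to make a reviewer look at the binary, which is where the hash and signature columns from the collector come in.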
