Had to add a lot of rules for different applications. We had a transition period, where we would be adding small groups of machines to a group that had GPO enabling firewall.

This is calculated by a customer monitor using a PowerShell Script that queries the registry every 15 minutes for the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile).EnableFirewall.

On my previous job we used Symantec Endpoint Protection which had its own firewall, so Windows Firewall was disabled (only used on servers).

`'The Windows Firewall (Domain) has been disabled by ']$`

`$PropertyBag.AddValue("username: ", $objUser.Value)`

C0014 : Operation Wocao : During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.

S0385 : njRAT : njRAT has modified the Windows firewall to allow itself to communicate through the firewall.

`$fwoff = Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | Where-Object`

netsh can be used to disable local firewall settings.

`$PropertyBag.AddValue("FWState",$fwstate)`

`$FWState=(Get-Itemproperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile).EnableFirewall`

If the value for this parameter is a localizable string, then the Group parameter contains an indirect string. The Group parameter specifies the source string for this parameter.

`#get Windows Domain FW state from Registry`

Specifies that only matching firewall rules of the indicated group association are modified.

`$PropertyBag = $ScomAPI.CreatePropertyBag()`

`$ScomAPI = New-Object -comObject "MOM.ScriptAPI"`

Hi All, I’ve updated my Windows Domain firewall monitor, it’s a bit crude but it seems to work:

`param($Arguments)`