firewall.rules

$ target-query <path/to/target> -f firewall.rules
Details

Module

dissect.target.plugins.os.windows.firewall.WindowsFirewallPlugin

Output

records

Module documentation

Windows Firewall plugin.

Function documentation

Return firewall rules saved in the Windows registry.

On a Windows operating system, firewall rules are stored under the HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules registry key.

Yields dynamic records that usually have the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
key (string): The rule key name.
version (string): The version field of the rule.
action (string): The action of the rule.
active (boolean): Whether the rule is active.
dir (string): The direction of the rule.
protocol (string): The specified IANA protocol (UDP, TCP, etc.).
lport (string): The listening port or range of the rule.
rport (string): The receiving port or range of the rule.
profile (string): The Profile field of the rule.
app (string): The App field of the rule.
svc (string): The Svc of the rule.
name (string): The Name of the rule.
desc (string): The Desc of the rule.
embed_ctxt (string): The EmbedCtxt of the rule.
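
The fields above correspond to the pipe-delimited strings that Windows stores as values under the FirewallRules key. The following is an added example, not code from dissect or from this page: it parses such strings into those field names and flags active inbound allow rules for triage. The sample values, FIELD_MAP, parse_rule, review and the user-writable path heuristic are all constructed assumptions.

```python
# Added example, not dissect code. Sample values are constructed.
FIELD_MAP = {  # registry token -> record field name from the list above
    "Action": "action", "Active": "active", "Dir": "dir", "Protocol": "protocol",
    "LPort": "lport", "RPort": "rport", "Profile": "profile", "App": "app",
    "Svc": "svc", "Name": "name", "Desc": "desc", "EmbedCtxt": "embed_ctxt",
}
# Assumed heuristic: path fragments that ordinary users can usually write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "%appdata%", "%temp%")

SAMPLE = {  # constructed value name -> constructed rule string
    "RemoteDesktop-In-TCP": r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=System|Name=Remote Desktop|",
    "{CONSTRUCTED-0001}": r"v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\alice\AppData\Local\Temp\updater.exe|Name=a=b|",
    "Block-DNS-Out": r"v2.10|Action=Block|Active=FALSE|Dir=Out|Protocol=17|RPort=53|Name=Block DNS|",
}


def parse_rule(key, value):
    """Split one rule string into a dict keyed by the field names above."""
    version, *pairs = value.strip("|").split("|")
    rec = {"key": key, "version": version}
    for pair in pairs:
        token, sep, data = pair.partition("=")  # split on the first '=' only
        if not sep:
            continue  # skip malformed tokens
        field = FIELD_MAP.get(token, token.lower())
        # A token may repeat (e.g. several Profile entries); join the values.
        rec[field] = f"{rec[field]},{data}" if field in rec else data
    rec["active"] = rec.get("active", "").upper() == "TRUE"
    return rec


def review(records):
    """Return (key, reasons) for active inbound allow rules that need a look."""
    findings = []
    for r in records:
        if not r["active"] or r.get("action", "").lower() != "allow" or r.get("dir", "").lower() != "in":
            continue
        reasons = []
        if any(p in r.get("app", "").lower() for p in USER_WRITABLE):
            reasons.append("app in user-writable path")
        if "lport" not in r:
            reasons.append("no lport restriction")
        if reasons:
            findings.append((r["key"], reasons))
    return findings


if __name__ == "__main__":
    for key, reasons in review(parse_rule(k, v) for k, v in SAMPLE.items()):
        print(key, "->", ", ".join(reasons))
```

The same review function can be pointed at the records yielded by firewall.rules, provided the fields it reads are present on them.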