Question
Friday, September 2, 2016 4:46 PM
Hey Scripting Guy!
I need to create a firewall rule via script so that I can add blacklisted URLs and IP ranges to the Windows Firewall to help prevent Crypto infections. I figure PowerShell ISE is the best way for me to get started, but I need a kick start.
I would like to be able to block, for example, bad.cryptolock.ru and others, as well as an IP range such as:
146.185.220.1 - 146.185.221.254 or 146.185.220.0/23
I want to deploy this script via my LMI One2Many function to regularly maintain the most recent blacklist decided by the company.
Thanks!
All replies (11)
Friday, September 2, 2016 5:52 PM ✅Answered
Did you post this in the correct place? This is The Official Scripting Guys Forum! Before posting here, read the sticky posts at the top: "...this forum is to get answers to scripting questions rather than to ask others to write or rewrite scripts for you". You appear to be asking somebody to do this for you. What have you tried? What errors? What problems?
From an admin PowerShell prompt:
New-NetFirewallRule -DisplayName "_Block 146.185.220.0/23" -Direction Outbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress 146.185.220.0/23
Saturday, September 3, 2016 4:03 AM
Yes I posted to the wrong forum but thanks for the example. I was looking for examples to add multiple ip addresses to one rule as well as multiple URL addresses.
Saturday, September 3, 2016 11:59 AM
Multiple addresses can be added comma separated:
New-NetFirewallRule -DisplayName "_Block Rule" -Direction Outbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress 146.185.220.0/23,10.0.0.0/23
It only accepts IP addresses and some keywords (the same as the "Predefined set of computers" section on the Scope tab of a rule):
Addresses may be specified as IP addresses, ranges, or subnets. Also, the following address keywords are allowed in certain places:
LocalSubnet, DNS, DHCP, WINS, DefaultGateway, Internet, Intranet, IntranetRemoteAccess, PlayToDevice. Keywords can be restricted to IPv4 or IPv6 by appending a 4 or 6.
Better to block these on the firewall as then only one list needs maintaining.
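The two one-liners above create a rule with a fixed address list, but the original question was about maintaining a blocklist on a schedule. The following script is an added example, not code from either reply: it reads a blocklist file, keeps only entries the firewall can accept (single IPv4 addresses, CIDR subnets, dash-separated ranges), creates the outbound block rule on the first run and just replaces its address list on later runs, then reads the rule back to confirm what was stored. The rule name, the file path and the embedded sample list are assumptions; host names such as bad.cryptolock.ru are reported and skipped, because, as noted above, the Windows Firewall does not take domain names.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): maintain ONE outbound block rule
# from a blocklist file. Rule name, file path and sample entries are assumptions.

$RuleName = "_Block Ransomware C2"          # assumed display name
$ListPath = "C:\Blocklist\c2-blocklist.txt" # assumed path; one entry per line, '#' starts a comment

# Constructed sample list so the script runs even when the file is missing.
$SampleList = @"
# IP ranges mentioned in the thread
146.185.220.0/23
146.185.220.1-146.185.221.254
# A host name cannot go into a firewall rule; it is skipped with a warning
bad.cryptolock.ru
"@

if (Test-Path $ListPath) {
    $Entries = Get-Content $ListPath
} else {
    $Entries = $SampleList -split "`r?`n"
}

# Accept only what -RemoteAddress accepts: single IPv4, CIDR subnet, or dash range.
# Anything else (host names, typos) is reported instead of silently breaking the rule.
$Ipv4  = '(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}'
$Valid = "^(?:$Ipv4(?:/(?:3[0-2]|[12]?\d))?|$Ipv4-$Ipv4)$"

$Addresses = foreach ($Line in $Entries) {
    $Entry = ($Line -split '#')[0].Trim()   # drop comments and whitespace
    if (-not $Entry) { continue }
    if ($Entry -match $Valid) {
        $Entry
    } else {
        Write-Warning "Skipping '$Entry': the Windows Firewall only takes IP addresses, ranges or subnets (block host names at DNS or the proxy instead)."
    }
}
$Addresses = $Addresses | Sort-Object -Unique

if (-not $Addresses) { throw "Blocklist is empty; refusing to touch rule '$RuleName'." }

# Create the rule once; on later runs only the address list is replaced, so the
# rule name stays stable and nothing piles up in the firewall console.
$Rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($Rule) {
    $Rule | Set-NetFirewallRule -RemoteAddress $Addresses
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol Any `
        -Action Block -Profile Any -RemoteAddress $Addresses | Out-Null
}

# Verify what the firewall actually stored for this rule.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Run it from an elevated prompt (or from a scheduled task / deployment tool running as SYSTEM). The rule blocks all protocols rather than only TCP, since the replies above give no reason to let UDP through to a blocked range; the throw on an empty list is deliberate, so a truncated or missing file never leaves you with a rule that blocks nothing.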
Friday, October 21, 2016 3:58 AM
Thanks for the share.
What other IP address ranges do I need to block here?
/* Server Support Specialist */
Friday, October 21, 2016 4:26 PM | 1 vote
Here are a few info points from thirdtier
1) Block Command and Control IP Ranges
For the most part ransomware has moved on to domain names rather than IP ranges, however it is known that many command and control domains reside in the range 146.185.220.0/23
146.185.220.1 - 146.185.221.254
2) Block Command and Control Domains
Cryptowall 2.0 uses these locations. tor4pay.com, pay2tor.com, tor2pay.com, and pay4tor.com
Cryptowall 3.0 uses these locations. torforall.com, torman2.com, torwoman.com, and torroadsters.com
Cryptowall 4.0 uses these locations. 3wzn5p2yiumh7akj.partnersinvestpayto.com, 3wzn5p2yiumh7akj.marketcryptopartners.com, 3wzn5p2yiumh7akj.forkinvestpay.com, 3wzn5p2yiumh7akj.effectwaytopay.com, and 3wzn5p2yiumh7akj.onion
These sites are really too numerous to keep up with, however the list above will give you some decent air coverage.
3) Block Country Codes
Just like we prevent email from being delivered from a range of Countries, so too can you prevent outbound access over the Internet to Country codes. You should also consider blocking dark web domain codes like .onion
At a minimum, prevent outbound access to .ru. Many of the initial infection sources are from the Russian domain.
Friday, October 21, 2016 4:51 PM
You do not solve anything; they use infected sites to relay mails, so you waste your time.
Create a good group policy through SRP, protect your directories, use a good antivirus, install an antivirus on your mail server, restrict rights, and most important, create backups on DVD/CD/BR.
By the way, if you want to create some code, I suggest you do this:
When an encryption event appears, disable the NIC to close the connection to the remote encryption server.
###################################################
Please click Mark As Answer if my post helped.
Saturday, October 22, 2016 8:16 AM
Many thanks for the sharing, I appreciate your assistance in this matter.
/* Server Support Specialist */
Sunday, October 23, 2016 6:29 AM
You are partly correct. Once you receive the email and click on the link, it is then that it downloads the script to install the virus, but it has to contact the server to get the encryption key to use. If access to those servers is blocked, nothing happens; it cannot activate. I use Avast Endpoint and it does catch suspected Locky and Cryptolock emails, but blocking server access to common ranges is another preventative step. IPs and URLs are blocked on the OS firewall, router, and Group Policy.
Sunday, October 23, 2016 8:07 AM
For your own good, please take my advice into consideration. You will never know the IP addresses of the command encryption servers. You are confusing things: the IP addresses of the command servers are stored in the attached scripts; when you open such a script, it is executed and creates a connection to the encryption servers. Which are the IPs of those servers?
You have to forbid execution of these scripts.
Tuesday, October 25, 2016 10:50 AM
Yes, that does make sense.
Have you tried that already?
/* Server Support Specialist */
Tuesday, October 25, 2016 3:12 PM
Yes, this is the main layer of protection for my networks. I tried to infect a computer without antivirus, firewall, etc. and I did not succeed. The most important thing is to forbid the execution of the scripts that infect your computer. Once infected, it is very difficult to protect with antivirus, firewall or anything like that.
I should mention that my network has been under intense attack for about 10 months.