# önder online

Windows 11 Firewall LOLBin Blocking Script

This PowerShell script aims to raise the security of Windows 11 systems by blocking the outbound traffic of Windows system binaries known as Living Off the Land Binaries (LOLBins), which attackers frequently abuse.

What Is a LOLBin?

A LOLBin (Living Off the Land Binary) is a legitimate program that ships with Windows by default and can be turned to malicious use. With these tools, attackers can:

  • Evade antivirus detection
  • Bypass AppLocker controls
  • Establish Command & Control (C2) communication
  • Exfiltrate data

Key Features of the Script

1. Firewall Profile Hardening

```powershell
# Default policy for all profiles: block inbound, allow outbound
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow
```

2. Critical Port Blocks

  • SMB (445, 139): blocks lateral movement
  • RDP (3389): remote access security
  • WinRM (5985/5986): protects against PowerShell remoting abuse
  • RPC (135): blocks the WMI/DCOM attack vector

3. LOLBin Blocks

Blocked LOLBin List and Risks

| LOLBin | Risk Level | Abuse Scenarios |
|---|---|---|
| PowerShell.exe | ⚠️ Critical | Malware download, C2 communication, code execution |
| Certutil.exe | ⚠️ High | Base64 decoding, file download, certificate manipulation |
| Regsvr32.exe | ⚠️ High | Proxy execution, DLL loading, bypass techniques |
| Rundll32.exe | ⚠️ High | DLL execution, process injection |
| MSBuild.exe | ⚠️ Medium | Compiling and running code |
| Wmic.exe | ⚠️ High | WMI command execution, information gathering |
| Wscript/Cscript | ⚠️ High | Running VBS/JS malware |
| BitsAdmin.exe | ⚠️ Medium | File transfer, persistence |
| Curl.exe | ⚠️ Medium | Data exfiltration, file download |
| FTP.exe | ⚠️ Low | File transfer |

Applying the Script Safely

Preparation

```powershell
# 1. Back up the current rules
netsh advfirewall export "C:\Backup\firewall_backup.wfw"

# 2. Try the script in a test environment
# Run it on a test VM and observe the results

# 3. Define the servers that will be allowed
$AllowedSMBServers = @(
    "192.168.1.10",  # Domain Controller
    "192.168.1.20"   # File Server
)
```

Customised Deployment

```powershell
# Adding organisation-specific binaries to the block list
$CustomLOLBins = @(
    @{ Name = "Block TeamViewer"; Path = "C:\Program Files\TeamViewer\TeamViewer.exe" },
    @{ Name = "Block AnyDesk"; Path = "C:\Program Files\AnyDesk\AnyDesk.exe" }
)

# Add them through the script's own helper (skips paths that do not exist)
foreach ($item in $CustomLOLBins) {
    Ensure-ProgramBlockRule -Name $item.Name -ProgramPath $item.Path
}
```

Monitoring and Logging

Log Analysis with PowerShell

```powershell
# Field names of pfirewall.log, in the order its "#Fields:" header lists them.
# ConvertFrom-Csv needs them explicitly, otherwise the first DROP line becomes the header.
$FirewallLogFields = 'date','time','action','protocol','src-ip','dst-ip','src-port','dst-port',
    'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path'

# Watch dropped traffic
function Get-BlockedTraffic {
    $logPath = "$env:windir\system32\LogFiles\Firewall\pfirewall.log"
    Get-Content $logPath -Tail 100 |
        Where-Object { $_ -match '^\S+ \S+ DROP ' } |      # skips the "#..." header lines too
        ConvertFrom-Csv -Delimiter ' ' -Header $FirewallLogFields |
        Select-Object date, time, action, protocol, 'src-ip', 'dst-ip', 'dst-port'
}

# Build a report: which destination ports are dropped most often
Get-BlockedTraffic |
    Group-Object 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv "C:\Reports\blocked_traffic.csv" -NoTypeInformation
```

Potential Problems and Solutions

1. Blocking Legitimate Applications

```powershell
# Directories whose executables must keep network access
$WhitelistDirs = @(
    "C:\Program Files\Microsoft\Exchange Server",
    "C:\Program Files\SQL Server"
)

# Windows Firewall program rules do not accept wildcards, so one allow rule is
# created per executable. New-NetFirewallRule has no -Priority parameter: Windows
# Firewall always evaluates Block rules before Allow rules, so these rules only help
# against the profile default, not against an explicit block rule.
foreach ($dir in $WhitelistDirs) {
    Get-ChildItem -Path $dir -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-NetFirewallRule -DisplayName "Allow $($_.Name)" `
                -Direction Outbound `
                -Program $_.FullName `
                -Action Allow
        }
}
```

2. PowerShell Requirement

```powershell
# Allow rules for trusted hosts
$TrustedHosts = @("10.0.0.5", "10.0.0.10")

# $host is a read-only automatic variable in PowerShell, so the loop variable needs another name
foreach ($trustedHost in $TrustedHosts) {
    New-NetFirewallRule -DisplayName "Allow PowerShell to $trustedHost" `
        -Direction Outbound `
        -Program "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -RemoteAddress $trustedHost `
        -Action Allow
}

# Caveat: Windows Firewall applies Block rules before Allow rules, so these rules only
# take effect once the script's "Block Outbound PowerShell" rule has had its
# -RemoteAddress narrowed to ranges that exclude $TrustedHosts.
```

Alternative Approaches

1. AppLocker Integration

2. WDAC (Windows Defender Application Control)

```powershell
# Creating a WDAC policy.
# New-CIPolicy has no "-Deny <path>" parameter; deny rules are built with
# New-CIPolicyRule -Deny and handed to New-CIPolicy through -Rules.
$denyRules = New-CIPolicyRule -Level FilePath `
    -DriverFilePath "C:\Windows\System32\certutil.exe" `
    -Deny

New-CIPolicy -Level Publisher `
    -FilePath ".\WDAC-Policy.xml" `
    -UserPEs `
    -Rules $denyRules
```

Performance Impact and Optimisation

```powershell
# Check the rule count (the script names its rules with the "W11-HARDEN - " prefix)
(Get-NetFirewallRule | Where-Object { $_.DisplayName -like "W11-HARDEN*" }).Count

# Performance metrics
Measure-Command {
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' }
} | Select-Object TotalMilliseconds

# Optimised rule grouping.
# -Program accepts a single path, so one rule per executable is unavoidable;
# the -Group parameter lets the set be managed as one unit.
$LOLBinPaths = @(
    "$env:windir\System32\certutil.exe",
    "$env:windir\System32\regsvr32.exe",
    "$env:windir\System32\rundll32.exe"
)

foreach ($path in $LOLBinPaths) {
    New-NetFirewallRule -DisplayName "Block $(Split-Path $path -Leaf)" `
        -Group "W11-HARDEN LOLBins" `
        -Direction Outbound `
        -Program $path `
        -Action Block
}

# The whole group can now be listed, enabled or disabled in one call
Get-NetFirewallRule -Group "W11-HARDEN LOLBins"
```

Evaluation Metrics

Script Effectiveness Check

```powershell
# Test scenarios: each script block returns $true when the request reached the network.
# Native commands (certutil, bitsadmin) do not throw on failure, so $LASTEXITCODE is
# checked instead of relying on try/catch.
function Test-LOLBinBlocking {
    $tests = [ordered]@{
        "Certutil"   = { certutil.exe -urlcache -f http://example.com/test.txt | Out-Null; $LASTEXITCODE -eq 0 }
        "PowerShell" = { try { Invoke-WebRequest -Uri http://example.com -UseBasicParsing -ErrorAction Stop | Out-Null; $true } catch { $false } }
        "BitsAdmin"  = { bitsadmin /transfer test http://example.com/file C:\temp\file | Out-Null; $LASTEXITCODE -eq 0 }
    }

    foreach ($test in $tests.GetEnumerator()) {
        $reached = & $test.Value
        if ($reached) {
            Write-Host "❌ $($test.Key) - NOT blocked (request reached the network)" -ForegroundColor Red
        } else {
            Write-Host "✅ $($test.Key) - Successfully blocked" -ForegroundColor Green
        }
    }
}
```
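The test above generates real requests; a complementary check that needs no network at all is to audit which binaries actually have an enabled outbound block rule. The following function is an added example, not part of the original post; the function name and the "W11-HARDEN - " prefix (the one the hardening script uses) are assumptions.

```powershell
# Added example (not from the original post). Assumed: Test-LOLBinRuleCoverage and the
# "W11-HARDEN - " prefix that the hardening script puts in front of every rule it manages.
function Test-LOLBinRuleCoverage {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [string]$Prefix = 'W11-HARDEN - '
    )
    # Only enabled outbound Block rules created by the script count as coverage
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$Prefix*" }

    # Resolve each rule to the program it is bound to; expand %SystemRoot%-style paths
    $blockedPrograms = @($rules | Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and $_.Program -ne 'Any' } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Program) })

    foreach ($path in $Paths) {
        $present = Test-Path $path
        $blocked = $blockedPrograms -contains $path     # string comparison is case-insensitive
        [pscustomobject]@{
            Path    = $path
            Present = $present
            Blocked = $blocked
            # A binary that exists on disk but has no block rule is the gap worth fixing
            Gap     = ($present -and -not $blocked)
        }
    }
}

# Constructed input: the binaries listed in the table above
$lolbins = @(
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:windir\System32\certutil.exe",
    "$env:windir\System32\regsvr32.exe",
    "$env:windir\System32\rundll32.exe",
    "$env:windir\System32\wbem\wmic.exe",
    "$env:windir\System32\wscript.exe",
    "$env:windir\System32\cscript.exe",
    "$env:windir\System32\bitsadmin.exe",
    "$env:windir\System32\curl.exe",
    "$env:windir\System32\ftp.exe"
)
Test-LOLBinRuleCoverage -Paths $lolbins | Where-Object Gap | Format-Table -AutoSize
```

Running it after deployment and again after each Windows feature update catches binaries the script skipped because they were absent at the time.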

Security Best Practices

  1. Staged Rollout

    • Apply in a test environment first
    • Start with a pilot group
    • Analyse the logs
    • Roll out to all systems
  2. Regular Updates

    • Track newly documented LOLBins
    • Check MITRE ATT&CK updates
    • Review monthly
  3. Compensating Controls

    • Use an EDR solution
    • Enable Sysmon logging
    • Integrate with a SIEM

This script is an important part of a Defense in Depth strategy and:

  • ✅ Makes C2 communication harder
  • ✅ Reduces the risk of data exfiltration
  • ✅ Builds resistance against APT attacks
  • ✅ Is aligned with CIS and the Microsoft Security Baseline

Critical note: before applying the script, always:

  1. Try it in a test environment
  2. Identify business-critical applications
  3. Prepare a rollback plan
  4. Set up the monitoring infrastructure

This approach provides a strong security layer, especially for organisations adopting a Zero Trust architecture.

```powershell
<#
.SYNOPSIS
 Windows 11 Pro Firewall Hardening Script

.DESCRIPTION
 Implements firewall hardening recommendations:
 - Secure profile defaults (Domain/Private/Public)
 - Block high-risk inbound ports (SMB, RDP, WinRM, WMI/DCOM, discovery protocols)
 - Restrict outbound SMB to approved servers
 - Block outbound traffic from commonly abused Windows binaries (LOLBins)
 - Disable local firewall rule overrides

.NOTES
 Run as Administrator.
 Test in a lab before broad deployment.
#>

$ErrorActi

# ============================
# CONFIGURABLE SETTINGS
# ============================

# List of file servers allowed to receive outbound SMB (TCP 445) from this workstation.
# Use IP addresses or CIDR ranges. Leave empty to block all outbound SMB. Include Domain Controllers and File Servers here:
$AllowedSMBServers = @(
    # "192.168.10.10",
    # "10.0.0.5"
)

# Whether to block inbound RDP (recommended unless you explicitly use RDP to this PC)
$BlockRDPInbound = $true

# Name prefix for all rules this script manages
$RulePrefix = "W11-HARDEN - "

# ============================
# HELPER FUNCTIONS
# ============================

function Set-FirewallProfileSecure {
    param(
        [Parameter(Mandatory)][ValidateSet("Domain","Private","Public")]
        [string]$ProfileName
    )

    Write-Host "Configuring firewall profile: $ProfileName"
    Set-NetFirewallProfile -Profile $ProfileName `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -NotifyOnListen False `
        -AllowLocalFirewallRules False `
        -AllowLocalIPsecRules False `
        -Verbose:$false
}

function Ensure-PortRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet("Inbound","Outbound")][string]$Direction,
        [Parameter(Mandatory)][ValidateSet("Allow","Block")][string]$Action,
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter()][string]$LocalPort = "",
        [Parameter()][string]$RemotePort = "",
        [Parameter()][string]$RemoteAddress = "Any"
    )

    $displayName = "$RulePrefix$Name"
    $existing = Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue

    # Properties shared by create and update. DisplayName is kept out of this table:
    # Set-NetFirewallRule uses -DisplayName as the rule identifier and fails binding
    # when the same parameter is also supplied through the splat.
    $ruleProps = @{
        Direction = $Direction
        Action    = $Action
        Enabled   = 'True'
        Profile   = 'Any'
    }

    if ($existing) {
        Write-Host "Updating rule: $displayName"
        Set-NetFirewallRule -DisplayName $displayName @ruleProps -ErrorAction SilentlyContinue | Out-Null

        # Update port filter
        $filterParams = @{ Protocol = $Protocol }
        if ($LocalPort)  { $filterParams.LocalPort  = $LocalPort }
        if ($RemotePort) { $filterParams.RemotePort = $RemotePort }
        Get-NetFirewallRule -DisplayName $displayName |
            Set-NetFirewallPortFilter @filterParams -ErrorAction SilentlyContinue | Out-Null

        # Update remote address if applicable
        if ($RemoteAddress -and $RemoteAddress -ne "Any") {
            Set-NetFirewallRule -DisplayName $displayName -RemoteAddress $RemoteAddress | Out-Null
        } else {
            Set-NetFirewallRule -DisplayName $displayName -RemoteAddress Any | Out-Null
        }
    }
    else {
        Write-Host "Creating rule: $displayName"
        $newParams = $ruleProps.Clone()
        $newParams["DisplayName"] = $displayName
        $newParams["Protocol"]    = $Protocol
        if ($LocalPort)     { $newParams["LocalPort"]     = $LocalPort }
        if ($RemotePort)    { $newParams["RemotePort"]    = $RemotePort }
        if ($RemoteAddress) { $newParams["RemoteAddress"] = $RemoteAddress }
        New-NetFirewallRule @newParams | Out-Null
    }
}

function Ensure-ProgramBlockRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ProgramPath
    )

    if (-not (Test-Path $ProgramPath)) {
        Write-Host "Skipping (file not found): $ProgramPath"
        return
    }

    $displayName = "$RulePrefix$Name"
    $existing = Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue

    if ($existing) {
        Write-Host "Updating program block rule: $displayName"
        Set-NetFirewallRule -DisplayName $displayName `
            -Direction Outbound `
            -Action Block `
            -Enabled True `
            -Profile Any `
            -Program $ProgramPath | Out-Null
    }
    else {
        Write-Host "Creating program block rule: $displayName"
        New-NetFirewallRule -DisplayName $displayName `
            -Direction Outbound `
            -Action Block `
            -Enabled True `
            -Profile Any `
            -Program $ProgramPath | Out-Null
    }
}

# ============================
# 1. SECURE FIREWALL PROFILES
# ============================

Set-FirewallProfileSecure -ProfileName Domain
Set-FirewallProfileSecure -ProfileName Private
Set-FirewallProfileSecure -ProfileName Public

# Enable basic logging (you can adjust paths/sizes as needed)
Write-Host "Enabling firewall logging..."
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384 `
    -LogAllowed True `
    -LogBlocked True | Out-Null

# ============================
# 2. INBOUND HARDENING RULES
# ============================

Write-Host "`nConfiguring inbound hardening rules..."

# SMB/CIFS inbound: block
Ensure-PortRule -Name "Inbound Block SMB TCP 445" -Direction Inbound -Action Block -Protocol TCP -LocalPort 445
Ensure-PortRule -Name "Inbound Block SMB TCP 139" -Direction Inbound -Action Block -Protocol TCP -LocalPort 139
Ensure-PortRule -Name "Inbound Block NetBIOS UDP 137" -Direction Inbound -Action Block -Protocol UDP -LocalPort 137
Ensure-PortRule -Name "Inbound Block NetBIOS UDP 138" -Direction Inbound -Action Block -Protocol UDP -LocalPort 138

# RDP inbound (TCP 3389)
if ($BlockRDPInbound) {
    Ensure-PortRule -Name "Inbound Block RDP TCP 3389" -Direction Inbound -Action Block -Protocol TCP -LocalPort 3389
}

# WinRM inbound (5985/5986)
Ensure-PortRule -Name "Inbound Block WinRM TCP 5985" -Direction Inbound -Action Block -Protocol TCP -LocalPort 5985
Ensure-PortRule -Name "Inbound Block WinRM TCP 5986" -Direction Inbound -Action Block -Protocol TCP -LocalPort 5986

# WMI/DCOM RPC endpoint (TCP 135)
Ensure-PortRule -Name "Inbound Block RPC Endpoint Mapper TCP 135" -Direction Inbound -Action Block -Protocol TCP -LocalPort 135

# Discovery / legacy protocols
Ensure-PortRule -Name "Inbound Block SSDP UDP 1900" -Direction Inbound -Action Block -Protocol UDP -LocalPort 1900
Ensure-PortRule -Name "Inbound Block mDNS UDP 5353" -Direction Inbound -Action Block -Protocol UDP -LocalPort 5353
Ensure-PortRule -Name "Inbound Block LLMNR UDP 5355" -Direction Inbound -Action Block -Protocol UDP -LocalPort 5355
Ensure-PortRule -Name "Inbound Block WSD UDP 3702" -Direction Inbound -Action Block -Protocol UDP -LocalPort 3702
Ensure-PortRule -Name "Inbound Block TFTP UDP 69" -Direction Inbound -Action Block -Protocol UDP -LocalPort 69

# (Optional) ICMP echo blocking could be added here if desired.

# ============================
# 3. OUTBOUND SMB RESTRICTIONS
# ============================

Write-Host "`nConfiguring outbound SMB controls..."

# Allow outbound SMB only to approved servers
if ($AllowedSMBServers.Count -gt 0) {
    foreach ($server in $AllowedSMBServers) {
        Ensure-PortRule -Name "Outbound Allow SMB to $server" `
            -Direction Outbound -Action Allow -Protocol TCP -RemotePort 445 -RemoteAddress $server
    }
}

# Block all other outbound SMB.
# Caveat: Windows Firewall applies Block rules before Allow rules, so a block rule scoped
# to "Any" also overrides the allow rules created above. For the allow list to take effect,
# narrow this rule's -RemoteAddress to ranges that exclude $AllowedSMBServers.
Ensure-PortRule -Name "Outbound Block SMB TCP 445 All" `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 -RemoteAddress "Any"

# ============================
# 4. OUTBOUND DISCOVERY / LEGACY PROTOCOL BLOCKS
# ============================

Write-Host "`nConfiguring outbound discovery protocol blocks..."

Ensure-PortRule -Name "Outbound Block SSDP UDP 1900" -Direction Outbound -Action Block -Protocol UDP -RemotePort 1900
Ensure-PortRule -Name "Outbound Block mDNS UDP 5353" -Direction Outbound -Action Block -Protocol UDP -RemotePort 5353
Ensure-PortRule -Name "Outbound Block LLMNR UDP 5355" -Direction Outbound -Action Block -Protocol UDP -RemotePort 5355
Ensure-PortRule -Name "Outbound Block WSD UDP 3702" -Direction Outbound -Action Block -Protocol UDP -RemotePort 3702
Ensure-PortRule -Name "Outbound Block TFTP UDP 69" -Direction Outbound -Action Block -Protocol UDP -RemotePort 69

# ============================
# 5. OUTBOUND PROGRAM-LEVEL BLOCKS (LOLBINS)
# ============================

Write-Host "`nConfiguring outbound program-level blocks (LOLBins)..."

$system32 = Join-Path $env:WINDIR "System32"
$syswow64 = Join-Path $env:WINDIR "SysWOW64"
$psv1Path = Join-Path $system32 "WindowsPowerShell\v1.0"
$pswowv1  = Join-Path $syswow64 "WindowsPowerShell\v1.0"

$ProgramBlockList = @(
    # PowerShell
    @{ Name = "Block Outbound PowerShell (x64)"; Path = Join-Path $psv1Path "powershell.exe" },
    @{ Name = "Block Outbound PowerShell ISE (x64)"; Path = Join-Path $psv1Path "powershell_ise.exe" },
    @{ Name = "Block Outbound PowerShell (x86)"; Path = Join-Path $pswowv1 "powershell.exe" },
    @{ Name = "Block Outbound PowerShell ISE (x86)"; Path = Join-Path $pswowv1 "powershell_ise.exe" },

    # Windows scripting
    @{ Name = "Block Outbound wscript"; Path = Join-Path $system32 "wscript.exe" },
    @{ Name = "Block Outbound cscript"; Path = Join-Path $system32 "cscript.exe" },
    @{ Name = "Block Outbound mshta"; Path = Join-Path $system32 "mshta.exe" },

    # Downloaders / transfer tools
    @{ Name = "Block Outbound certutil"; Path = Join-Path $system32 "certutil.exe" },
    @{ Name = "Block Outbound bitsadmin"; Path = Join-Path $system32 "bitsadmin.exe" },
    @{ Name = "Block Outbound curl"; Path = Join-Path $system32 "curl.exe" },
    @{ Name = "Block Outbound ftp"; Path = Join-Path $system32 "ftp.exe" },
    @{ Name = "Block Outbound tftp"; Path = Join-Path $system32 "tftp.exe" },

    # WMI and management
    @{ Name = "Block Outbound wmic"; Path = Join-Path $system32 "wbem\wmic.exe" },

    # LOLBins commonly abused for code execution
    @{ Name = "Block Outbound regsvr32"; Path = Join-Path $system32 "regsvr32.exe" },
    @{ Name = "Block Outbound rundll32"; Path = Join-Path $system32 "rundll32.exe" },

    # Dev / build tools
    @{ Name = "Block Outbound MSBuild"; Path = Join-Path $system32 "MSBuild.exe" },
    @{ Name = "Block Outbound msxsl"; Path = Join-Path $system32 "msxsl.exe" },

    # Injection & remote tools
    @{ Name = "Block Outbound mavinject"; Path = Join-Path $system32 "mavinject.exe" },

    # Remote admin / post-ex tools (if present)
    @{ Name = "Block Outbound PsExec"; Path = "C:\Windows\System32\psexec.exe" },
    @{ Name = "Block Outbound PAExec"; Path = "C:\Windows\System32\paexec.exe" },

    # Quick Assist (if present)
    @{ Name = "Block Outbound Quick Assist"; Path = Join-Path $system32 "quickassist.exe" }
)

foreach ($item in $ProgramBlockList) {
    Ensure-ProgramBlockRule -Name $item.Name -ProgramPath $item.Path
}

Write-Host "`nFirewall hardening complete." -ForegroundColor Green
```
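Both the "PowerShell Requirement" section and section 3 of the script pair an Allow rule for approved hosts with a broader Block rule, and Windows Firewall evaluates Block rules before Allow rules, so the Block rule itself has to be scoped to everything except those hosts. The helper below is an added example, not part of the author's script: it turns an allow list of IPs or CIDR blocks into the "start-end" ranges that -RemoteAddress accepts; the function names and the default scope of 1.0.0.0-223.255.255.255 are assumptions.

```powershell
# Added helper (not from the original script). Assumed: the function names and the
# default scope 1.0.0.0-223.255.255.255 (unicast space; SMB and WinRM never use multicast).
function ConvertTo-AddressNumber {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()   # network byte order
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertFrom-AddressNumber {
    param([Parameter(Mandatory)][long]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255), (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-AddressBlock {
    # "a.b.c.d" or "a.b.c.d/prefix" -> numeric Start/End, aligned to the block boundary
    param([Parameter(Mandatory)][string]$Entry)
    $ip, $prefix = $Entry -split '/'
    if (-not $prefix) { $prefix = 32 }
    $size  = [long][math]::Pow(2, 32 - [int]$prefix)
    $start = ConvertTo-AddressNumber $ip
    $start = $start - ($start % $size)
    return @{ Start = $start; End = $start + $size - 1 }
}

function Get-IPv4ComplementRanges {
    # Returns "start-end" strings covering every address in scope that is NOT in $Allowed.
    # Entries may overlap or repeat; they are sorted and walked with a single cursor.
    param(
        [string[]]$Allowed = @(),
        [string]$ScopeStart = '1.0.0.0',
        [string]$ScopeEnd   = '223.255.255.255'
    )
    $cursor = ConvertTo-AddressNumber $ScopeStart
    $end    = ConvertTo-AddressNumber $ScopeEnd
    $ranges = @()
    $blocks = @($Allowed | ForEach-Object { Get-AddressBlock $_ } | Sort-Object { $_.Start })
    foreach ($block in $blocks) {
        if ($block.End -lt $cursor) { continue }          # already behind the cursor
        if ($block.Start -gt $cursor) {
            $ranges += '{0}-{1}' -f (ConvertFrom-AddressNumber $cursor), (ConvertFrom-AddressNumber ($block.Start - 1))
        }
        $cursor = [math]::Max($cursor, $block.End + 1)
    }
    if ($cursor -le $end) {
        $ranges += '{0}-{1}' -f (ConvertFrom-AddressNumber $cursor), (ConvertFrom-AddressNumber $end)
    }
    return $ranges
}

# Narrow the script's catch-all SMB block so the approved servers stay reachable
$AllowedSMBServers = @("192.168.1.10", "192.168.1.20")   # constructed sample values
$smbScope = Get-IPv4ComplementRanges -Allowed $AllowedSMBServers
Set-NetFirewallRule -DisplayName 'W11-HARDEN - Outbound Block SMB TCP 445 All' -RemoteAddress $smbScope
```

The same call scopes the "W11-HARDEN - Block Outbound PowerShell (x64)" rule to everything except the trusted hosts, which is what the Allow rules in the "PowerShell Requirement" section need in order to matter.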