Exporting Windows Firewall Rules
-
Bunnysniper - Senior Member
Exporting Windows Firewall Rules
Hello,
Does anyone know a nice software or script to export Windows Firewall rules from the Registry to a CSV file or any other human-readable format? Currently I am comparing those rules to check for any anomaly...
Best regards,
Robin
-
keydet89 - Senior Member
Re: Exporting Windows Firewall Rules
If you can share a sample (you didn't mention which version of Windows you're working with) I could write a RegRipper plugin, or extend the current fw_config.pl plugin.
-
Bunnysniper - Senior Member
Re: Exporting Windows Firewall Rules
- keydet89: If you can share a sample (you didn't mention which version of Windows you're working with) I could write a RegRipper plugin, or extend the current fw_config.pl plugin.
Harlan, I had a look at your RegRipper at first.

Currently I am interested in analyzing the data from:
\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
\FirewallRules\
\RestrictedServices\AppIso\FirewallRules
\RestrictedServices\Configurable\System
\RestrictedServices\Static\System
and comparing it to
\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules
to detect any added or modified firewall rules.
If you want to modify the existing plugin, you could read the logging configuration from:
\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
\DomainProfile\Logging
\PublicProfile\Logging
\StandardProfile\Logging
That would be nice, a valuable addition for RegRipper and a help for me and any other analyst!
The mentioned OS is Windows 10.
Best regards, Robin
Edit: shortened the registry path and added the OS
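
The comparison described in the post above, as an added example that is not part of the original thread and not RegRipper code. It assumes the values under the Parameters and Defaults FirewallRules keys have already been read from the SYSTEM hive into name-to-data maps, and that each value's data is the pipe-delimited "v2.x|Key=Value|..." string Windows stores per rule; the function names and all sample rule data are constructed for illustration.

```python
import csv
import io

# CSV columns: keys commonly present in the pipe-delimited rule strings.
FIELDS = ["Name", "Action", "Active", "Dir", "Protocol", "Profile", "LPort", "RPort", "App", "Svc"]

def parse_rule(data):
    # "v2.30|Action=Allow|Profile=Domain|Profile=Private|" -> dict; repeated keys are comma-joined.
    parts = [p for p in data.split("|") if p]
    rule = {"Version": parts[0]} if parts and "=" not in parts[0] else {}
    for part in parts[len(rule):]:
        key, _, value = part.partition("=")
        rule[key] = f"{rule[key]},{value}" if key in rule else value
    return rule

def diff_rules(current, defaults):
    # Both arguments map registry value name -> value data, one map per FirewallRules key.
    findings = []
    for name in sorted(current.keys() | defaults.keys()):
        cur = parse_rule(current[name]) if name in current else None
        dflt = parse_rule(defaults[name]) if name in defaults else None
        if dflt is None:
            findings.append((name, "added", cur))
        elif cur is None:
            findings.append((name, "removed", dflt))
        elif cur != dflt:
            findings.append((name, "modified", cur))
    return findings

def to_csv(findings):
    # Keys outside FIELDS (Version, address ranges, ...) are dropped from the CSV.
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["ValueName", "Status"] + FIELDS, extrasaction="ignore")
    writer.writeheader()
    for name, status, rule in findings:
        writer.writerow({"ValueName": name, "Status": status, **rule})
    return out.getvalue()

# Constructed sample data (not taken from a real system).
SVCHOST = "App=%SystemRoot%\\system32\\svchost.exe"
DEFAULTS = {
    "Sample-DNS-Out": f"v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=53|{SVCHOST}|Name=DNS out|",
    "Sample-RDP-In": f"v2.30|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=3389|{SVCHOST}|Name=RDP in|",
}
CURRENT = {
    "Sample-DNS-Out": DEFAULTS["Sample-DNS-Out"],
    "Sample-RDP-In": DEFAULTS["Sample-RDP-In"].replace("Active=FALSE", "Active=TRUE"),
    "{11111111-2222-3333-4444-555555555555}":
        "v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=8443|App=C:\\Users\\Public\\svc.exe|Name=Updater|",
}
```

Calling to_csv(diff_rules(CURRENT, DEFAULTS)) returns the CSV text; unchanged rules are omitted, so only the enabled RDP rule and the added rule appear.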
-
keydet89 - Senior Member
Re: Exporting Windows Firewall Rules
Robin,
Do you have any exemplar data that you can share?