CrowdStrike Powershell module for parsing WFP for Falcon Host Based Firewall
CRWD-HBFW is a lightweight PowerShell module that helps you debug and analyze the Windows Filtering Platform (WFP) in the context of the CrowdStrike Falcon Host-Based Firewall.
CrowdStrike Falcon's Host-based firewall is a module from the CrowdStrike Endpoint Protection Platform. It is enabled through the cs-agent located on the endpoint, and controlled through a channel file delivered to the endpoint.
CrowdStrike Firewall can have many network locations, and the agent will remove or add WFP filters based on the network location which is currently active.
This PS module is designed to help understand the currently active WFP filters on a Windows host with CrowdStrike's Falcon Host-Based Firewall enabled.
Note: CRWD-HBFW v2.0 uses native Windows Filtering Platform (WFP) APIs via P/Invoke to Fwpuclnt.dll or alternatively netsh wfp. No external module dependencies are required.
PowerShell installs new modules from the public PSGallery repository:

```powershell
Get-PSRepository
Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
```

To install, run the following from an elevated PowerShell shell:

```powershell
Install-Module crwd-hbfw
```

Now the Get-CrwdHbfw command should be available.
You can validate and get more info via the help command:

```text
PS> Get-Help Get-CrwdHbfw

NAME
    Get-CrwdHbfw

SYNOPSIS
    Enumerate CrowdStrike Host-Based Firewall (WFP) filters with optional filtering.

SYNTAX
    Get-CrwdHbfw [[-ActionType] <String>] [[-Id] <String>] [[-RuleType] <String>] [[-LPort] <String>] [[-RPort] <String>] [[-LIP] <String>]
    [[-RIP] <String>] [[-Protocol] <String>] [[-AppId] <String>] [<CommonParameters>]

DESCRIPTION
    Get-CrwdHbfw queries the Windows Filtering Platform (WFP) engine via
    FwpmFilterEnum0 and returns filters created by the CrowdStrike Falcon sensor.
    Filters are returned as CRWDFWFilter objects. Results can be narrowed by
    action type, rule type, filter ID, local/remote port, local/remote IP address,
    IP protocol, or application path.

    By default (RuleType '[default]') the function returns Persistent+Indexed
    filters, which represent the active CrowdStrike policy rules. Use
    -RuleType 'BootTime, Indexed' to enumerate boot-time filters instead.

    Requires Windows 10/11 or Windows Server 2016+, an elevated (Administrator)
    session, the Base Filtering Engine (BFE) service running, and the CrowdStrike
    Falcon sensor installed.

RELATED LINKS
    Format-CrwdHbfw

REMARKS
    To see the examples, type: "get-help Get-CrwdHbfw -examples".
    For more information, type: "get-help Get-CrwdHbfw -detailed".
    For technical information, type: "get-help Get-CrwdHbfw -full".
    For online help, type: "get-help Get-CrwdHbfw -online"
```

You must use an *elevated rights (Run as Administrator)* PowerShell session:

```text
PS > Get-CrwdHbfw
FwpmEngineOpen0 failed with error 0x80070005. Ensure you are running as Administrator.
```

Note: MS Defender should not alert on this module, as it no longer depends on NtObjectManager.
Get-CrwdHbfw is the main function of the module. It is a wrapper around the native Windows Filtering Platform (WFP) APIs and its output is filtered to only show the filters that are relevant to CrowdStrike HostBased Firewalls implemented by WFP.
Provided Benefits:
- CRWDFWFilter objects are returned
- You can use Format-Table, Format-Wide, Format-List, Format-Custom or Format-CrwdHbfw to format the output
- You can use Where-Object and Sort-Object to filter the output
- Details is a META property that contains the details of the FWPM_Condition filter in a human readable format when using Format-Table.
```powershell
PS > Get-CrwdHbfw -ActionType 'Permit' -LPort 3389 -Protocol Tcp | Format-Table

Rule Type           Action Type Id     Details
---------           ----------- ------ -------
Persistent, Indexed Permit      110555 FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 3389|IP_PROTOCOL: Tcp|
```

```powershell
PS > Get-CrwdHbfw -ActionType 'Permit' -LPort 3389 | Sort-Object | Format-Table

Rule Type           Action Type Id     Details
---------           ----------- ------ -------
Persistent, Indexed Permit      110507 FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 3389|IP_PROTOCOL: Udp|
Persistent, Indexed Permit      110555 FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 3389|IP_PROTOCOL: Tcp|
```

Slice an array of CRWDFWFilter objects:

```powershell
PS > (Get-CrwdHbfw -ActionType 'Permit')[0] | Format-Table

Rule Type           Action Type Id     Details
---------           ----------- ------ -------
Persistent, Indexed Permit      110555 FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 3389|IP_PROTOCOL: Tcp|
```

Format-CrwdHbfw is a custom formatter for the output of CRWDFWFilter types. It is not used by default, but can be used to format the output of Get-CrwdHbfw.
Added Benefits:
- Id is shown in decimal and hex
- FWPM_CONDITION_* are shown as their names and values, with the exception of FWPM_CONDITION_FLAGS, which is shown as a list of flags
- FWPM_CONDITION_* are sorted by their name after the Core Key Properties (Id, RuleType, ActionType, EffectiveWeight)
- Either a single filter or a list of filters can be piped to Format-CrwdHbfw
```powershell
PS > (Get-CrwdHbfw)[0] | Format-CrwdHbfw

ActionType: Permit
EffectiveWeight: 1152921504606856098
Id: 110555 [HEX: 0x1AFDB]
RuleType: Persistent, Indexed
FWPM_CONDITION_FLAGS: FlagsNoneSet:IsLoopback
FWPM_CONDITION_IP_LOCAL_PORT: 3389
FWPM_CONDITION_IP_PROTOCOL: Tcp
```

```powershell
PS > Get-CrwdHbfw -ActionType 'Permit' -LPort 3389 | Format-CrwdHbfw

ActionType: Permit
EffectiveWeight: 1152921504606856098
Id: 110555 [HEX: 0x1AFDB]
RuleType: Persistent, Indexed
FWPM_CONDITION_FLAGS: FlagsNoneSet:IsLoopback
FWPM_CONDITION_IP_LOCAL_PORT: 3389
FWPM_CONDITION_IP_PROTOCOL: Tcp

ActionType: Permit
EffectiveWeight: 1152921504606856097
Id: 110507 [HEX: 0x1AFAB]
RuleType: Persistent, Indexed
FWPM_CONDITION_FLAGS: FlagsNoneSet:IsLoopback
FWPM_CONDITION_IP_LOCAL_PORT: 3389
FWPM_CONDITION_IP_PROTOCOL: Udp
```

The full help text for Get-CrwdHbfw:

```text
NAME
    Get-CrwdHbfw

SYNOPSIS
    Display current CrowdStrike Host-Based Firewall filters based on the Windows Filtering Platform (WFP).

SYNTAX
    Get-CrwdHbfw [[-ActionType] <String>] [[-Id] <String>] [[-RuleType] <String>] [[-LPort] <String>] [[-RPort] <String>] [[-LIP] <String>] [[-RIP] <String>]
    [[-Protocol] <String>] [[-AppId] <String>] [<CommonParameters>]

DESCRIPTION
    The Get-CrwdHbfw function displays current CrowdStrike Host-Based Firewall filters based on the Windows Filtering Platform (WFP).
    Get-CrwdHbfw outputs a list of CRWDFWFilter objects.
    CRWDFWFilter objects are custom objects that contain the following properties:
    Id, ActionType, EffectiveWeight, RuleType, FWPM_CONDITION_*.

PARAMETERS
    -ActionType <String>
        The ActionType parameter specifies the action type of the WFP filter.
        The ActionType parameter must be either 'Permit' or 'Block'.

    -Id <String>
        The Id parameter specifies the Id / FilterId of the WFP filter.

    -RuleType <String>
        The RuleType parameter specifies the RuleType of the WFP filter.
        The RuleType parameter must be either 'Persistent, Indexed' or 'BootTime, Indexed'.

    -LPort <String>
        The LPort parameter specifies the local port of the WFP filter.

    -RPort <String>
        The RPort parameter specifies the remote port of the WFP filter.

    -LIP <String>
        The LIP parameter specifies the local IP address of the WFP filter.

    -RIP <String>
        The RIP parameter specifies the remote IP address of the WFP filter.

    -Protocol <String>
        The Protocol parameter specifies the protocol of the WFP filter.

    -AppId <String>
        The AppId parameter specifies the AppId of the WFP filter.

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).

    -------------------------- EXAMPLE 1 --------------------------

    PS>Get-CrwdHbfw -ActionType 'Permit' -LPort 3389

    -------------------------- EXAMPLE 2 --------------------------

    PS>Get-CrwdHbfw -ActionType 'Block' -LPort 50000

    -------------------------- EXAMPLE 3 --------------------------

    PS>Get-CrwdHbfw -ActionType 'Block' -RPort 22 -RIP 10.0.0.0/8

REMARKS
    To see the examples, type: "get-help Get-CrwdHbfw -examples".
    For more information, type: "get-help Get-CrwdHbfw -detailed".
    For technical information, type: "get-help Get-CrwdHbfw -full".
```
Get-StagedWFPFilter, the underlying enumeration function that Get-CrwdHbfw calls (see the -Debug output further below), can also be used directly:

```powershell
PS > Get-StagedWFPFilter | Sort-Object | Format-Table

Rule Type           Action Type Id     Details
---------           ----------- ------ -------
Persistent, Indexed Permit      103665 ALE_APP_ID: \device\harddiskvolume2\windows\system32\svchost.exe|ALE_USER_ID: NT SERVICE\W32Time|FLAGS: FlagsNoneSet:IsLoopback|IP_PROTOCOL: Udp|IP_REMOTE_PORT: 123|
Persistent, Indexed Permit      103649 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 136|IP_PROTOCOL: IcmpV6|IP_REMOTE_PORT: 0|
Persistent, Indexed Permit      103669 ALE_APP_ID: \device\harddiskvolume2\windows\system32\svchost.exe|ALE_USER_ID: NT SERVICE\Dnscache|FLAGS: FlagsNoneSet:IsLoopback|IP_PROTOCOL: Udp|IP_REMOTE_PORT: 53|
Persistent, Indexed Permit      103651 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 4|IP_PROTOCOL: IcmpV6|
Persistent, Indexed Permit      103631 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_ADDRESS: fe80:: - Prefix: 64|IP_LOCAL_PORT: 134|IP_PROTOCOL: IcmpV6|IP_REMOTE_PORT: 0|
Persistent, Indexed Permit      103629 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 134|IP_PROTOCOL: IcmpV6|IP_REMOTE_ADDRESS: fe80:: - Prefix: 64|IP_REMOTE_PORT: 0|
Persistent, Indexed Permit      103639 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 132|IP_PROTOCOL: IcmpV6|IP_REMOTE_PORT: 0|
Persistent, Indexed Permit      103635 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 133|IP_PROTOCOL: IcmpV6|IP_REMOTE_PORT: 0|
Persistent, Indexed Permit      103695 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 135|IP_PROTOCOL: IcmpV6|IP_REMOTE_PORT: 0|
Persistent, Indexed Block       103675 FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 50000|IP_PROTOCOL: Tcp|
Persistent, Indexed Permit      103655 ALE_APP_ID: \device\harddiskvolume2\windows\system32\svchost.exe|ALE_USER_ID: NT SERVICE\Dhcp|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 546|IP_PROTOCOL: Udp|IP_REMOTE_PORT: 547|
Persistent, Indexed Permit      103627 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 3|IP_PROTOCOL: IcmpV6|
Persistent, Indexed Permit      103677 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 131|IP_PROTOCOL: IcmpV6|IP_REMOTE_PORT: 0|
Persistent, Indexed Permit      103707 ALE_APP_ID: \device\harddiskvolume2\windows\system32\svchost.exe|ALE_USER_ID: NT SERVICE\gpsvc|CURRENT_PROFILE_ID: Domain|FLAGS: FlagsNoneSet:IsLoopback|IP_PROTOCOL: Tcp|
Persistent, Indexed Permit      103697 ALE_APP_ID: System|CURRENT_PROFILE_ID: Domain|FLAGS: FlagsNoneSet:IsLoopback|IP_PROTOCOL: Tcp|IP_REMOTE_PORT: 445|
Persistent, Indexed Permit      103641 ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 132|IP_PROTOCOL: IcmpV6|IP_REMOTE_PORT: 0|
Persistent, Indexed Permit      103685 FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 3389|IP_PROTOCOL: Tcp|
```

```powershell
PS > (Get-StagedWFPFilter)[0].details
ALE_APP_ID: System|FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 136|IP_PROTOCOL: IcmpV6|IP_REMOTE_PORT: 0|
```

```powershell
PS > Get-StagedWFPFilter -Id '110556' | Format-CrwdHbfw

ActionType: Permit
EffectiveWeight: 1152921504606856098
FWPM_CONDITION_FLAGS: FlagsNoneSet:IsLoopback
FWPM_CONDITION_IP_LOCAL_PORT: 3389
FWPM_CONDITION_IP_PROTOCOL: Tcp
Id: 110556 [HEX: 0x1AFDC]
RuleType: Boottime, Indexed
```
```powershell
PS > Get-CrwdHbfw -ActionType 'Block' -Debug | Format-Table

[debug] Get-CrwdHbfw ** ParamHash:
[debug] ------------------
{
  "ActionType": "Block",
  "Id": "",
  "RuleType": "[default]"
}
[debug] ------------------
[debug] Get-StagedWFPFilter
[debug] ------------------
[debug] ActionType: Block
[debug] Id:
[debug] RuleType: Persistent, Indexed
[debug] ------------------

Rule Type           Action Type Id     Details
---------           ----------- ------ -------
Persistent, Indexed Block       110545 FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 50000|IP_PROTOCOL: Tcp|
```

See TESTING.md for unit and integration test instructions.
So long and thanks for all the fish. Leave a message or open an issue on GitHub if you did not find this helpful.
To uninstall, you must use an *elevated rights (Run as Administrator)* PowerShell session:

```powershell
Uninstall-Module crwd-hbfw
```

CRWD-HBFW v2.0 uses native Windows Filtering Platform (WFP) P/Invoke calls to Fwpuclnt.dll to enumerate filters directly. No external modules are required.
The module calls FwpmEngineOpen0, FwpmFilterCreateEnumHandle0, FwpmFilterEnum0, and FwpmFilterDestroyEnumHandle0 to enumerate all WFP filters, then filters for those named "CrowdStrike WFP Filter". Condition GUIDs are resolved to human-readable FWPM_CONDITION_* names using a built-in lookup table derived from the Windows SDK.
CRWD-HBFW provides additional types, recursive mapping of the conditions, and formatters for viewing. Without these, reading the value of a filter's conditions, which administrators frequently need (which TCP port is filtered in this rule, which application, etc.), requires recursive calls into the WFP structures.
In v1.x, CRWD-HBFW depended on the NtObjectManager module (by Google Project Zero) for WFP access via Get-FwFilter. Starting with v2.0, this dependency has been removed in favor of direct native API calls.
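As an added example (not part of the crwd-hbfw module), the following parses the Details string shown in the outputs above into a hashtable and diffs two snapshots of Get-CrwdHbfw output, so the filters the sensor adds or removes on a network location change can be reviewed. It assumes the module's Get-CrwdHbfw is loaded in an elevated session; ConvertFrom-CrwdDetails, Save-CrwdHbfwSnapshot and Compare-CrwdHbfwSnapshot are hypothetical helper names, and the offline sample string is taken from this README's output.

```powershell
function ConvertFrom-CrwdDetails {
    # Parses "FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 3389|IP_PROTOCOL: Tcp|"
    # into an ordered hashtable keyed by condition name (hypothetical helper).
    param([Parameter(Mandatory)][string]$Details)
    $map = [ordered]@{}
    foreach ($field in ($Details -split '\|' | Where-Object { $_ -ne '' })) {
        # Split on the first ":" only; values such as "fe80:: - Prefix: 64" keep their colons.
        $name, $value = $field -split ':\s*', 2
        $map[$name] = $value
    }
    return $map
}

function Save-CrwdHbfwSnapshot {
    # Persist the currently active CrowdStrike filters to disk as a baseline.
    param([Parameter(Mandatory)][string]$Path)
    Get-CrwdHbfw |
        Select-Object Id, ActionType, RuleType, Details |
        Export-Clixml -Path $Path
}

function Compare-CrwdHbfwSnapshot {
    # Report filters added or removed since the baseline, e.g. after the sensor
    # swapped WFP filters for a different network location.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = Import-Clixml -Path $BaselinePath
    $current  = Get-CrwdHbfw | Select-Object Id, ActionType, RuleType, Details
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                   -Property Id, ActionType, Details |
        ForEach-Object {
            [pscustomobject]@{
                Change     = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Id         = $_.Id
                ActionType = $_.ActionType
                Conditions = ConvertFrom-CrwdDetails -Details $_.Details
            }
        }
}

# Offline check of the parser on a Details string from this README (constructed input):
$sample = 'FLAGS: FlagsNoneSet:IsLoopback|IP_LOCAL_PORT: 3389|IP_PROTOCOL: Tcp|'
$parsed = ConvertFrom-CrwdDetails -Details $sample
$parsed.IP_LOCAL_PORT   # the local port this rule matches

# Live use (elevated session, sensor installed):
# Save-CrwdHbfwSnapshot -Path .\hbfw-baseline.xml
# ... switch network location ...
# Compare-CrwdHbfwSnapshot -BaselinePath .\hbfw-baseline.xml | Format-Table Change, Id, ActionType
```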