If an attacker uses software already installed on windows to create a persistent connection, the industry calls this Clientless Malware or Living off the Land. This usually involves using Windows Powershell which is so easy to block using the built-in Defender firewall, i’m surprised it’s not blocked by default.
I propose a fix for this in the form of a Windows Firewall rule
Start, Run, mmc
add Windows Defender
Create a new rule,
Rule Type = Program
Use this progam path for 64bit Windows:
Block the connection
check the public box to prevent Powershell from communicating with the public Internet.
Give your rule a name, i named mine _Powershell_Block_Public so it gets sorted to the very top of the list alphabetically
for the description i used; Block Powershell connections to public IPs to prevent client-less malware
Now find the rule you just created, right click it and choose enable.
I am going to recommend this change for all RdWeb and Gateway servers.
Unfortuneately Windoze does not allow Exporting/Importing of a single rule. An export of all rules starts with the below:
Name Group Profile Enabled Action Override Program Local Address Remote Address Protocol Local Port Remote Port Authorized Computers Authorized Local Principals Local User Owner Application Package
_Powershell_Block_Public Public Yes Block No %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe Any Any Any Any Any Any Any Any Any
After some testing I plan to convert this to a Group Policy so i can easily apply it to all workstations. Stay tuned for that HowTo.