Blacklisting IP address via PowerShell automatically

    • #272479
      Participant
      Topics: 2
      Replies: 6
      Points: 32
      Rank: Member

      So I just finished publishing a project I decided to quickly make; the only thing is I am curious if anyone else knows of integration methods using this. Hate to post a YT video as I value your time, but it is only about 30 seconds to get what it does: https://www.youtube.com/embed/EESetK1lh2s

      Source code is here: https://gist.github.com/Noirth/77c744a68313570dafd8503e26cd85e4


      Basically the goal is to:

      1. Run a constant process monitoring opening netstat connections to a certain port
      2. Automatically searching NEW IPs against the API feeds – if bad blacklist/firewall
      3. Profit.. pretty much free firewall automation via PowerShell


      Anyone think I am crazy or know a better way to do this??

      • This topic was modified 2 weeks ago by Ciphers42.
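      A minimal sketch of the three-step loop described in this post (watch a port, score new remote IPs, block the bad ones), written as an added example rather than the gist's own code. The port, the block threshold, the log path and the in-script feed table are assumptions; the feed table stands in for whatever threat-intel API the real tool queries.

```powershell
# Added example (not the gist's code): watch one port, score NEW remote IPs, block the bad ones.
param(
    [int]$Port = 3389,            # port to watch (assumed)
    [int]$IntervalSeconds = 10,
    [int]$BlockScore = 75,        # score at/above which an IP is blocked (assumed threshold)
    [switch]$DryRun               # log and warn only, never touch the firewall
)

$seen = @{}                       # remote IPs already scored this session, so each is looked up once

# Stand-in for the threat-intel lookup: a constructed table of sample scores. A real tool would
# call Invoke-RestMethod against its feed here; URL, auth headers and response shape are feed-specific.
$constructedFeed = @{ '203.0.113.7' = 90; '198.51.100.20' = 10 }
function Get-ThreatScore([string]$Ip) {
    if ($constructedFeed.ContainsKey($Ip)) { return $constructedFeed[$Ip] }
    return 0
}

function Test-PrivateIp([string]$Ip) {
    # Never block RFC 1918, loopback or link-local peers, whatever the feed says
    return $Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
}

while ($true) {
    $peers = Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty RemoteAddress -Unique
    foreach ($ip in $peers) {
        if ($seen.ContainsKey($ip) -or (Test-PrivateIp $ip)) { continue }
        $score = Get-ThreatScore $ip
        $seen[$ip] = $score
        "$(Get-Date -Format o) $ip score=$score" | Out-File -Append "$env:TEMP\ipwatch.log"   # assumed log path
        if ($score -ge $BlockScore) {
            $name = "IPWatch block $ip"
            if ($DryRun) { Write-Warning "would block $ip (score $score)"; continue }
            # One rule per IP, created only once; leaving the rule name searchable makes cleanup easy
            if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                    -RemoteAddress $ip -Profile Any | Out-Null
                Write-Warning "blocked $ip (score $score)"
            }
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

      Run it elevated (firewall rules need admin) and start with -DryRun to confirm the feed and threshold behave as expected before letting it create rules.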
    • #272659
      Participant
      Topics: 5
      Replies: 177
      Points: 686
      Helping Hand
      Rank: Major Contributor

      I don’t follow your logic. Why wait for a new connection to check if it is on a blacklist? Why not just either block everything on the blacklist or just allow only what is on the whitelist and nothing else?

    • #272707
      Participant
      Topics: 2
      Replies: 382
      Points: 523
      Helping Hand
      Rank: Major Contributor

      This seems reactive. You’re waiting for a connection, then checking it against a DB, and if it’s a known bad IP you’re blocking it.

      You should be blocking known bad IPs dynamically before they try to connect.  Most modern firewalls will update on a regular basis from the vendor but you can get MineMeld (just an example I’m familiar with) up and running pretty quickly to keep those blacklists up to date and block IPs before they attempt to connect.

      https://live.paloaltonetworks.com/t5/minemeld/ct-p/MineMeld

    • #274620
      Participant
      Topics: 2
      Replies: 6
      Points: 32
      Rank: Member

      This is more of an IR-esque tool.

      It is not intended to ship with Windows.

      While I can understand the logic concerns, there is a such thing as an IPS and IDS.

      While you can disagree with their logic as well, they have proper application.

      This is not intended to be a licensed/sold firewall in PowerShell but more of a SoC toolkit to quickly drop on a target and monitor IPs quickly for malicious scores with an automatic email report back.

      It’s in case the firewall is not picking stuff up, which can happen during an attack. This assumes perhaps the firewall IP scoring is not relevant enough, or otherwise we just want to doubly verify no malicious IP activity on our endpoint. Kind of a pretty freaking cool tool, to for example drop for 24-48 hours and then pull it back off.

      Pulling in multiple sources of IP threat intelligence to get as many possible scores as possible – then to generate an alert to a security team, this tool has the potential to save some arse

      P.S. I know initially I never fully explained, because as you can see above that is a lot to type lol

      Ah yes, 1 final point – with WFH (work from home) since COVID is going kinda cray cray, lotta folks may not have all peeps VPN’d in and so there is a slight chance this could be useful to send to staff.. and say, hey click this (under least ideal circumstances where we see someone clicked a malicious link but we have no remote deployment).

      Or an attempt could be made to remotely push this to remote endpoints (those working from home), which may not be covered under a firewall product otherwise such as Palo Alto or whatever else.

      So, hopefully we can all get the point now.

      This is merely intended as a SoC tool, to remotely deploy to an endpoint where we just want to see “Hmm, over 24-48 hours what is goin’ on?”

      Because sometimes a simple AV product is not enough, a firewall only on when endpoint is on VPN is not enough, and even whitelisting apps is not enough when there is potential to punch through stuff with a macro from a phishing email.

      Soo.. this is for “Ah crap, this person might be hacked.” What now? It’s not a silver bullet, just my thought on how to better check a system than “Ah, well they should be good.”

      • This reply was modified 6 days, 7 hours ago by Ciphers42. Reason: fixin' the turkey for thanksgiving