Overview

The firewall action enumerates Windows Firewall rules on remote systems together with the protocol and port each rule applies to. It queries the MSFT_NetFirewallRule class and the MSFT_NetProtocolPortFilter instance associated with each rule (the port information is not stored on the rule itself) in the ROOT\StandardCIMV2 namespace. The output reflects what the firewall would permit, not which ports actually have a listener behind them; confirm with a port scan before relying on it.
This action works against Windows 8 / Windows Server 2012 and later, which ship the StandardCIMV2 namespace. Older systems do not have the namespace and the query fails.

Syntax

SharpWMI.exe action=firewall computername=HOST[,HOST2,...] [username=DOMAIN\user] [password=Password]

Parameters

Parameter      Required   Description
action         Yes        Must be firewall
computername   Yes        Target host(s), comma-separated
username       No         Username for authentication (DOMAIN\user)
password       No         Password for authentication

Usage Examples

SharpWMI.exe action=firewall computername=server.domain.com

Example Output

  Scope: \\server.domain.com\ROOT\StandardCIMV2

Rulename   : Remote Desktop - User Mode (TCP-In)
Action     : 2 (Allow)
Direction  : 1 (Inbound)
LocalPorts : 3389

Rulename   : Windows Remote Management (HTTP-In)
Action     : 2 (Allow)
Direction  : 1 (Inbound)
LocalPorts : 5985

Rulename   : File and Printer Sharing (SMB-In)
Action     : 2 (Allow)
Direction  : 1 (Inbound)
LocalPorts : 445

Understanding Output

Action Values

Value   Meaning
2       Allow
3       AllowBypass
4       Block

Direction Values

Value   Meaning
1       Inbound
2       Outbound

Operational Use Cases

Scenario 1: Identify Remote Access Vectors

# Check for RDP, WinRM/PowerShell Remoting, SSH and SMB
SharpWMI.exe action=firewall computername=target.domain.com
Look for enabled inbound Allow rules on:
  • Port 3389 (RDP)
  • Port 5985/5986 (WinRM over HTTP/HTTPS; PowerShell Remoting uses the same listener)
  • Port 22 (OpenSSH server)
  • Port 445 (SMB)
An Allow rule only tells you the firewall would admit the traffic on the profiles the rule applies to; it does not prove a service is listening.

Scenario 2: Lateral Movement Planning

# Enumerate firewall across multiple systems
SharpWMI.exe action=firewall computername=server1,server2,server3,server4
Identify systems with:
  • Permissive firewall rules
  • Management ports open
  • Custom application ports
  • Outbound restrictions

Scenario 3: Egress Filtering Detection

Check for outbound rules that might block C2 traffic:
SharpWMI.exe action=firewall computername=target.domain.com
Look for:
  • Blocked outbound ports
  • Restricted protocols
  • Application-specific blocks
The rule list does not include each profile's default outbound action. Windows Firewall allows outbound traffic by default, but a hardened profile can set its default to Block, in which case egress is filtered even though no Block rule appears in the output. The MSFT_NetFirewallProfile class in the same namespace exposes that setting (DefaultOutboundAction).

Scenario 4: Defense Evasion Planning

Identify allowed services and ports for blending in:
# Map allowed services across network
SharpWMI.exe action=firewall computername=dc1,fs1,sql1,web1

Remote Only

The firewall action requires the computername parameter and cannot target localhost directly.
This is a remote-only action. For local firewall enumeration, run the equivalent WQL through the query action; without computername the query action runs against the local host:
# Local alternative using query action
SharpWMI.exe action=query query="SELECT DisplayName,Action,Direction FROM MSFT_NetFirewallRule WHERE Enabled=1" namespace="ROOT\StandardCIMV2"
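The same two-class enumeration the firewall action performs, written with the built-in CIM cmdlets so it can run locally (which the firewall action cannot), decode the Action and Direction codes from the tables above, and be compared against SharpWMI's output or the Alternative Queries at the end of this page. This is an added example, not SharpWMI source or SpecterOps documentation. It assumes the caller is a local administrator on each target and that remote hosts accept either WinRM (WSMan) or RPC/DCOM; the function names, the -Protocol switch and the remote-access port list are this example's own choices.

```powershell
# Added example, not SharpWMI code: reproduce the firewall action's enumeration
# with Get-CimInstance / Get-CimAssociatedInstance. Assumptions: local admin on
# each target; remote hosts reachable over WSMan or DCOM; function names,
# -Protocol switch and $RemoteAccessPorts are this example's own.

$ActionNames       = @{ 2 = 'Allow'; 3 = 'AllowBypass'; 4 = 'Block' }   # MSFT_NetFirewallRule.Action
$DirectionNames    = @{ 1 = 'Inbound'; 2 = 'Outbound' }                # MSFT_NetFirewallRule.Direction
$RemoteAccessPorts = '3389', '5985', '5986', '22', '445'               # RDP, WinRM, SSH, SMB

function Get-FirewallPortRule {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = 'localhost',
        # Dcom reproduces SharpWMI's network footprint (TCP/135 plus a dynamic RPC port);
        # Wsman goes over WinRM (5985/5986) instead.
        [ValidateSet('Wsman', 'Dcom')] [string]$Protocol = 'Wsman',
        [switch]$EnabledOnly
    )

    foreach ($target in $ComputerName) {
        # One CIM session per host, reused for the rule query and every association lookup.
        try {
            $session = if ($target -in 'localhost', '.') {
                New-CimSession -ErrorAction Stop
            } else {
                New-CimSession -ComputerName $target -ErrorAction Stop `
                    -SessionOption (New-CimSessionOption -Protocol $Protocol)
            }
        } catch {
            Write-Warning "${target}: $($_.Exception.Message)"
            continue
        }

        try {
            $ruleParams = @{
                CimSession = $session
                Namespace  = 'root/StandardCimv2'
                ClassName  = 'MSFT_NetFirewallRule'
            }
            if ($EnabledOnly) { $ruleParams.Filter = 'Enabled=1' }   # Enabled: 1 = True, 2 = False

            foreach ($rule in Get-CimInstance @ruleParams) {
                # Protocol and ports are not properties of the rule; they live on the
                # MSFT_NetProtocolPortFilter instance associated with it.
                $pf = Get-CimAssociatedInstance -CimSession $session -InputObject $rule `
                        -ResultClassName 'MSFT_NetProtocolPortFilter'
                [pscustomobject]@{
                    ComputerName = $target
                    RuleName     = $rule.DisplayName
                    Enabled      = ($rule.Enabled -eq 1)
                    Action       = $ActionNames[[int]$rule.Action]
                    Direction    = $DirectionNames[[int]$rule.Direction]
                    Protocol     = $pf.Protocol
                    LocalPorts   = (@($pf.LocalPort) -join ',')     # e.g. '3389', 'Any', 'RPC'
                    RemotePorts  = (@($pf.RemotePort) -join ',')
                }
            }
        } finally {
            Remove-CimSession -CimSession $session
        }
    }
}

function Get-FirewallProfileState {
    # Rules alone do not show egress posture: a profile whose DefaultOutboundAction
    # is Block drops outbound traffic even when no Block rule exists.
    param([string]$ComputerName = 'localhost')
    $p = @{ Namespace = 'root/StandardCimv2'; ClassName = 'MSFT_NetFirewallProfile' }
    if ($ComputerName -notin 'localhost', '.') { $p.ComputerName = $ComputerName }   # WSMan transport
    $profileActions = $ActionNames + @{ 0 = 'NotConfigured' }   # default actions use the rule codes
    Get-CimInstance @p | ForEach-Object {
        [pscustomobject]@{
            ComputerName          = $ComputerName
            Profile               = $_.Name                       # Domain, Private, Public
            Enabled               = ($_.Enabled -eq 1)
            DefaultInboundAction  = $profileActions[[int]$_.DefaultInboundAction]
            DefaultOutboundAction = $profileActions[[int]$_.DefaultOutboundAction]
        }
    }
}

# Scenario 1/2: enabled inbound Allow rules on remote-access ports, across several hosts.
Get-FirewallPortRule -ComputerName server1, server2, server3 -Protocol Dcom -EnabledOnly |
    Where-Object { $_.Action -eq 'Allow' -and $_.Direction -eq 'Inbound' -and
                   (($_.LocalPorts -split ',') | Where-Object { $_ -in $RemoteAccessPorts }) } |
    Format-Table ComputerName, RuleName, Protocol, LocalPorts -AutoSize

# Scenario 3: explicit outbound Block rules, then the per-profile default the rule list never shows.
Get-FirewallPortRule -ComputerName target.domain.com -EnabledOnly |
    Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' }
Get-FirewallProfileState -ComputerName target.domain.com
```

The default WSMan transport rides on the very WinRM listener this page flags as a remote-access vector, so the CIM cmdlets reach hosts that SharpWMI (DCOM) cannot and vice versa; pick -Protocol Dcom when the traffic should look like the tool's own. Either way, treat a matching rule as a lead: it is only effective on the profiles it applies to and while the firewall is enabled for the profile the target's network is currently in.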

Detection Considerations

  • Queries against the ROOT\StandardCIMV2 namespace for the MSFT_NetFirewallRule and MSFT_NetProtocolPortFilter classes
  • Microsoft-Windows-WMI-Activity/Operational Event ID 5857 on the target: records the provider being loaded into WmiPrvSE.exe, not the query text; Event ID 5858 records failed operations (for example a query against a host without the namespace) together with the operation, client machine and user
  • The query text itself is only captured in the Microsoft-Windows-WMI-Activity/Trace log when that analytic log has been enabled
  • Security Event ID 4624 with logon type 3 on each target, one network logon per source host, immediately followed by the WMI provider load
  • DCOM traffic: RPC endpoint mapper on TCP/135 followed by a dynamic high port (49152-65535 by default)
  • A single source host opening DCOM connections to many systems in a short window (bulk firewall enumeration)
  • Queries originating from workstations or accounts that do not normally perform remote WMI administration
  • Correlation with other enumeration activity from the same source (loggedon, ps, query actions)

Best Practices

Target Selection

  • Prioritize high-value targets (DCs, servers)
  • Focus on potential pivot points
  • Identify perimeter systems
  • Map DMZ configurations

Operational Security

  • Limit query frequency and spread multi-host sweeps out over time rather than enumerating many hosts at once
  • Blend with legitimate admin activity: query from hosts and accounts that already perform remote WMI administration
  • Use during business hours, when remote WMI from administrative hosts is expected

Troubleshooting

Cause: System doesn't support the StandardCIMV2 namespace (pre-Windows 8 / Server 2012)
Solution:
  • Verify Windows version (8+ or Server 2012+)
  • Check that the WMI namespace exists (wmic is deprecated and missing from recent Windows builds, so run this from a host that still ships it):
    wmic /namespace:\\root path __NAMESPACE where Name="StandardCIMV2" get Name
  • Use alternative query methods for older systems

Cause: Insufficient privileges
Solution:
  • Verify the account is a local administrator on the target
  • Use the username and password parameters to supply explicit credentials
  • Check UAC remote restrictions: a local administrator account other than the built-in Administrator receives a filtered token over the network unless LocalAccountTokenFilterPolicy is set; domain accounts in the local Administrators group are not affected

Cause: No rules returned or query issue
Solution:
  • Verify the Windows Defender Firewall service (MpsSvc) is running on the target
  • Check whether the firewall is enabled for the active profile
  • Test with a manual WMI query (see Alternative Queries)

Related Actions

  • query: Custom firewall queries
  • loggedon: User enumeration
  • ps: Process enumeration
  • exec: Execute commands

Alternative Queries

Use the query action when you need rule properties the firewall action does not print, or to filter on the server rather than reading a full rule dump. Enabled is 1 for an enabled rule; Action and Direction use the codes listed under Understanding Output.

# Every rule with its enabled state
SharpWMI.exe action=query computername=target query="SELECT DisplayName,Action,Direction,Enabled FROM MSFT_NetFirewallRule" namespace="ROOT\StandardCIMV2"
# Enabled inbound Allow rules (the ones that admit traffic)
SharpWMI.exe action=query computername=target query="SELECT DisplayName FROM MSFT_NetFirewallRule WHERE Enabled=1 AND Direction=1 AND Action=2" namespace="ROOT\StandardCIMV2"
# Enabled Block rules in either direction
SharpWMI.exe action=query computername=target query="SELECT DisplayName,Direction FROM MSFT_NetFirewallRule WHERE Enabled=1 AND Action=4" namespace="ROOT\StandardCIMV2"