
Overview

The firewall action enumerates Windows Firewall rules and open TCP ports on remote systems. It queries the MSFT_NetFirewallRule and MSFT_NetProtocolPortFilter WMI classes in the ROOT\StandardCIMV2 namespace.
This action is available on Windows Server 2012+ and Windows 8+ systems that support the StandardCIMV2 namespace.

Syntax

SharpWMI.exe action=firewall computername=HOST[,HOST2,...] [username=DOMAIN\user] [password=Password]

Parameters

Parameter     Required   Description
action        Yes        Must be firewall
computername  Yes        Target host(s), comma-separated
username      No         Username for authentication
password      No         Password for authentication

Usage Examples

SharpWMI.exe action=firewall computername=server.domain.com

Example Output

  Scope: \\server.domain.com\ROOT\StandardCIMV2

Rulename   : Remote Desktop - User Mode (TCP-In)
Action     : 2 (Allow)
Direction  : 1 (Inbound)
LocalPorts : 3389

Rulename   : Windows Remote Management (HTTP-In)
Action     : 2 (Allow)
Direction  : 1 (Inbound)
LocalPorts : 5985

Rulename   : File and Printer Sharing (SMB-In)
Action     : 2 (Allow)
Direction  : 1 (Inbound)
LocalPorts : 445

Understanding Output

Action Values

Value   Meaning
2       Allow
3       AllowBypass
4       Block

Direction Values

Value   Meaning
1       Inbound
2       Outbound
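The numeric Action and Direction codes above are the raw WMI values, so reviewing a large capture by eye is error-prone. The following parser is an added example (not SharpWMI's own code): it reads output laid out like the Example Output section, decodes the codes using the two tables above, and lists the inbound Allow rules that touch the management ports this page names (22, 445, 3389, 5985, 5986), which is the set a hardening review would want a justification for. The sample text is constructed for the example; the field layout and the port list are assumptions taken from this page.

```python
import re
from typing import Dict, List, Optional

# Meaning of the numeric Action and Direction codes, as listed on this page.
ACTION_CODES = {2: "Allow", 3: "AllowBypass", 4: "Block"}
DIRECTION_CODES = {1: "Inbound", 2: "Outbound"}

# Management ports this page calls out; an inbound Allow on any of them is
# worth a second look during a firewall hardening review (assumed list).
MANAGEMENT_PORTS = {22, 445, 3389, 5985, 5986}

# Constructed sample, laid out like the Example Output section above.
SAMPLE_OUTPUT = r"""
  Scope: \\server.domain.com\ROOT\StandardCIMV2

Rulename   : Remote Desktop - User Mode (TCP-In)
Action     : 2 (Allow)
Direction  : 1 (Inbound)
LocalPorts : 3389

Rulename   : Windows Remote Management (HTTP-In)
Action     : 2 (Allow)
Direction  : 1 (Inbound)
LocalPorts : 5985

Rulename   : Core Networking - DNS (UDP-Out)
Action     : 2 (Allow)
Direction  : 2 (Outbound)
LocalPorts : Any

Rulename   : Block legacy telnet (TCP-In)
Action     : 4 (Block)
Direction  : 1 (Inbound)
LocalPorts : 23
"""

# "Key : value" lines; the key is the word before the colon.
FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")


def _leading_int(value: str) -> Optional[int]:
    """Return the leading integer of a '2 (Allow)'-style value, or None."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def parse_rules(text: str) -> List[Dict]:
    """Split blank-line-separated rule blocks into decoded rule records."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "Rulename" not in fields:      # skips the "Scope:" header block
            continue
        action = _leading_int(fields.get("Action", ""))
        direction = _leading_int(fields.get("Direction", ""))
        port_text = fields.get("LocalPorts", "")
        rules.append({
            "name": fields["Rulename"],
            "action": ACTION_CODES.get(action, f"Unknown({action})"),
            "direction": DIRECTION_CODES.get(direction, f"Unknown({direction})"),
            # Numeric ports only; "Any" or "RPC" leave the set empty.
            "ports": {int(p) for p in re.findall(r"\d+", port_text)},
            "any_port": port_text.strip().lower() == "any",
        })
    return rules


def inbound_allow_on_management_ports(rules: List[Dict]) -> List[str]:
    """Names of rules that allow inbound traffic to a management port."""
    return [
        r["name"] for r in rules
        if r["action"] in ("Allow", "AllowBypass")
        and r["direction"] == "Inbound"
        and (r["any_port"] or r["ports"] & MANAGEMENT_PORTS)
    ]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_OUTPUT)
    for r in parsed:
        ports = sorted(r["ports"]) or ("Any" if r["any_port"] else "-")
        print(f"{r['name']:40} {r['direction']:9} {r['action']:12} {ports}")
    print("Review:", inbound_allow_on_management_ports(parsed))
```

Feed the tool's saved output to `parse_rules` and the review list comes out of `inbound_allow_on_management_ports`; the Block and Outbound rules in the sample are decoded but not flagged, which is the behaviour a reviewer wants when the output is long.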

Operational Use Cases

Scenario 1: Identify Remote Access Vectors

# Check for RDP, WinRM, PSRemoting
SharpWMI.exe action=firewall computername=target.domain.com
Look for rules allowing:
  • Port 3389 (RDP)
  • Port 5985/5986 (WinRM)
  • Port 22 (SSH)
  • Port 445 (SMB)

Scenario 2: Lateral Movement Planning

# Enumerate firewall across multiple systems
SharpWMI.exe action=firewall computername=server1,server2,server3,server4
Identify systems with:
  • Permissive firewall rules
  • Management ports open
  • Custom application ports
  • Outbound restrictions

Scenario 3: Egress Filtering Detection

Check for outbound rules that might block C2 traffic:
SharpWMI.exe action=firewall computername=target.domain.com
Look for:
  • Blocked outbound ports
  • Restricted protocols
  • Application-specific blocks

Scenario 4: Defense Evasion Planning

Identify allowed services and ports for blending in:
# Map allowed services across network
SharpWMI.exe action=firewall computername=dc1,fs1,sql1,web1

Remote Only

The firewall action is remote-only: it requires a computername parameter and cannot target localhost directly. For local firewall enumeration, use:
# Local alternative using query action
SharpWMI.exe action=query query="SELECT DisplayName,Action,Direction FROM MSFT_NetFirewallRule WHERE Enabled=1" namespace="ROOT\StandardCIMV2"

Detection Considerations

  • WMI queries to ROOT\StandardCIMV2 namespace
  • Queries for MSFT_NetFirewallRule class
  • Queries for MSFT_NetProtocolPortFilter class
  • Event ID 5857: WMI activity
  • Firewall enumeration across multiple systems
  • Queries originating from non-administrative systems
  • Bulk firewall queries in short timeframe
  • Correlation with other enumeration activities
  • WMI/DCOM traffic on port 135
  • Multiple connections to various systems
  • Queries from single source IP
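Several of the indicators above (firewall enumeration across multiple systems, bulk queries in a short timeframe, queries from a single source IP) only become visible when WMI query records are correlated per source. The detection below is an added example, not part of SharpWMI or of any vendor product: it runs over constructed, already-normalized records (timestamp, source, target, namespace, query text; this layout is the example's own, not the native Windows event format) and raises one alert per source that queried MSFT_NetFirewallRule or MSFT_NetProtocolPortFilter in ROOT\StandardCIMV2 on at least three distinct hosts within a ten-minute window. The window and threshold are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# WMI classes and namespace named on this page as detection points.
FIREWALL_CLASSES = ("MSFT_NetFirewallRule", "MSFT_NetProtocolPortFilter")
NAMESPACE = "ROOT\\StandardCIMV2"

# Constructed, normalized records: "<timestamp> <source> <target> <namespace> <query>".
# The layout is this example's own, not the native Windows event format.
SAMPLE_LOG = r"""
2024-05-01T09:00:01Z 10.0.0.5 dc1  ROOT\StandardCIMV2 SELECT * FROM MSFT_NetFirewallRule
2024-05-01T09:00:02Z 10.0.0.5 fs1  ROOT\StandardCIMV2 SELECT * FROM MSFT_NetFirewallRule
2024-05-01T09:00:03Z 10.0.0.5 sql1 ROOT\StandardCIMV2 SELECT * FROM MSFT_NetProtocolPortFilter
2024-05-01T09:00:04Z 10.0.0.5 web1 ROOT\StandardCIMV2 SELECT * FROM MSFT_NetFirewallRule
2024-05-01T09:05:00Z 10.0.0.9 fs1  ROOT\CIMV2 SELECT * FROM Win32_OperatingSystem
2024-05-01T10:30:00Z 10.0.0.7 fs1  ROOT\StandardCIMV2 SELECT * FROM MSFT_NetFirewallRule
2024-05-01T14:30:00Z 10.0.0.7 dc1  ROOT\StandardCIMV2 SELECT * FROM MSFT_NetFirewallRule
"""


def parse_records(text: str) -> List[Dict]:
    """Turn the whitespace-separated sample lines into record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, ns, query = line.split(maxsplit=4)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "ns": ns, "query": query,
        })
    return records


def is_firewall_enum(rec: Dict) -> bool:
    """True when the query reads a firewall class in the StandardCIMV2 namespace."""
    if rec["ns"].upper() != NAMESPACE.upper():
        return False
    # Match the class name as a whole word so partial names do not fire.
    return any(re.search(rf"\b{cls}\b", rec["query"], re.IGNORECASE)
               for cls in FIREWALL_CLASSES)


def detect_sweeps(records: List[Dict],
                  window: timedelta = timedelta(minutes=10),
                  min_targets: int = 3) -> List[Dict]:
    """One alert per source whose firewall queries reached >= min_targets
    distinct hosts inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if is_firewall_enum(r):
            by_src[r["src"]].append(r)

    alerts = []
    for src, recs in by_src.items():
        win = deque()
        best, start = set(), None
        for r in recs:
            win.append(r)
            # Drop records that fell out of the window ending at this record.
            while r["ts"] - win[0]["ts"] > window:
                win.popleft()
            targets = {w["dst"] for w in win}
            if len(targets) > len(best):
                best, start = targets, win[0]["ts"]
        if len(best) >= min_targets:
            alerts.append({"src": src, "start": start, "targets": sorted(best)})
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(parse_records(SAMPLE_LOG)):
        print(f"{a['src']} queried firewall rules on {len(a['targets'])} hosts "
              f"from {a['start'].isoformat()}: {', '.join(a['targets'])}")
```

In the sample, 10.0.0.5 sweeps four hosts within seconds and is reported; 10.0.0.7 touches two hosts four hours apart and stays under the threshold, and the Win32_OperatingSystem query in ROOT\CIMV2 is ignored because it is not a firewall class lookup. Pairing the alert with the source's usual administrative activity is the correlation step the list above refers to.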

Best Practices

Target Selection

  • Prioritize high-value targets (DCs, servers)
  • Focus on potential pivot points
  • Identify perimeter systems
  • Map DMZ configurations

Operational Security

  • Limit query frequency
  • Blend with legitimate admin activity
  • Avoid bulk queries
  • Use during business hours

Troubleshooting

Cause: System doesn't support StandardCIMV2 namespace
Solution:
  • Verify Windows version (8+ or Server 2012+)
  • Check WMI namespace exists:
    wmic /namespace:\\root path __NAMESPACE where Name="StandardCIMV2" get Name
  • Use alternative query methods for older systems

Cause: Insufficient privileges
Solution:
  • Verify admin credentials
  • Use username and password parameters
  • Check UAC remote restrictions

Cause: No firewall rules or query issue
Solution:
  • Verify firewall service is running
  • Check if firewall is enabled
  • Test with manual WMI query

Alternative Queries

SharpWMI.exe action=query computername=target query="SELECT DisplayName,Action,Direction,Enabled FROM MSFT_NetFirewallRule" namespace="ROOT\StandardCIMV2"
SharpWMI.exe action=query computername=target query="SELECT DisplayName FROM MSFT_NetFirewallRule WHERE Enabled=1 AND Direction=1 AND Action=2" namespace="ROOT\StandardCIMV2"
SharpWMI.exe action=query computername=target query="SELECT DisplayName,Direction FROM MSFT_NetFirewallRule WHERE Enabled=1 AND Action=4" namespace="ROOT\StandardCIMV2"