Windows Firewall Hardening: Block Outbound Connections from LOLBins with PowerShell


The built-in Windows Firewall is one of the most underused security tools. While most organizations rely on perimeter firewalls, the local Windows Firewall provides granular control at the endpoint level. Configured correctly, it can reduce lateral movement, prevent malware downloads, and block command-and-control communication.

This guide explains how to harden Windows Firewall by blocking outbound connections from Living-off-the-Land Binaries (LOLBins)—legitimate Windows tools frequently abused by attackers.

Why Harden Windows Firewall at the Endpoint Level?

  • Stops lateral movement — Once an attacker gains access to one system, they often spread using built-in tools like PowerShell or certutil.exe.
  • Prevents data exfiltration — Outbound rules block malicious binaries from sending sensitive data outside the network.
  • Limits attack surface — Even if perimeter defenses fail, endpoint firewall rules provide a second layer of defense.

Unlike network-wide firewalls, endpoint firewalls operate per device: each machine enforces its own rules, so the compromise of one host does not remove the protection on the others.


What Are LOLBins?

LOLBins are trusted Windows executables that attackers repurpose for malicious activity. For example:

  • certutil.exe — Commonly used to download malware.
  • bitsadmin.exe — Abused to transfer malicious payloads.
  • mshta.exe — Executes malicious scripts from remote servers.
  • cscript.exe / wscript.exe — Runs malicious VBScript or JScript code.

A full catalog is maintained by the LOLBAS project. Security teams often consult this list when building defenses.

Building a PowerShell Script to Block Outbound Connections

Instead of manually configuring hundreds of rules, you can automate the process with PowerShell.

Step 1: Fetch LOLBins Data from LOLBAS API

The LOLBAS project provides data in JSON format. Example:

$lolbasUrl = "https://lolbas-project.github.io/api/lolbas.json"
$lolbasData = Invoke-RestMethod -Uri $lolbasUrl

Step 2: Loop Through Binaries and Identify Paths

foreach ($entry in $lolbasData) {
    # Each LOLBAS entry carries a Full_Path array of objects with a Path property,
    # e.g. C:\Windows\System32\certutil.exe (assumed schema of lolbas.json).
    # Some paths use environment variables, so expand them before testing.
    foreach ($rawPath in $entry.Full_Path.Path) {
        if (-not $rawPath) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($rawPath)
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            Write-Host "Found: $path"
        }
    }
}

Step 3: Create Outbound Firewall Rules

For each binary found, block outbound connections:

# Runs inside the inner loop of Step 2, where $entry and $path are in scope.
New-NetFirewallRule -DisplayName "Block_LOLBin_$($entry.Name)" `
    -Direction Outbound `
    -Program $path `
    -Action Block `
    -Enabled True

The rule matches on the program path given in -Program, so the binary at that path can no longer initiate outbound connections, whoever launches it.
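Putting the three steps together, here is a complete, re-runnable script as an added example; it is not the article's own code. It assumes the lolbas.json schema described above (each entry has a Name and a Full_Path array of objects with a Path property), tags every rule it creates with a common -Group so they can be listed and rolled back as a unit, skips the core binaries the Considerations section warns about, and skips rules that already exist. The parameter names and the group name are choices made here, not anything the article or the LOLBAS project defines.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$LolbasUrl = "https://lolbas-project.github.io/api/lolbas.json",
    # All rules created here share this group so they can be audited or removed together
    [string]$Group     = "LOLBin Outbound Block",
    # Core binaries not to block without separate testing (see Considerations)
    [string[]]$Exclude = @("cmd.exe", "powershell.exe", "powershell_ise.exe", "explorer.exe"),
    # Rollback switch: remove every rule in the group and exit
    [switch]$Remove
)

if ($Remove) {
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Write-Host "Removed all rules in group '$Group'."
    return
}

# Step 1: fetch the LOLBAS catalog (assumed schema: Name, Full_Path[].Path)
$lolbasData = Invoke-RestMethod -Uri $LolbasUrl

# Step 2: resolve every candidate path that actually exists on this host
$targets = foreach ($entry in $lolbasData) {
    foreach ($fp in $entry.Full_Path) {
        $raw = $fp.Path
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $leaf = Split-Path -Path $path -Leaf
        if ($Exclude -contains $leaf) {
            Write-Verbose "Skipping excluded binary $leaf"
            continue
        }
        # -LiteralPath: catalog entries containing wildcards are not expanded, just skipped
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        [pscustomobject]@{ Name = $entry.Name; Path = $path }
    }
}
# The same binary can appear under several entries; one rule per path is enough
$targets = @($targets | Sort-Object -Property Path -Unique)

# Step 3: one outbound block rule per present binary, idempotent across runs
$created = 0
foreach ($t in $targets) {
    # Include the parent directory so System32 and SysWOW64 copies get distinct rule names
    $dir      = Split-Path -Path (Split-Path -Path $t.Path -Parent) -Leaf
    $ruleName = "Block_LOLBin_{0}_{1}" -f $t.Name, $dir
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$ruleName' already exists; skipping"
        continue
    }
    New-NetFirewallRule -DisplayName $ruleName -Group $Group `
        -Direction Outbound -Program $t.Path -Action Block `
        -Profile Any -Enabled True | Out-Null
    $created++
}

Write-Host ("Created {0} rule(s) in group '{1}' for {2} binaries present on this host." -f `
    $created, $Group, $targets.Count)
```

Run it with -WhatIf first to see which rules would be created without touching the firewall, with -Verbose to see what was skipped and why, and with -Remove to roll every rule in the group back in one step. Because rules are looked up by display name before creation, the script can be scheduled to re-run after the catalog changes without producing duplicates.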

Example: Blocking certutil.exe and bitsadmin.exe

Manual configuration can also be done for specific high-risk tools.

New-NetFirewallRule -DisplayName "Block_certutil" `
    -Direction Outbound `
    -Program "C:\Windows\System32\certutil.exe" `
    -Action Block `
    -Enabled True

New-NetFirewallRule -DisplayName "Block_bitsadmin" `
    -Direction Outbound `
    -Program "C:\Windows\System32\bitsadmin.exe" `
    -Action Block `
    -Enabled True

Considerations Before Deployment

  • Do not block core system binaries such as cmd.exe or powershell.exe without testing. Some may be required for system operations.
  • Test in a lab environment first. Blocking incorrectly can disrupt patching, software updates, or monitoring tools.
  • Use snapshots or backups to recover if necessary.

For enterprise environments, manage firewall rules with Group Policy or Intune for consistent deployment.

Real-World Relevance

Threat actors like APT32 and FIN7 have historically leveraged Windows native tools to avoid detection. By blocking outbound access for these binaries, defenders significantly raise the difficulty for attackers.

Microsoft Defender ATP logs can also be monitored to verify whether a blocked process attempts a network connection.
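Where Defender ATP is not available, the local Security log offers the same verification. The following is an added example, not part of the article: it reads Windows Filtering Platform "connection blocked" audit events (Event ID 5157) and reports the ones raised by the binaries of interest. It assumes failure auditing for the "Filtering Platform Connection" subcategory has been enabled beforehand (for example with auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable); the -Watch list and the -Hours window are parameters chosen here for illustration.

```powershell
<#
  Added example: list recent outbound connections blocked by the firewall for
  selected LOLBins, from Security event 5157. Requires failure auditing of the
  "Filtering Platform Connection" subcategory to be enabled (assumption).
#>
param(
    [int]$Hours = 24,
    [string[]]$Watch = @("certutil.exe", "bitsadmin.exe", "mshta.exe", "cscript.exe", "wscript.exe")
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } `
    -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable
    $xml = [xml]$ev.ToXml()
    $d   = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 5157 records the program as a device path, e.g.
    # \device\harddiskvolume3\windows\system32\certutil.exe, so compare on the file name
    $leaf = ($d['Application'] -split '\\')[-1]
    if ($Watch -notcontains $leaf) { continue }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        Process     = $leaf
        ProcessId   = $d['ProcessID']
        Destination = "{0}:{1}" -f $d['DestAddress'], $d['DestPort']
        Protocol    = $d['Protocol']
        # Raw direction token from the event; %%14593 denotes Outbound
        Direction   = $d['Direction']
        # Filter run-time id, which can be cross-referenced against the WFP filter list
        FilterRTID  = $d['FilterRTID']
    }
}

if (-not $hits) {
    Write-Host "No blocked connections from watched binaries in the last $Hours hour(s)."
    return
}

# Per-binary summary first, then the individual events, newest first
$hits | Group-Object Process | Select-Object Name, Count | Format-Table -AutoSize
$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

A quick way to confirm the rules and the auditing are both working is to run the script right after a rule deployment and check that the binaries in the watch list appear only when they are actually executed; a host that never shows a hit for a blocked binary may simply not have auditing enabled.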


Key Takeaway

Blocking outbound connections for LOLBins with Windows Firewall strengthens endpoint defense. Automated PowerShell scripts simplify the process, reducing attacker opportunities to move laterally or exfiltrate data.

System administrators and security analysts should integrate this method into their hardening strategy, ensuring it’s tested and monitored in production environments.

For more on strengthening network security, see this Cybersecurity Networking Guide.
