Blacklisting IP address via PowerShell automatically

So I just finished publishing a project I decided to quickly make; the only thing is, I am curious if anyone else knows of integration methods using this. H8 to post a YT video as I value your time, but it is only about 30 seconds to get what it does: YouTube

Source code is here: PowerShell IPv4 Threat Intel APIs AbuseIPDB Auth0 · GitHub

Basically the goal is to:

  1. Run a constant process monitoring netstat for opening connections to a certain port
  2. Automatically search NEW IPs against the API feeds; if bad, blacklist/firewall
  3. Profit... pretty much free firewall automation via PowerShell

Anyone think I am crazy or know a better way to do this?
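The three steps above, written out as an added example (this is not the linked project's code): poll `Get-NetTCPConnection` for established connections to one local port, score each new public remote address once against AbuseIPDB (the feed named in the post), and add an inbound Windows Firewall block rule when the confidence score reaches a threshold. The port, threshold, log path and environment variable name are assumptions chosen for the example; the API endpoint and the `abuseConfidenceScore` field follow the public AbuseIPDB v2 documentation, and the key is a placeholder you supply yourself. Private, loopback and link-local addresses are deliberately never looked up or blocked.

```powershell
#Requires -RunAsAdministrator
# Added example, not the project's own code: watch one local port, score new public remote
# IPs against AbuseIPDB, and block those scoring at or above a threshold.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$LocalPort = 3389,                 # assumption: port to watch
    [int]$BlockThreshold = 75,              # assumption: AbuseIPDB confidence score that triggers a block
    [string]$ApiKey = $env:ABUSEIPDB_KEY,   # placeholder: your own key, read from an environment variable
    [int]$PollSeconds = 10,
    [string]$LogPath = "$env:ProgramData\ThreatIntelWatch\blocks.log"  # assumption: log location
)

if (-not $ApiKey) { throw 'No API key: set ABUSEIPDB_KEY before running.' }

function Test-PrivateIPv4 {
    param([string]$Ip)
    # Loopback, RFC1918, link-local and unspecified ranges are never queried or blocked.
    return $Ip -match '^(127\.|10\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|0\.)'
}

function Get-AbuseIpdbScore {
    param([string]$Ip, [string]$Key)
    # AbuseIPDB v2 "check" endpoint; data.abuseConfidenceScore is 0-100.
    # Any failure (network, rate limit, bad key) returns $null so the caller skips instead of blocking.
    $uri = "https://api.abuseipdb.com/api/v2/check?ipAddress=$Ip&maxAgeInDays=90"
    try {
        $resp = Invoke-RestMethod -Uri $uri -Headers @{ Key = $Key; Accept = 'application/json' } -TimeoutSec 15
        return [int]$resp.data.abuseConfidenceScore
    } catch {
        Write-Warning "Lookup failed for $Ip : $($_.Exception.Message)"
        return $null
    }
}

function Block-RemoteIp {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Ip, [int]$Score)
    $name = "ThreatIntelWatch block $Ip"
    # Idempotent: do not create a second rule for an address that is already blocked.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($Ip, "Block inbound (score $Score)")) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -RemoteAddress $Ip `
            -Action Block -Profile Any | Out-Null
        Add-Content -Path $LogPath -Value ("{0:o} BLOCK {1} score={2}" -f (Get-Date), $Ip, $Score)
    }
}

$seen = [System.Collections.Generic.HashSet[string]]::new()
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Write-Host "Watching local port $LocalPort; blocking at score >= $BlockThreshold. Ctrl+C to stop."

while ($true) {
    $remotes = Get-NetTCPConnection -LocalPort $LocalPort -State Established -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty RemoteAddress -Unique
    foreach ($ip in $remotes) {
        if (-not $seen.Add($ip)) { continue }                          # already scored this run
        if ((Test-PrivateIPv4 $ip) -or $ip.Contains(':')) { continue } # skip internal and IPv6 peers
        $score = Get-AbuseIpdbScore -Ip $ip -Key $ApiKey
        if ($null -eq $score) { $seen.Remove($ip) | Out-Null; continue } # lookup failed: retry next poll
        Add-Content -Path $LogPath -Value ("{0:o} SEEN {1} score={2}" -f (Get-Date), $ip, $score)
        if ($score -ge $BlockThreshold) { Block-RemoteIp -Ip $ip -Score $score }
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Run it with `-WhatIf` first to see which addresses would be blocked without touching the firewall. Each address is scored only once per run, which keeps API usage within a feed's rate limits, and a failed lookup is never treated as "bad": the address is re-queued rather than blocked, so an outage of the intel feed cannot lock legitimate peers out.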

I don’t follow your logic. Why wait for a new connection to check if it is on a blacklist? Why not just either block everything on the blacklist or just allow only what is on the whitelist and nothing else?

This seems reactive. You’re waiting for a connection, then checking it against a DB and if it’s a known bad IP you’re blocking it.

You should be blocking known bad IPs dynamically before they try to connect. Most modern firewalls will update on a regular basis from the vendor but you can get MineMeld (just an example I’m familiar with) up and running pretty quickly to keep those blacklists up to date and block IPs before they attempt to connect.

This is more of an IR-esque tool.

It is not intended to ship with Windows.

While I can understand the logic concerns, there is such a thing as an IPS and IDS.

While you can disagree with their logic as well, they have proper application.

This is not intended to be a licensed/sold firewall in PowerShell but more of a SOC toolkit to quickly drop on a target and monitor IPs quickly for malicious scores, with an automatic email report back.

It’s in case the firewall is not picking stuff up, which can happen during an attack. This assumes perhaps the firewall IP scoring is not relevant enough, or otherwise we just want to doubly verify there is no malicious IP activity on our endpoint. Kind of a pretty freaking cool tool to, for example, drop for 24-48 hours and then pull it back off.

Pulling in multiple sources of IP threat intelligence to get as many scores as possible, then generating an alert to a security team, this tool has the potential to save some arse.

P.S. I know I initially never fully explained, because as you can see above, that is a lot to type lol

Ah yes, one final point: with WFH (work from home) since COVID is going kinda cray cray, lotta folks may not have all peeps VPN’d in, and so there is a slight chance this could be useful to send to staff… and say, hey, click this (under the least ideal circumstances, where we see someone clicked a malicious link but we have no remote deployment).

Or an attempt could be made to remotely push this to remote endpoints (those working from home), which may not otherwise be covered under a firewall product such as Palo Alto or whatever else.

So, hopefully we can all get the point now.

This is merely intended as a SOC tool, to remotely deploy to an endpoint where we just want to see “Hmm, over 24-48 hours what is goin’ on?”

Because sometimes a simple AV product is not enough, a firewall that is only on when the endpoint is on VPN is not enough, and even whitelisting apps is not enough when there is potential to punch through stuff with a macro from a phishing email.

Soo… this is for “Ah crap, this person might be hacked.” What now? It’s not a silver bullet, just my thought on how to better check a system than “Ah, well they should be good.”