Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

vtqhtr413
It seems that a kind of Microsoft bot has opened a thread on MT about GooseEgg. :)

It is a copy of the original Microsoft article:
https://www.microsoft.com/en-us/sec...loiting-cve-2022-38028-to-obtain-credentials/
There does seem to be unusual bots here all of a sudden, we can't interact with them at all, but things change and I bet Jack is doing his best to keep the forum viable.
 

Andy Ful
> There does seem to be unusual bots here all of a sudden, we can't interact with them at all, but things change and I bet Jack is doing his best to keep the forum viable.

I have nothing against this Bot. I also think that MT staff has control over posts of such Bots (good job). :)
The author of the article from arstechnica.com (mentioned in my previous post) forgot to mention the source article, so I did not know it at all. (y)
 

Andy Ful
> Hi @Andy Ful,
> I have a suggestion.
> When WHHFull is complete, move all or the major components from Hard_Configurator to WHHFull.
> Deprecate Hard_Configurator and Simple Windows Hardening (as WHHFull is superior).

It is already done. But I am not sure if such a new (superior) application is needed. Furthermore, WHHFull cannot be superior in all aspects. For example, H_C is lighter (no slowdowns) compared to WDAC ISG in WHHFull.

> If possible, bring your applications to Microsoft Store.

Too much trouble, but who knows?
 

Andy Ful
> Is FirewallHardening needed?

Let's ask another question. Can the WHHLight protection be bypassed?
There is no perfect protection, so the answer is Yes. WHHLight can be bypassed, but the chances for that are very, very small.
Here is an example where the malware could almost compromise WHHLight (but it did not):

> In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge, Windows Defender alerts, and SmartScreen.
> (...)
> Consequently, many security programs and application control policies are more inclined to trust programs signed with an EV certificate. For instance, Microsoft's SmartScreen filter, which is utilized by Windows and other Microsoft products, evaluates the reputation of an executable at runtime.
>
> Files signed with an EV certificate typically establish a trustworthy reputation faster than those signed with standard certificates or those that are unsigned. This advantage allows most malware to bypass SmartScreen warnings more effectively.


The malware was propagated via Google Ads, and threat actors were impersonating the Calendly and Rufus applications. As the article explains, EXE/MSI files signed with an EV certificate have more chances to bypass the AV+SmartScreen. If SmartScreen is bypassed, then <WDAC> with SmartScreen backend can often be bypassed in WHHLight. Furthermore, the malware uses high privileges to drop/run a script in the %ProgramFiles% folder, which is whitelisted.
Fortunately, malware Loaders usually use scripting in UserSpace and download some important files from the web. To be stealthy, the download is usually done by LOLBins.

Attack flow:

Google Ad ----> downloaded EV-signed EXE -----> user executes the file and accepts the UAC ----> SmartScreen accepts the EV-signed file ----> two batch scripts dropped/executed ----> first script uses LOLBin (Curl) to download the URL of a malicious server, the second script runs the payload downloaded from that server ----> ....

In this example, the first script was dropped in the UserSpace (user Temp folder) so it could be blocked by <SWH>. The possible connection to a malicious server was disrupted (payloads could not be downloaded).
The second script was dropped in SystemSpace (%ProgramFiles% folder), so it was allowed to run. But there was no payload to run. :)
If the first script was also dropped to SystemSpace, the connection to the malicious server could be disrupted by FirewallHardening (H_C Recommended settings), because the Curl LOLBin is on the blockList.
 
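An added example, not part of the thread and not Hard_Configurator's or FirewallHardening's own code, of the mechanism the post above relies on in its last step: per-program outbound block rules in Windows Defender Firewall, so that a script dropped into the whitelisted %ProgramFiles% folder still cannot pull its payload through curl.exe. The page only states that Curl is on the H_C blockList; the wider list of binaries, the rule-name prefix and the test URL below are assumptions for illustration. Run from an elevated PowerShell.

```powershell
# Added example (not Hard_Configurator / FirewallHardening code).
# Per-program OUTBOUND block rules for download-capable LOLBins. The default outbound
# action of the Windows firewall profiles is Allow, so an explicit Block rule for the
# program path is what actually disrupts the download step of the attack flow above.
# The list below is an assumption for illustration, not the actual H_C blockList.

$lolbins = @(
    'curl.exe',        # the LOLBin named in the post
    'certutil.exe',    # assumption: other common download helpers
    'bitsadmin.exe'
)

$system32 = Join-Path $env:SystemRoot 'System32'
$sysWow64 = Join-Path $env:SystemRoot 'SysWOW64'
$prefix   = 'LOLBin-Block'   # hypothetical rule-name prefix, used to find/remove the rules later

foreach ($exe in $lolbins) {
    # Both the 64-bit and 32-bit copies exist; a rule bound to one path does not cover the other.
    foreach ($dir in @($system32, $sysWow64)) {
        $path = Join-Path $dir $exe
        if (-not (Test-Path $path)) { continue }

        $name = "$prefix $exe ($dir)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }  # idempotent

        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Action Block -Program $path `
            -Profile Any -Enabled True | Out-Null
    }
}

# Verification: list each rule together with the program path it is bound to.
Get-NetFirewallRule -DisplayName "$prefix*" |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Action = $_.Action; Enabled = $_.Enabled }
    } | Format-Table -AutoSize

# Functional check: curl.exe should now fail to reach the (assumed) test URL and return a
# non-zero exit code, which is exactly what would have happened to the first batch script
# in the attack flow if it had been dropped into SystemSpace.
& (Join-Path $system32 'curl.exe') -sS --max-time 5 'https://example.com' -o NUL
"curl.exe exit code: $LASTEXITCODE"

# Cleanup when done testing:
#   Get-NetFirewallRule -DisplayName "$prefix*" | Remove-NetFirewallRule
```

Two caveats a practitioner should keep in mind. The rule is keyed on the program path, so it only helps against loaders that use one of the listed binaries; a script that downloads with PowerShell's own web cmdlets or with a dropped client of its own is not covered by a curl-only rule, which is why the effectiveness of this layer depends on how complete the blockList is. And because the rules live in Windows Defender Firewall, a third-party firewall front end that manages its own rule set may not display them, which is the kind of question raised in the next post.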

7Oz-64
Sorry, I can't find something that I've already read, just to confirm please:

Why can't Windows Firewall Control see the H_C recommended rules of the FirewallHardening tool?

Thanks.
 
