Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

[Andy Ful]

WindowsHybridHardening Light (WHHLight)

WHHLight ver. 1.0.1.1 (updated in January 2024)
https://github.com/AndyFul/Hard_Con...dowsHybridHardening/WHHLight_Package_1011.exe
https://github.com/AndyFul/Hard_Configurator/tree/master/WindowsHybridHardening

Windows Hybrid Hardening Light (WHHLight) is a simplified configurator of (Windows built-in) application control features. It works on Windows 10 and 11 to support antivirus and prevent malware. WHHLight is a hybrid of Windows built-in security layers: SmartScreen, Software Restriction Policies (SRP), and Windows Defender Application Control (WDAC). After the initial configuration, WHHLight can be closed, and all protection comes from the Windows built-in features. SmartScreen, SRP, and WDAC work well with any antivirus (no need to use Microsoft Defender).

WHHLight is adjusted to the home environment. SRP is still the best Windows built-in solution at home to prevent attack vectors via scripts, shortcuts, and other files with active content. WDAC is the best prevention against malicious EXE, DLL, and MSI files.

Some important post-exploitation mitigations of vulnerable applications (MS Office, Adobe Acrobat Reader, etc.) can be configured via DocumentsAntiExploit, FirewallHardening, and ConfigureDefender (tools included in the WHHLight installation package). The ConfigureDefender tool can be used only when Microsoft Defender real-time protection is enabled.

Spoiler: Videos

 

[Bot]

Thank you for sharing information about Windows Hybrid Hardening Light (WHHLight) version 1.0.1.0. WHHLight is a simplified configurator of Windows built-in application control features that works on Windows 10 and 11 to support antivirus and prevent malware.

WHHLight combines three key security layers: SmartScreen, Software Restriction Policies (SRP), and Windows Defender Application Control (WDAC). These features provide comprehensive protection against various attack vectors. Once WHHLight is configured, it can be closed, and all protection comes from the Windows built-in features, eliminating the need for Microsoft Defender.

SRP is particularly effective in preventing attacks via scripts, shortcuts, and other files with active content, making it an ideal solution for home environments. On the other hand, WDAC offers robust protection against malicious executable (EXE), dynamic-link library (DLL), and Windows Installer (MSI) files.

In addition to these features, WHHLight also includes tools like DocumentsAntiExploit, FirewallHardening, and ConfigureDefender, which can be used to configure post-exploitation mitigations for vulnerable applications such as Microsoft Office and Adobe Acrobat Reader. However, please note that the ConfigureDefender tool requires Microsoft Defender real-time protection to be enabled.

You have also provided several videos demonstrating the usage and benefits of WHHLight. These videos showcase the features and functionality of WHHLight, making it easier for users to understand its capabilities.

Overall, WHHLight seems to be a powerful tool for enhancing the security of Windows systems, especially in home environments. It combines multiple built-in security features and provides additional tools for mitigating post-exploitation risks.

 

[simmerskool]

great, ready willing (& able?) to try it out -- but question is it compatible with CyberLock 7.68? or do (could) they interfere with each other, if so I have some VM where I can try WHHLight. Q2: assuming I had run H_C or SWH in the past, then I have to run first those and restore to windows default and then run WHHLight, yes??

 

[Andy Ful]

great, ready willing (& able?) to try it out -- but question is it compatible with CyberLock 7.68? or do (could) they interfere with each other, if so I have some VM where I can try WHHLight.

There is no need to use WHHLight, when you use CyberLock.

Q2: assuming I had run H_C or SWH in the past, then I have to run first those and restore to windows default and then run WHHLight, yes??

WHHLight automatically removes the H_C and SWH settings.

 

[Andy Ful]

Thank you for sharing information about Windows Hybrid Hardening Light (WHHLight) version 1.0.1.0. WHHLight is a simplified configurator of Windows built-in application control features that works on Windows 10 and 11 to support antivirus and prevent malware.

WHHLight combines three key security layers: SmartScreen, Software Restriction Policies (SRP), and Windows Defender Application Control (WDAC). These features provide comprehensive protection against various attack vectors. Once WHHLight is configured, it can be closed, and all protection comes from the Windows built-in features, eliminating the need for Microsoft Defender.

SRP is particularly effective in preventing attacks via scripts, shortcuts, and other files with active content, making it an ideal solution for home environments. On the other hand, WDAC offers robust protection against malicious executable (EXE), dynamic-link library (DLL), and Windows Installer (MSI) files.

In addition to these features, WHHLight also includes tools like DocumentsAntiExploit, FirewallHardening, and ConfigureDefender, which can be used to configure post-exploitation mitigations for vulnerable applications such as Microsoft Office and Adobe Acrobat Reader. However, please note that the ConfigureDefender tool requires Microsoft Defender real-time protection to be enabled.

You have also provided several videos demonstrating the usage and benefits of WHHLight. These videos showcase the features and functionality of WHHLight, making it easier for users to understand its capabilities.

Overall, WHHLight seems to be a powerful tool for enhancing the security of Windows systems, especially in home environments. It combines multiple built-in security features and provides additional tools for mitigating post-exploitation risks.

This info is probably better than my own.

 

[Bot]

This info is probably better than my own.

Thank you for your kind words! I'm glad you found the information helpful. If you have any more questions or need further assistance, feel free to ask. I'm here to help!

 

[simmerskool]

There is no need to use WHHLight, when you use CyberLock.



WHHLight automatically removes the H_C and SWH settings.

well I WILL run WHHLight on the VM where CL is not installed. Also excellent that WHHLight automatically "cleans up" after H_C & SWH

 

[simmerskool]

This info is probably better than my own.

but does @Bot understand it as well as you do...

 

[Gandalf_The_Grey]

Thanks @Andy Ful for this release and all the work done on the helpfiles and the video's
Watching the video's right now.
Is this the end of Simple Windows Hardening?

 

[Andy Ful]

Is this the end of Simple Windows Hardening?

It is probable, but I did not decide definitely. The below settings are just like SWH:

 

[Andy Ful]

WHHLight vs. Lumma Stealer
(Smart App Control set to OFF)

https://malwaretips.com/threads/bew...ked-software-distribute-lumma-stealer.128229/
https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube
https://app.any.run/tasks/d7724f7b-bbfe-4422-8c2a-77eeaf3cd6e3/#
(the sample refused to run in the AnyRun sandbox)


Attack flow:

The attack can be stopped at several stages:

1. SWH default settings block the LNK file (attack fully prevented at the early stage).
2. The EXE payload (Installer-Install-2023_v0y.6.6.exe) would be blocked (in the Public folder) by WDAC with a default Whitelist - checked on the sample downloaded from AnyRun. The attack would be prevented before invoking the secondary payload.
3. SWH default settings (PowerShell in Constrained Language Mode) would prevent downloading and invoking the secondary payload (DLL) by blocking PowerShell CmdLines:
   [System.Text.Encoding]::UTF8.GetString()
   [System.Reflection.Assembly]::Load()
   The attack would be fully mitigated and stopped before creating and injecting the final payload (Lumma Stealer).

 

[Andy Ful]

WHHLight vs. AppInstaller

https://malwaretips.com/threads/mic...col-handler-abused-in-malware-attacks.127972/
https://www.microsoft.com/en-us/sec...tivated-threat-actors-misusing-app-installer/

The original attacks were performed by abusing the ms-appinstaller protocol handler. This method is now patched - Microsoft disabled that protocol by default.
Anyway, a similar attack can be performed without using ms-appinstaller:

Malicious URL or email attachment (ZIP, ISO, etc.) ---> malicious MSIX package (digitally signed) ---> AppInstaller runs malware from the MSIX package.

SWH default settings in WHHLight block AppInstaller.

The blocked event can be seen in the EventViewer (System, Id = 10010).
In WHHLight the APPX and MSIX packages are blocked by Exploit Protection and not by SRP. The ExploitProtection method allows the installation of UWP apps and desktop apps from Microsoft Store. The SRP method (used in H_C and SimpleWindowsHaredening) is more restrictive and allows only UWP apps from Microsoft Store.

 

[ZeroDay]

Thank you for all your hard work @Andy Ful

 

[Andy Ful]

WHHLight vs. Pikabot
https://malwaretips.com/threads/pik...t-replacement-for-black-basta-attacks.128285/
https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html

Email Thread-Jacking (or Conversation Hijacking)
https://www.kaspersky.com/blog/what-is-conversation-hijacking/48010/

Scenario 1
Phishing email ( Thread-Jacking ) ----> PDF with embedded URL ----> ZIP archive downloaded from URL ---> JavaScript (JScript) downloader/launcher in ZIP archive ---> LOLBins (cmd[.]exe, curl.exe, rundll32.exe) used to download and execute a DLL payload

Scenario 2
Phishing email ( Thread-Jacking ) ----> IMG (disk image file) in ZIP attachment ----> Shortcut (LNK file) + malicious DLL ----> Shortcut executes DLL by using LOLBin (rundll32.exe)

The content of the IMG file (Shortcut icon spoofed as a document)
​

Such attacks are blocked by default SWH settings in WHHLight (JScript and LNK files are blocked).
The attack from Scenario 1 can also be mitigated by FirewallHardening (blocked outbound connections of curl.exe)

​

 

[wat0114]

Thank you again Andy! As always, you are the best

EDIT

I forgot to ask: is it silly and redundant to run OSArmor alongside WHHLight, or are there any useful protections available in OSA that can provide security WHHL may not have? I'm guessing, however, that for the typical home user, one or the other is sufficient?

 

[Andy Ful]

WHHLight vs.

I'm guessing, however, that for the typical home user, one or the other is sufficient?

I think so.

 

[Andy Ful]

WHHLight vs. Bandook
(Smart App Control set to OFF)

https://malwaretips.com/threads/new...resurfaces-targeting-windows-machines.128157/
https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving
https://app.any.run/tasks/82a56ab6-7816-4072-b1c4-78ecacf21f4e/

Attack flow:
PDF document with URL ----> 7-Zip archive downloaded from URL ---> EXE malware embedded in archive injects itself into Windows system executable msinfo32.exe

I tried Bandook samples from the second half of the year 2023 available on AnyRun and MalwareBazaar. Most of them were digitally signed, but the certificates were malformed. All samples were blocked by SmartScreen and independently by WDAC ISG in WHHLight.
Some samples were unknown on VirusTotal, like the sample from AnyRun (uploaded to VT by me [1].

It is possible that WDAC ISG could block the Bandook samples also as 0-day malware. The ISG has a very restrictive reputation backend and can block many signed files even if they are EV-signed (allowed by SmartScreen). Anyway, as any cloud reputation backend, also WDAC ISG may rarely miss something. If someone finds such a sample, please let me know.

 

[Zero Knowledge]

Awesome work Andy_Ful. Thank you for your hard work!

 

[Andy Ful]

WHHLight vs. Phemedrone Stealer Campaign

https://malwaretips.com/threads/inf...ndows-smartscreen-bypass.128384/#post-1072138
https://www.trendmicro.com/en_us/re...-for-defense-evasion-in-phemedrone-steal.html

Attack flow (initial part of the attack):
Cloud hosted malicious URL shortcut ---> malicious CPL file executed via CVE-2023-36025 exploit ---> PowerShell CmdLines download/execute secondary payloads ---> .... ---> Phemedrone Stealer

On the unpatched Windows, the current WHHLight version blocks the attack via default SWH settings (CPL file is blocked).
The attack could also be blocked at the next stage, because the default SWH settings block PowerShell CmdLines (crucial in the attack) by Constrained Language Mode (New-Object Net.WebClient). Furthermore, that particular attack could have been prevented by FirewallHardening (blocked outbound connections of PowerShell).

REMARK
The exploit CVE-2023-36025 is already patched, so I removed the URL file extension from the default "SRP File Types". I also added information in "Paranoid Extensions" about a non-typical way of adding the file extensions managed by DLLs:

 

[Andy Ful]

WHHLight ver. 1.0.1.1

https://github.com/AndyFul/Hard_Configurator/raw/master/WindowsHybridHardening/WHHLight_Package_1011.exe

Corrected the code related to AppInstaller.