Serious Discussion Any replacements for Microsoft Defender Exploit Protection?

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
418
Hi Everyone,

I recently deployed Windows Defender Exploit Protection for all my applications that are allowed through the firewall. This is in accordance with PCI DSS 2.5.5b. It is mediocre protection I know, but it stopped my red team for half an hour. Are there any commercial programs that do this kind of thing? I know there is MalwareBytes Anti-Exploit, but it only protects a few apps chosen by them. Are there any others who implement Windows Defender Exploit Protection's methods but in a more reliable way? The apps that I allow through the firewall are few, and they are these: WWAHost, AuthHost, smartscreen, deviceCensus, MSEdge, svchost, NcsiUwpApp, Recommended Troubleshooting Client and SecHealthUI. All of them are Windows native exe's. My red team is obviously targeting one or two of those apps or else they wouldn't have been stuck.

By the way, OpenEDR is great and has good and useful alerts. And I like their Comodo AV's App Container. My red team has yet to penetrate that.
 
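The thread author describes applying Exploit Protection to a short list of firewall-allowed Microsoft binaries. The script below is an added example, not code from any poster or from Microsoft; it uses only the built-in ProcessMitigations cmdlets (Set-ProcessMitigation, Get-ProcessMitigation) and assumes an elevated session on Windows 10 1709 or later. The process names are the ones named in the post where the exe name is known; "Recommended Troubleshooting Client" is left out because the post gives only its display name. The point a practitioner would want, beyond the post, is separating mitigations that are safe to enforce on Microsoft-signed code from those (dynamic code, image-load restrictions) that should go to audit first, since svchost.exe hosts many services and one broken service takes the rest with it.

```powershell
# Added example, not from the thread. Requires an elevated PowerShell session
# on Windows 10 1709+ / Windows 11 (ProcessMitigations module ships in-box).

# Firewall-allowed binaries named in the post (exe names assumed from the
# display names the post gives).
$targets = @(
    'WWAHost.exe', 'AuthHost.exe', 'smartscreen.exe', 'DeviceCensus.exe',
    'msedge.exe', 'svchost.exe', 'NcsiUwpApp.exe', 'SecHealthUI.exe'
)

# Mitigations that are broadly safe to enforce on Microsoft-signed binaries.
$enforce = @('DEP', 'SEHOP', 'ForceRelocateImages', 'BottomUp', 'HighEntropy',
             'DisableExtensionPoints', 'BlockRemoteImageLoads')

# Mitigations that can break svchost-hosted services or a browser JIT, so they
# start in audit mode; hits are logged to
# Microsoft-Windows-Security-Mitigations/UserMode instead of being blocked.
$auditFirst = @('AuditDynamicCode', 'AuditMicrosoftSigned')

function Set-HardenedMitigations {
    param([string[]]$ProcessNames)
    foreach ($name in $ProcessNames) {
        # Per-process overrides are written under the IFEO-style registry
        # location that Exploit Protection reads at process start.
        Set-ProcessMitigation -Name $name -Enable ($enforce + $auditFirst)
    }
}

function Get-MitigationSummary {
    param([string[]]$ProcessNames)
    foreach ($name in $ProcessNames) {
        # Property names follow the sections Get-ProcessMitigation prints
        # (Dep, Aslr, SEHOP, ...); each value is ON, OFF or NOTSET.
        $m = Get-ProcessMitigation -Name $name
        [pscustomobject]@{
            Process       = $name
            DEP           = $m.Dep.Enable
            SEHOP         = $m.SEHOP.Enable
            ForceRelocate = $m.Aslr.ForceRelocateImages
            BottomUp      = $m.Aslr.BottomUp
            HighEntropy   = $m.Aslr.HighEntropy
        }
    }
}

function Export-MitigationPolicy {
    param([string]$Path)
    # Writes every per-process override to XML, the same format the
    # Windows Security app imports and exports, so the baseline is
    # reproducible on the next box or after a System Restore.
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Get-ProcessMitigation -RegistryConfigFilePath $Path
}

function Import-MitigationPolicy {
    param([string]$Path)
    Set-ProcessMitigation -PolicyFilePath $Path
}

Set-HardenedMitigations -ProcessNames $targets
Get-MitigationSummary -ProcessNames $targets | Format-Table -AutoSize
Export-MitigationPolicy -Path "$env:ProgramData\ExploitProtection\baseline.xml"
```

After the audit period, review the Security-Mitigations event log; if a process never tripped an audit event, promote that mitigation from its Audit variant to the enforcing one (for example AuditDynamicCode to BlockDynamicCode) for that process only, re-export, and keep the XML under version control alongside the firewall rule list.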

SpyNetGirl

Level 3
Well-known
Jan 30, 2023
113
Hi,
I use exploit protections in the Microsoft Defender category here:

I apply them to system components and some 1st/3rd party programs.

This is only one layer of security and doesn't have to stop any attacks on its own, it's just one piece of the puzzle. If you want to give your red team a realistic challenge I suggest using the Harden Windows security module, apply all of the categories, and then let them penetration test your system, with Standard user privileges of course.

Here is a document about pentesting using my module:

Let me know if you have any feedback/questions!
 

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
418
Hi @SpyNetGirl ,

We meet again. My other layers of protection currently on that box are some hardened/disabled services, SRP, and some group policy items. The main defenses are Comodo's Internet Security which is packaged and free from OpenEDR, and Cyber Lock. This configuration is deployed because I want to test out the recommended configuration of OpenEDR. The Cyber Lock piece is a protection that I always deploy so I left it on.

I tried to deploy MS Security Baseline also but it conflicts with Comodo - system won't boot. I think it is due to one group policy item which disallows turning off Windows Defender. I will try again tomorrow and disable that item and see if that works.

Does it take a long time to understand how to use your hardening?
 

SpyNetGirl

Level 3
Well-known
Jan 30, 2023
113
Hi @SpyNetGirl ,

We meet again. My other layers of protection currently on that box are some hardened/disabled services and some group policy items. The main defenses are Comodo's Internet Security which is packaged and free from OpenEDR, and Cyber Lock. This configuration is deployed because I want to test out the recommended configuration of OpenEDR. The Cyber Lock piece is a protection that I always deploy so I left it on.

I tried to deploy MS Security Baseline also but it conflicts with Comodo - system won't boot. I think it is due to one group policy item which disallows turning off Windows Defender. I will try again tomorrow and disable that item and see if that works.

Does it take a long time to understand how to use your hardening?

Hi,
No, it doesn't take long at all, the GitHub readme explains every single hardening measure it applies with links to official documents for further reading.
The time it takes to apply them is just a few seconds. I can assure you that if you use it you will be far more secure than using Comodo or Cyber Lock.

The hardening measures the module uses are industry standards and constantly proven to stop kill chains in the attacks. Many of the threat actor reports published by Microsoft security intelligence suggest using these measures. It is totally worth the time to go through the hardening measures and get familiar with them.

But they are not compatible with 3rd party security solutions. They need to be in full control. You can do a cost assessment and see how it will benefit you to use the policies for free and if you need EDR/SIEM capabilities then use Defender for Endpoint or Sentinel.

The good thing is that it's plain-text PowerShell code so you can integrate and automate it easily with other tools such as Intune, SCCM etc. I recently added CSPs for all of the hardening measures in the Readme.
 

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
418
I forgot to mention that I am not using Comodo's firewall. It has a few rules that I couldn't figure out what the allowed exe's are - it's just a generic name. So I fall back on Windows's own firewall, outbound set to disallow, with MalwareBytes Windows Firewall Control.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,178
It is not possible to stop the RedTeams, except when making the computer unusable.
Your RedTeam most probably exploits or abuses Svchost by injecting the DLL or shellcode.

You can try to identify what is exploited by using the combination of Hard_Configurator (set to block also Administrators + block all LOLBins) and strict WDAC policy (only Windows and Microsoft binaries allowed, dynamic code trust, no ISG). Do not forget to make a System Restore Point. This setup should be applied before the RedTeam attack. Next, you must inspect the H_C security log and WDAC events.
Your RedTeam probably knows your Admin credentials, Microsoft Account passwords (and others too), so it will be hard to prevent their actions.

Edit.
I am not sure if you are on the right way. You should not focus on stopping your RedTeam but rather on using the setup that can demotivate other RedTeams and hackers.
 
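Andy Ful's suggestion ends with inspecting the logs after the engagement. The script below is an added example, not code from the thread or from the Hard_Configurator project, covering the two Windows-native logs involved: the Exploit Protection channels (Microsoft-Windows-Security-Mitigations/UserMode and /KernelMode) and the WDAC Code Integrity channel, where event 3076 records an audit-mode hit and 3077 an enforced block. It assumes an elevated session and that the 3076/3077 EventData fields are named FileNameBuffer and ProcessNameBuffer, as in the published event schema; the Hard_Configurator log has its own format and is not parsed here.

```powershell
# Added example, not from the thread. Run elevated after the test window.
$since = (Get-Date).AddHours(-24)   # constructed window; match it to the engagement length

function Get-ExploitProtectionEvents {
    param([datetime]$StartTime)
    # Exploit Protection writes one event per mitigation hit, audit or
    # enforced, to these two channels.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = @('Microsoft-Windows-Security-Mitigations/UserMode',
                      'Microsoft-Windows-Security-Mitigations/KernelMode')
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    # Group on event ID plus the first message line (which names the
    # mitigation) so repeated hits on one process surface as a count.
    $events | Group-Object -Property Id, { ($_.Message -split "`n")[0] } |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count   = $_.Count
                Id      = $_.Group[0].Id
                Summary = ($_.Group[0].Message -split "`n")[0].Trim()
                Latest  = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
            }
        }
}

function Get-WdacBlockEvents {
    param([datetime]$StartTime)
    # 3076: the policy would have blocked this file (audit mode).
    # 3077: the policy did block it (enforced).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = @(3076, 3077)
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the blocked file and the loading process from the event XML.
        # Field names (FileNameBuffer, ProcessNameBuffer) are assumed from the
        # 3076/3077 schema; fall back to the rendered message if absent.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 3077) { 'Enforced' } else { 'Audit' }
            File    = if ($data['FileNameBuffer']) { $data['FileNameBuffer'] } else { $e.Message }
            Process = $data['ProcessNameBuffer']
        }
    }
}

Get-ExploitProtectionEvents -StartTime $since | Format-Table -AutoSize
Get-WdacBlockEvents -StartTime $since | Sort-Object File -Unique | Format-Table -AutoSize
```

Reading the two tables together answers the question the thread is circling: a Security-Mitigations entry for svchost.exe shows which mitigation fired and whether it was only audited, and a 3076/3077 row whose Process column is svchost.exe shows what file it was made to load. Take the snapshot before rolling back to the restore point, since the rollback discards the event logs along with everything else.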

B-boy/StyLe/

Level 3
Verified
Well-known
Mar 10, 2023
147
Btw only for the protocol Appcheck also has Anti-Exploit, but I didn't use it for a while, so I am not sure if you can add custom programs in the newer version. In the older ones, there wasn't such an option.


Now Win 10/11 have built-in anti-exploit but in the past one should have used EMET. But it has been end of life since 2018.
Back in the time 2011-2012, there was an application called Crystal Anti-Exploit Protection as well. But this is only for the protocol as well. :)
 

[correlate]

Level 18
Top Poster
Well-known
May 4, 2019
800
Hi,
I use exploit protections in the Microsoft Defender category here:

I apply them to system components and some 1st/3rd party programs.

This is only one layer of security and doesn't have to stop any attacks on its own, it's just one piece of the puzzle. If you want to give your red team a realistic challenge I suggest using the Harden Windows security module, apply all of the categories, and then let them penetration test your system, with Standard user privileges of course.

Here is document about pentesting using my module:

Let me know if you have any feedback/questions!
Harden's solution is safe and effective
I'm grateful to find people like you ;)
 

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
418
Hi

I have good and bad news to report. The good news is that MalwareBytes Anti-Exploit does add to the security of all apps mentioned in the firewall rules - it took my red team 3-4 hours to get past that. The bad news is that they did get through. So I will keep MBAE in my defense arsenal. Mind you, that is 2 anti-exploit layers - MS Defender Exploit Protection and MBAE.
 

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
418
Hi @Kongo ,

As I remember it, HitmanPro Alert does not have any options to add other programs to be protected, it only protects the few things it has built in, mainly browsers. But I may be wrong.
 
