- Dec 23, 2014
- 8,852
OK. Turn it ON. We will see if something is blocked.
Beginning test of WHH at max settings per Andy Ful + OSArmor + SysHardener + Sysmon in DMZ
- Thread starter Victor M
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
OK. Turn it ON. We will see if something is blocked.
- Dec 23, 2014
- 8,852
It looks like you tried to install some tools. Did you turn off some WHHLight settings during the test?
Did you look into the OSArmor Log?
Did you look into the OSArmor Log?
- Oct 3, 2022
- 786
After I put the test machine onlime at 12:14am, I went on my main laptop. I did not do anything in addition after it was online.
- Oct 3, 2022
- 786
Do you want me to turn the frewallhardning logging on and then put the test machine online?
I took it offline to examine the machine for intrusion. If there is anything else you want me to do while offline please tell me now. Or else the attacker can come back and really make sure he erased all traces.
- Dec 23, 2014
- 8,852
Yes. Check if all WHHLight tools and Sysmon work as intended before connecting to the network. Do nothing during the test for one hour (fewer events to inspect). Disconnect from the network and make similar Logs (SWH, WDAC, FirewallHardening, Sysmon). I will look at them.
- Oct 3, 2022
- 786
Hi @Andy Ful , Round 2 results sent via PM.
bazang
Level 13
- Jul 3, 2024
- 605
They don't typically attempt to hack into your computer, send malicious emails, or try to get malware onto a victim's system. Direct attacks on Guest network connected devices are not very productive. Therefore, not the attack of choice. A direct attack is on the tinfoil hat fringe section of the attack bell curve.
The threat actors hack into the Guest network (typically targeting the router) and configure themselves as Man-in-the-Middle. They might scan for open ports and look for weaknesses, but what they are after are credentials that they can use, especially in replay attacks.
Although there is a small incidence of direct attacks. I suppose if one is paranoid about them then they harden their systems. I get it. However, it calls into question "Why do people take their mobile devices and do stuff online with valuable infos at Starbucks and use its network in the first place?"
Easy enough to resolve, use your mobile phone as a cellular network hotspot. If you have to purchase more data then is the peace-of-mind it provides worth it? Or just risk gamble and use fully unsecured and insecure public Wifi?
Plus, 5 to 15 Euro for various Starbucks drinks should be adequate to deter people from going there, but it is astonishing that there are soooo many people that have a 600 and higher Euro per month Starbucks habit. Those people, are not rich. Not even well off. Just a few are.
Last edited:
- Dec 23, 2014
- 8,852
- Oct 3, 2022
- 786
Summary. I will try to answer all the previous unanswered questions.
All the setup and configuration was done with the computer offline, in the order of presentation in the OP. I made sure that the MS Baseline IS a baseline by applying it first, followed by the Cloud Protectiion modification.
OSArmor has lots of restrictions applied, but they are mostly GUI based. This stops GUI based RATs hopefully. After realizing that the setup missed hardening, I re-did the whole configuration, added SysHardener as the second step, following the MS Baseline & Cloud Protection setup.'' SysHardener has all settings checkmarked except the uninstallation items. ( I think it can not re-install them )
Then I followed Andy's screenshots and also setup ConfigureDefender and FirewallHardening as directed.
Then I setup OSArmor and turned on all protections.
Then I setup Sysmon using this xml. It should delete any newly created executables.
<Sysmon schemaversion="4.90">
<!-- Capture all hashes -->
<HashAlgorithms>MD5,SHA256</HashAlgorithms>
<EventFiltering>
<!-- Block executable file creations -->
<FileBlockExecutable onmatch="include">
<TargetFilename condition="begin with">C:</TargetFilename>
</FileBlockExecutable>
</EventFiltering>
</Sysmon>
Andy was right, the test is equivalent to having 100 experienced hackers in the cafe. Not careful thinking on my part.
@oldschool, I have already tried Spynetgirl's hardening and WDAC programs. I will be doing further tests and will proabably use those.
The network environment was simple. I placed the test laptop directly connected to the modem+router via ethernet and set the DMZ to point to it.
I am still set on my path to figure out what free tools can remedy the situation best. My fortifiedubuntu.org setup PDF has around 17 technical layers, plus some administrative ones, but that is not an accurate way to measure things accross different OS's. But, some of them can be migrated over to Windows. My lazy side is screaming that Windows is a for-pay environment and you have to pay your way to good security. We'll see, we'll see.
All the setup and configuration was done with the computer offline, in the order of presentation in the OP. I made sure that the MS Baseline IS a baseline by applying it first, followed by the Cloud Protectiion modification.
OSArmor has lots of restrictions applied, but they are mostly GUI based. This stops GUI based RATs hopefully. After realizing that the setup missed hardening, I re-did the whole configuration, added SysHardener as the second step, following the MS Baseline & Cloud Protection setup.'' SysHardener has all settings checkmarked except the uninstallation items. ( I think it can not re-install them )
Then I followed Andy's screenshots and also setup ConfigureDefender and FirewallHardening as directed.
Then I setup OSArmor and turned on all protections.
Then I setup Sysmon using this xml. It should delete any newly created executables.
<Sysmon schemaversion="4.90">
<!-- Capture all hashes -->
<HashAlgorithms>MD5,SHA256</HashAlgorithms>
<EventFiltering>
<!-- Block executable file creations -->
<FileBlockExecutable onmatch="include">
<TargetFilename condition="begin with">C:</TargetFilename>
</FileBlockExecutable>
</EventFiltering>
</Sysmon>
Andy was right, the test is equivalent to having 100 experienced hackers in the cafe. Not careful thinking on my part.
@oldschool, I have already tried Spynetgirl's hardening and WDAC programs. I will be doing further tests and will proabably use those.
The network environment was simple. I placed the test laptop directly connected to the modem+router via ethernet and set the DMZ to point to it.
Andy has these nailed. The attack highly likely involved some of those. And the test machine was ill prepared. But then, these all have to do with the landing. The machine idealy should be able to defend itself after the landing took place. However, the setup was not prepared for the Evasion stage of the attack ( see Mitre Att&ck) where the attacker would be able to assess and find out what defenses are onboard and then work his way around them or deactivate them one after the other.
I am still set on my path to figure out what free tools can remedy the situation best. My fortifiedubuntu.org setup PDF has around 17 technical layers, plus some administrative ones, but that is not an accurate way to measure things accross different OS's. But, some of them can be migrated over to Windows. My lazy side is screaming that Windows is a for-pay environment and you have to pay your way to good security. We'll see, we'll see.
Last edited:
- Oct 16, 2022
- 632
- Dec 23, 2014
- 8,852
You can post in the H_C thread:
Hard_Configurator - Windows Hardening Configurator
Post updated in January 2025. The current version can be downloaded from GitHub: https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_setup_7.0.0.1.exe The previous version can be downloaded from Softpedia...
malwaretips.com
- Dec 23, 2014
- 8,852
Yes, the setup must be done in a specific order to avoid conflicts and misconfiguration.
- MS Baseline + some policies must be reset to Not Configured to avoid conflict with WHHLight
- WHHLight + tools
- OSARmor
- Sysmon
Some more work must be done to avoid conflicts. For example:
- In some cases, OSARmor blocks viewing the Logs from WHHLight tools (notepad blocked due to high privileges),
- Sysmon can block WHHLight tools,
- Sysmon will block OSARmor and WHHLight updates.
Last edited:
bazang
Level 13
- Jul 3, 2024
- 605
The user needs an implementation procedure documented otherwise they cannot determine what is conflicting with what by using a reverse procedure to make the determination.
Often I see this sort of over-lapping & potentially conflicting security configuration result in the system having to clean install Windows and then rebuilt it.
- Oct 3, 2022
- 786
I understand all that already.
There are specific steps I follow in sequence in order to disable protection when I do investigation or other things.
I am following defense in depth and overlaps in protection is by choice.
Last edited:
- Oct 3, 2022
- 786
One thing that I informed Andy about but did not post in this thread is that VCRuntime140_1.dll has a popup by an app announcing that it is missing at reboot. This can have serious concequences as security programs can break. Hackers are resourceful and will find weaknesses t to exploit where you least expect it.
- Dec 23, 2014
- 8,852
- Oct 3, 2022
- 786
The firewall was at default settings, I did not modify anything.( I trust Microsoft knows best !!?? ) I didn't configure the firewall because I only know how to toggle swtiches in apps.
) I didn't configure the firewall because I only know how to toggle swtiches in apps.
Last edited:
Similar threads
