App Review Beginning test of WHH at max settings per Andy Ful + OSArmor + SysHardener + Sysmon in DMZ

Product name
WHH, OSArmor, Windows Defender and Windows Firewall
Installation (rating)
5.00 star(s)
User interface (rating)
5.00 star(s)
Accessibility notes
n/a
Performance (rating)
5.00 star(s)
Core Protection (rating)
3.00 star(s)
Proactive protection (rating)
3.00 star(s)
Additional Protection notes
Note that WHH comes with ConfigureDefender and FirewallHardening. It also comes with Document AntiExploit, which I did not use because no MS Office is on the machine.
Browser protection (rating)
1.00 star(s)
Positives
    • Easy to use
    • Great value for money
Negatives
    • Not as many features as some competitors
Time spent using product
Reviewed for less than 24 hours
Computer specs
AMD Ryzen 5, 8 GB ram, 512 GB SSD. Ethernet USB dongle.
Recommended for
  1. All types of users
Overall rating
3.00 star(s)

Victor M

Thread author
Oct 3, 2022
After I put the test machine online at 12:14am, I went on my main laptop. I did not do anything in addition after it was online.

Victor M

Thread author
Oct 3, 2022
OK. Turn it ON. We will see if something is blocked.
Do you want me to turn the FirewallHardening logging on and then put the test machine online?

I took it offline to examine the machine for intrusion. If there is anything else you want me to do while offline please tell me now. Or else the attacker can come back and really make sure he erased all traces.

Andy Ful

From Hard_Configurator Tools
Developer
Dec 23, 2014
Do you want me to turn the FirewallHardening logging on and then put the test machine online?

Yes. Check if all WHHLight tools and Sysmon work as intended before connecting to the network. Do nothing during the test for one hour (fewer events to inspect). Disconnect from the network and make similar Logs (SWH, WDAC, FirewallHardening, Sysmon). I will look at them. (y)

bazang

Jul 3, 2024
I know that there are sometimes hackers at cafes.
They don't typically attempt to hack into your computer, send malicious emails, or try to get malware onto a victim's system. Direct attacks on Guest network connected devices are not very productive. Therefore, not the attack of choice. A direct attack is on the tinfoil hat fringe section of the attack bell curve.

The threat actors hack into the Guest network (typically targeting the router) and configure themselves as Man-in-the-Middle. They might scan for open ports and look for weaknesses, but what they are after are credentials that they can use, especially in replay attacks.

Although there is a small incidence of direct attacks, I suppose if one is paranoid about them then they harden their systems. I get it. However, it calls into question "Why do people take their mobile devices and do stuff online with valuable info at Starbucks and use its network in the first place?"

Easy enough to resolve: use your mobile phone as a cellular network hotspot. If you have to purchase more data, then is the peace of mind it provides worth it? Or just gamble and use fully unsecured and insecure public Wi-Fi?

Plus, 5 to 15 Euro for various Starbucks drinks should be adequate to deter people from going there, but it is astonishing that there are soooo many people that have a 600 and higher Euro per month Starbucks habit. Those people are not rich. Not even well off. Just a few are.

Victor M

Thread author
Oct 3, 2022
Summary. I will try to answer all the previous unanswered questions.

All the setup and configuration was done with the computer offline, in the order of presentation in the OP. I made sure that the MS Baseline IS a baseline by applying it first, followed by the Cloud Protection modification.

OSArmor has lots of restrictions applied, but they are mostly GUI based. This stops GUI based RATs hopefully. After realizing that the setup missed hardening, I re-did the whole configuration, added SysHardener as the second step, following the MS Baseline & Cloud Protection setup. SysHardener has all settings checkmarked except the uninstallation items. (I think it cannot re-install them.)

Then I followed Andy's screenshots and also set up ConfigureDefender and FirewallHardening as directed.

Then I set up OSArmor and turned on all protections.

Then I set up Sysmon using this XML. It should delete any newly created executables.

<Sysmon schemaversion="4.90">
  <!-- Capture all hashes -->
  <HashAlgorithms>MD5,SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- Block executable file creations -->
    <FileBlockExecutable onmatch="include">
      <TargetFilename condition="begin with">C:</TargetFilename>
    </FileBlockExecutable>
  </EventFiltering>
</Sysmon>

Andy was right, the test is equivalent to having 100 experienced hackers in the cafe. Not careful thinking on my part.

@oldschool, I have already tried Spynetgirl's hardening and WDAC programs. I will be doing further tests and will probably use those.

The network environment was simple. I placed the test laptop directly connected to the modem+router via ethernet and set the DMZ to point to it.

network device exploits, abusing opened ports, DNS poisoning, MITM attacks, firewall exploits, abusing vulnerable protocols or system processes, etc
Andy has these nailed. The attack highly likely involved some of those. And the test machine was ill prepared. But then, these all have to do with the landing. The machine ideally should be able to defend itself after the landing took place. However, the setup was not prepared for the Evasion stage of the attack (see MITRE ATT&CK), where the attacker would be able to assess and find out what defenses are onboard and then work his way around them or deactivate them one after the other.

I am still set on my path to figure out what free tools can remedy the situation best. My fortifiedubuntu.org setup PDF has around 17 technical layers, plus some administrative ones, but that is not an accurate way to measure things across different OSes. But, some of them can be migrated over to Windows. My lazy side is screaming that Windows is a for-pay environment and you have to pay your way to good security. We'll see, we'll see.
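
The Sysmon rule posted above blocks creation of any executable whose path begins with "C:", which also covers legitimate installer and update staging paths. The following added example (not code from the thread or from Sysmon) parses a copy of that config offline and re-implements a subset of Sysmon's TargetFilename conditions, so a defender can check which paths a FileBlockExecutable rule set would block before deploying it. The config text, the paths, and the "exclude wins over include" precedence are constructed/assumed here; the exclude folder is a hypothetical illustration.

```python
"""Added example: evaluate a Sysmon FileBlockExecutable rule set against paths offline."""
import xml.etree.ElementTree as ET

# Constructed copy of the config posted in the thread.
CONFIG_THREAD = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <FileBlockExecutable onmatch="include">
      <TargetFilename condition="begin with">C:</TargetFilename>
    </FileBlockExecutable>
  </EventFiltering>
</Sysmon>"""

# Constructed variant: same block rule plus a hypothetical exclude for the
# Windows Update staging folder, so updates are not blocked.
EXCLUDE_RULE = """    <FileBlockExecutable onmatch="exclude">
      <TargetFilename condition="begin with">C:\\Windows\\SoftwareDistribution\\</TargetFilename>
    </FileBlockExecutable>
  </EventFiltering>"""
CONFIG_WITH_EXCLUDE = CONFIG_THREAD.replace("  </EventFiltering>", EXCLUDE_RULE)

# Subset of Sysmon rule conditions; Sysmon compares case-insensitively.
CONDITIONS = {
    "is": lambda v, p: p == v,
    "is not": lambda v, p: p != v,
    "contains": lambda v, p: v in p,
    "excludes": lambda v, p: v not in p,
    "begin with": lambda v, p: p.startswith(v),
    "end with": lambda v, p: p.endswith(v),
}

def load_rules(config_xml):
    """Return {"include": [(condition, value)...], "exclude": [...]} for TargetFilename rules."""
    rules = {"include": [], "exclude": []}
    root = ET.fromstring(config_xml)
    for node in root.iter("FileBlockExecutable"):
        for r in node.findall("TargetFilename"):
            rules[node.get("onmatch", "include")].append(
                (r.get("condition", "is"), (r.text or "").strip().lower()))
    return rules

def would_block(config_xml, target_filename):
    """True if creating target_filename would be blocked under this config."""
    rules = load_rules(config_xml)
    path = target_filename.lower()
    hit = lambda lst: any(CONDITIONS[c](v, path) for c, v in lst)
    if hit(rules["exclude"]):      # assumed precedence: an exclude match always wins
        return False
    return hit(rules["include"])   # otherwise block only on an include match
```

Run it against the paths that matter in your environment (update caches, browser installers, your own tools) before enabling the rule, since a blocked update shows up as a failed install rather than as an alert.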

piquiteco

Oct 16, 2022
Hello, @Andy Ful, is all good? I don't want to go off topic, and I'll even ask @Victor M for permission without invading his post. How do I report a problem related to Hard_Configurator to you?