I am not trying to convince anybody to do anything nor am I promoting anything. I have no incentive to convince anyone to do anything. I could care less what they do.
My replies were directed only to @Andy Ful and not anybody else.
Hard_Configurator - Windows Hardening Configurator
- Thread starter Andy Ful
- Start date
My replies were directed only to @Andy Ful and not anybody else.
Nope you replied to me in this post and only replied to fun fact 3 and ignored the two fun facts in this post
This is not the typical behavior of a compliance officer "I am not trying to convince anybody to do anything nor am I promoting anything. I have no incentive to convince anyone to do anything. I could care less what they do.", no wonder the 10.000 to hundred thousends endpoints you oversee are a mess.
Last edited by a moderator:
Nobody replied to you. It was to correct your misinformation.
You should stop getting triggered by what others say or do here at MT and focus on your data entry job.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,488
Guys, this interesting discussion becomes more and more personal. I know from experience on MT, that some posts can be interpreted differently by readers and sometimes a particular post does not exactly reflect what really the author thinks. We discussed the necessity of blocking LOLBins in H_C at home on Windows 10+. I think that all of us can agree with:
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-1032445
Of course, this will not remove some differences in how we think about security, but this thread is not for that.
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-1032445
Of course, this will not remove some differences in how we think about security, but this thread is not for that.
I had hoped, I could hangout with important piepels (dutch for people) overseeing hundred thousends of endpoints, what was I thinking? I Will do as I am told and focus on my data entry job
Last edited by a moderator:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,488
Code integrity guard (for powershell.exe or powershell_ise.exe) ensures that all binaries loaded or injected into a powershell.exe or powershell_ise.exe process are digitally signed by Microsoft.What effect does configuring powershell.exe and powershell_ise.exe with Code Integrity Guard in Exploit Protection?I believe @Max90 uses this in his config.
This can help to mitigate some attacks, but most attacks use PowerShell in a different way.
For example, when PowerShell code runs rundll32 LOLBin to execute a DLL payload, the CIG does not check the DLL payload. It will be executed even if you protect powershell.exe via CIG. You should use CIG for rundll32.exe to block that DLL payload.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,488
It would be interesting to see how invasive can be the CIG mitigation for rundll32.exe and regsvr32.exe. These LOLBins are commonly used in attacks.
The blocks can be controlled via Event Viewer (ID = 12):
Applications and Services\Microsoft\Windows\Security-Mitigations\Kernel Mode
Applications and Services\Microsoft\Windows\Security-Mitigations\User Mode
The blocks can be controlled via Event Viewer (ID = 12):
Applications and Services\Microsoft\Windows\Security-Mitigations\Kernel Mode
Applications and Services\Microsoft\Windows\Security-Mitigations\User Mode
Last edited:
@Andy Ful and @oldschool
I have enabled Code Integrity Guard for
a) Important system processes also running at Medium IL
svchost.exe
explorer.exe
sihost.exe
dllhost.exe
UserOOBEBroker.exe
RuntimeBroker.exe
ApplicationFrameHost.exe
b) Powerful system processes (are blocked to run as standard user by SRP)
rundll32.exe (running DLL's)
regsvr32.exe (registering DLL's)
regini (setting/changing registry values/permission)
cacls and icacls.exe (setting file permissions)
forfiles (passing arguments/commands to files)
powershell.exe (it is the only command processor I have not disabled)
c) Processes which are nearly always running (and might be tempted to target by a sarcastic malware writer)
smartscreen.exe
SecurityHealthSystray.exe
widgets.exe
d) Windows processes easy to target, because every Windows PC has them
Write.exe
Notepad.exe
MSpaint.exe
Calc.exe
e) Microsoft Office programs and Edge broker process (renderer has SIG enabled by default) for same reason (most of corporate PC's have them)
This is only possible when you use Microsoft Defender as Antivirus, because many 3p Antivirus inject DLL's in vulnarable processes.
This is based on information I found on a website for admins (I forgot which) where admins shared info on which processes could be added to Code Integrity without running into performance or compatibilty problems. When I recall correctly they used three two for selecting the processes
1. System processes to important not to run in a pristine state (only running Microsoft signed or co-signed stuff) = (my a and b)
2. Processes nearly always running in medium IL (= my c) or installed (my d and e) these are the often attacked because malware writers know they are on a PC.
They considered the best prestine state as running virtualized, the second as Protected Process and third with Code Integrity Guard
I have enabled Code Integrity Guard for
a) Important system processes also running at Medium IL
svchost.exe
explorer.exe
sihost.exe
dllhost.exe
UserOOBEBroker.exe
RuntimeBroker.exe
ApplicationFrameHost.exe
b) Powerful system processes (are blocked to run as standard user by SRP)
rundll32.exe (running DLL's)
regsvr32.exe (registering DLL's)
regini (setting/changing registry values/permission)
cacls and icacls.exe (setting file permissions)
forfiles (passing arguments/commands to files)
powershell.exe (it is the only command processor I have not disabled)
c) Processes which are nearly always running (and might be tempted to target by a sarcastic malware writer)
smartscreen.exe
SecurityHealthSystray.exe
widgets.exe
d) Windows processes easy to target, because every Windows PC has them
Write.exe
Notepad.exe
MSpaint.exe
Calc.exe
e) Microsoft Office programs and Edge broker process (renderer has SIG enabled by default) for same reason (most of corporate PC's have them)
This is only possible when you use Microsoft Defender as Antivirus, because many 3p Antivirus inject DLL's in vulnarable processes.
This is based on information I found on a website for admins (I forgot which) where admins shared info on which processes could be added to Code Integrity without running into performance or compatibilty problems. When I recall correctly they used three two for selecting the processes
1. System processes to important not to run in a pristine state (only running Microsoft signed or co-signed stuff) = (my a and b)
2. Processes nearly always running in medium IL (= my c) or installed (my d and e) these are the often attacked because malware writers know they are on a PC.
They considered the best prestine state as running virtualized, the second as Protected Process and third with Code Integrity Guard
Last edited by a moderator:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,488
No, but I am running a nearly Microsoft only setup (only using Macrium and Syncback as other software), so never ran into problems (since 2019). Because I get bored with the same setup, I probably implement some corner case hardening practices. The reasons of the people on that admin website made sense to me (protecting the pristine state of important and powerful processes and raising the bar for easy to target always running or installed processes to lower the predictable succes of intrusions). I think the website was called the lazy admin or something like that).
Last edited by a moderator:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,488
You can easily check it by looking in the Event Viewer.
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-1032515
@Andy Ful Restarted my PC and ran all programs, only seeing Information events, so nothing is blocked or goes wrong (for these critical processes besides the defaults I have enabled: block remote images, enable CIG, block, disable extension points and validate image dependency).
(for these critical processes besides the defaults I have enabled: block remote images, enable CIG, block, disable extension points and validate image dependency).
Last edited by a moderator:
DLL injection into the list of processes given would be a very uncommon attack method. The configuration of Code Integrity Guard for them is basically just PoC based upon speculation that it can happen. Morphisec discovered a bypass of CIG in 2018 but it was never any kind of threat. It is an interesting discussion topic though.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,488
I also cannot see any blocks on my computer. There are several scheduled tasks that use rundll32, but they use Microsoft-signed DLLs (signed by catalog). If I correctly remember some web browser extensions can use rundll32 to run. There are probably some applications that can use rundll32 to run DLLs.@Andy Ful Restarted my PC and ran all programs, only seeing Information events, so nothing is blocked or goes wrong
View attachment 273908
This is correct. Internet Explorer. Not only that, but also IE used rundll32 to perform network checks.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,488
If I correctly remember, PowerSploit uses PowerShell code to inject EXE/DLL into powershell.exe (Invoke-ReflectivePEInjection). But it uses in-memory injection which probably can bypass CIG.
Anyway, there were several examples in the wild when DLLs were injected into rundll32, dllhost, svchost, Explorer, etc. But in fact, the attacker can use any process which is commonly used on users' computers.
Edit.
It seems that lsass, svchost, and taskhost are the most popular targets.
Process Injection Techniques used by Malware – Detection & Analysis - Security Investigation
The most common MITRE ATT&CK tactic utilized by attackers in their malware was Process Injection. Process injection is a common defense obfuscation technique used in malware that involves running customized code in another process's main memory. This is also defined as fileless malware As per...
www.socinvestigation.com
Last edited:
I have SIG enabled for all medium IL processes (so also TaskHost). I have not enabled SIG on lsass because it runs as ProtectedProcess (forgot what I had to enable on Windows 10).If I correctly remember, PowerSploit uses PowerShell code to inject EXE/DLL into powershell.exe (Invoke-ReflectivePEInjection). But it uses in-memory injection which probably can bypass CIG.
Anyway, there were several examples in the wild when DLLs were injected into rundll32, dllhost, svchost, Explorer, etc. But in fact, the attacker can use any process which is commonly used on users' computers.
Edit.
It seems that lsass, svchost, and taskhost are the most popular targets.
Process Injection Techniques used by Malware – Detection & Analysis - Security Investigation
The most common MITRE ATT&CK tactic utilized by attackers in their malware was Process Injection. Process injection is a common defense obfuscation technique used in malware that involves running customized code in another process's main memory. This is also defined as fileless malware As per...
Because the hacker can inject a DLL i any process, but also wants his/her intrusion to be succesful on many Windows PC's they probably focussed on the most common ones. That is why those admins also advised enabled SIG for popular processes which were always running/installed.
Yes, IIRC the attack requires a reverse shell (e.g. via a weaponized document or an agent). That type of attack is thwarted easily by using SWH. Not really a threat to a home user - unless that home user is a member of National Security Bureau (Polish: Biuro Bezpieczeństwa Narodowego, BBN) with data on their system that a nation state adversary wants.
IIRC this was how Morphisec bypassed CIG.
The injection can be easily thwarted again by preventing execution of common file types. SWH is going to prevent these sorts of attacks. I'm sure there are corner cases where such an attack could succeed, but realistically they are not much of a threat. So hardening the system against them is overkill for the unlikely instance of a system exploit or other clever attack.
Adding a bunch of processes to CIG is the exploit protection equivalent of adding 250 LOLBins to a block list. While both can be done at the home user level, it just is not necessary for a home user except in extreme circumstances (e.g. a home user lives in a nation that oppresses dissidents and they are being targeted by the government; think FinSpy).
It is always good infos to know, just-in-case. Overall though, as you've previously stated, these sorts of configurations provide little additional protection.
My data collected from the field shows: svchost, explorer, taskhost and lsass (less commonly targeted now due to Microsoft's increased lsass memory protections).
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,488
SIG or CIG?
Process injections are used late in the infection chain. That is why I am interested in CIG mitigation for rundll32 and regsvr32 (DLL is loaded by these LOLBins) which are commonly used at the early stage. Such mitigations could be interesting when using only ConfigureDefender on Windows 10+. This possibility must be tested because the ASR prevalence rule may check DLLs when executed via rundll32 or regsvr32 (I am not sure).
Last edited:
Similar threads
-
- Sticky
