New FileFix attack runs JScript while bypassing Windows MoTW alerts
- Thread starter Parkinsond
- Start date
Tip: Use SRP (software restriction policy) to ban mshta.exe. Nobody uses it anymore. Same goes for cscript.exe. MS keeps old (vulnerable and mis-usable) things around to let people 'prolong their IT investments'. ChatGPT says it first appeared in 1999. (Win 98)
Andy Ful said:
The Kanthak correction to restore SRP functionality on Windows 11 ver.
22H2, works only when Smart App Control is OFF. If it is in Evaluate or ON
mode, then the invalid registry values are automatically restored after
restarting Windows.
To restore SRP on all SAC modes, one should not delete registry values but
simply set the "RuleCount" value to 0:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp]
"RuleCount"=dword:00000000
Andy Ful said:
The Kanthak correction to restore SRP functionality on Windows 11 ver.
22H2, works only when Smart App Control is OFF. If it is in Evaluate or ON
mode, then the invalid registry values are automatically restored after
restarting Windows.
To restore SRP on all SAC modes, one should not delete registry values but
simply set the "RuleCount" value to 0:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp]
"RuleCount"=dword:00000000
Last edited:
I downloaded a full web page and found it really has no motw; does using rub-by-smartscreen adds the motw and solve such situation?
The HTA files (and many others) are blocked with an alert when run via "Run by SmartScreen":
SRP is still used on Windows Server editions. It is not so popular on Windows 11 because, from version 24H2, SRP is turned off by default (can be activated).
SRP is deprecated on Windows 10+ because there are new solutions available in Windows Pro and Enterprise editions (AppLocker and WDAC). But SRP is fully functional on all Windows versions:
Software Restriction Policies
Learn about Software Restriction Policies (SRP) in Windows Server 2012 and Windows 8 and find links to technical information about SRP beginning with Windows Server 2003.
learn.microsoft.com
You can use the registry tweak you posted here and apply SRP via Windows Registry, Hard_Configurator, or WHHLight.
Avoid GPO on Windows 11, because it refreshes AppLocker (even if no rules), which automatically turns off SRP.
@Andy Ful by saying GPO, do you mean gpedit ? Even Local Security Policy?
If we use Local Security Policy, can't we just remember to set that registry RuleCount"=dword:00000000 whenever we finish modifying SRP rules?
If we use Local Security Policy, can't we just remember to set that registry RuleCount"=dword:00000000 whenever we finish modifying SRP rules?
GPO = Group Policy Object.
GPEedit and SecPol depend on GPO.
Yes. But, applying any Windows Policy (also non-SRP) via GPO turns off SRP. So using SRP and GPO is risky and requires caution. For most users, maintaining SRP via GPO is a challenge. Most SRP configurations available publicly have some serious flaws. The proper configurations require many rules and extended knowledge about Windows and SRP.
Last edited:
If they play with security restrictions of any sort and don't have drive image backups then they should really think twice.
You may also like...
-
FileFix Attack Exploits Windows File Explorer to Execute PowerShell Commands- Started by Wrecker4923
- Replies: 0
-
Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia- Started by Captain Awesome
- Replies: 2
-
Windows PowerShell now warns when running Invoke-WebRequest scripts- Started by Parkinsond
- Replies: 1
-
7-Zip MotW bypass exploited in zero-day attacks against Ukraine- Started by Gandalf_The_Grey
- Replies: 1
-
WinRAR path traversal flaw still exploited by numerous hackers
- Started by Parkinsond
- Replies: 7