New Update Simple Windows Hardening


ForgottenSeer 92963

One can easily block bitsadmin.exe via Exploit Protection from Security Center.
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.
I have blocked mshta.exe in Windows Exploit Protection (by simply enabling all protections) and enabled Code Integrity Guard for LOLBins/sponsors (without any incidents or problems since using Windows 10). LOLBins with label 'binaries' hardened using Code Integrity Guard: LOLBAS

Since you made these great SRP programs, I stopped tweaking SRP in my Windows Pro and also did not bother to read about the latest LOLBin misuse in staged attacks.
But BITSAdmin rings a bell: Is BITSAdmin not used for Windows updates anymore?
 
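The Exploit Protection settings described in the post above, applied from PowerShell instead of the Security Center UI. This is an added example, not code from the thread or from the Hard_Configurator tools; it uses the built-in Set-ProcessMitigation / Get-ProcessMitigation cmdlets (Windows 10 1709 and later, elevated prompt), and the only binary names it touches are the two named in the post. Note that the mitigation is tied to the bitsadmin.exe command-line client only; the BITS service itself (which Windows Update uses) runs inside svchost.exe and is not affected by it.

```powershell
# Added example (not from the thread): per-process Exploit Protection mitigations
# for the LOLBins named in the post. Run from an elevated PowerShell prompt.

# Keep a copy of the current system-wide/per-app configuration so it can be restored.
$backup = Join-Path $env:TEMP 'ExploitProtection-backup.xml'   # path chosen here
Get-ProcessMitigation -RegistryConfigFilePath $backup

# "Disable Win32k system calls" removes access to the win32k.sys syscall table.
# A console tool such as bitsadmin.exe cannot start without it, which is the
# blocking effect the post relies on.
Set-ProcessMitigation -Name 'bitsadmin.exe' -Enable DisableWin32kSystemCalls

# Code Integrity Guard: only Microsoft-signed (and Store-signed) images may be
# loaded into the process. On its own this does not stop the process from
# running; it stops unsigned DLLs from being loaded into it.
foreach ($exe in @('bitsadmin.exe', 'mshta.exe')) {
    Set-ProcessMitigation -Name $exe -Enable MicrosoftSignedOnly, AllowStoreSignedBinaries
}

# Verify what is now configured for each binary.
foreach ($exe in @('bitsadmin.exe', 'mshta.exe')) {
    "--- $exe ---"
    Get-ProcessMitigation -Name $exe | Format-List
}

# Roll back for one binary if something legitimate breaks:
#   Set-ProcessMitigation -Name 'bitsadmin.exe' -Disable DisableWin32kSystemCalls, MicrosoftSignedOnly, AllowStoreSignedBinaries
# Or restore the whole saved configuration:
#   Set-ProcessMitigation -PolicyFilePath $backup
```

Mitigations set this way are stored per image name, so they apply to any process whose executable is called bitsadmin.exe or mshta.exe regardless of its path; the same settings can be pushed to other machines by importing the exported XML with Set-ProcessMitigation -PolicyFilePath.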

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
could you add these lolbins to the FirewallHardening.

hackers can use them to download malware from the internet

source: LOLBAS
Lolbins are relatively new to me, I heard the term used here and there on MT.

My question is should the exe files in the list you posted be blocked from accessing the internet through firewall rules?
 

The_King
Yes, they can be blocked via the firewall rules, apart from Bitsadmin, for which you have to use Windows Defender Exploit Protection.
Is this setting correct for blocking Bitsadmin?
W32block.jpg
 
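The per-program outbound block rules discussed in the two posts above, as an added example that is not part of the thread and is not the FirewallHardening tool's own code. It uses the built-in NetSecurity cmdlets (New-NetFirewallRule and friends, Windows 8 / Server 2012 and later, elevated prompt). Only mshta.exe is taken from the thread; bitsadmin.exe is deliberately left out because, as the reply says, its transfers are performed by the BITS service rather than by bitsadmin.exe itself, so a per-program rule on it would not stop the download. The rule group name is chosen here so the rules can be listed and removed as a unit.

```powershell
# Added example (not from the thread): outbound block rules for LOLBins.
# Extend $lolbins with further entries from the LOLBAS list as needed.
$lolbins = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe"    # 32-bit copy on 64-bit Windows
)
$group = 'LOLBin outbound block (example)'   # group name chosen for this example

foreach ($path in $lolbins) {
    if (-not (Test-Path $path)) {
        Write-Warning "Not present on this system, skipping: $path"
        continue
    }
    $arch = if ($path -like '*SysWOW64*') { 'x86' } else { 'x64' }
    $name = "Block outbound - $(Split-Path $path -Leaf) ($arch)"

    # Idempotent: do not create a duplicate rule on re-run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        "Already present: $name"
        continue
    }
    New-NetFirewallRule -DisplayName $name -Group $group `
        -Direction Outbound -Program $path -Action Block `
        -Profile Any -Enabled True | Out-Null
    "Created: $name"
}

# Show which programs are covered by the group.
Get-NetFirewallRule -Group $group |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program

# Clean-up, when needed:
#   Remove-NetFirewallRule -Group $group
```

Windows Firewall evaluates block rules before allow rules, so these take effect even if a broader allow rule exists for the same program. A block is only as good as the path match: a copy of the binary under another path or name is not covered, which is why pairing this with the Exploit Protection / Code Integrity settings from the earlier post is the more robust combination.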

ForgottenSeer 92963

Blocking all LOLBins has never caused a breakage that cannot be fixed, if needed. Millions block LOLBins daily and the world has never had an IT meltdown. If anyone hadn't noticed, the LOLBin list is quite manageable as it changes slowly.
Thanks for your answer. I had a futile discussion to add block rules for sponsors also in SWH with @Andy Ful , but he declined in fear it might break/complicate things for ordinary user. Maybe you could give it another try to convince him to block sponsors in SWH :)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
SWH is a simple application for home users that should require only minimal adjustments. I am trying to avoid unnecessary options. SWH is intended to prevent fileless attacks. It can already prevent attacks with LOLBins, without blocking LOLBins.

Let's make an experiment. If someone can find a few malware used in widespread attacks that use LOLBins and cannot be prevented by SWH + FirewallHardening, then I will consider adding the option <Block LOLBins> to SWH.

:)(y)
 

ForgottenSeer 92963

@Andy Ful

:) I am challenging you, not criticizing you (y)

At the moment I have exported the Firewall Hardening rules from Hard_Configurator to a regfile (see attached files).

Two questions
1. Are these the FW hardening rules you mentioned above (need I add more)?
2. Could you make the FW hardening a separate module (it is part of H_C, not SWH)?


EDIT thanks @SeriousHoax
 

Andy Ful
SWH is a part of modular security. Other modules (separate tools) are available as standalone applications included in the H_C_HardeningTools (ConfigureDefender, FirewallHardening, DocumentsAntiExploit, RunBySmartscreen).

The necessity of using other modules can depend on the AV, installed software, home environment, user's safe habits, and desired security level. For example, if one uses MS Office in daily work then it is recommended to use Defender with ConfigureDefender, or with DocumentsAntiExploit tool. If one uses Norton 360 as an AV, then SWH will be probably enough. Many users will be happy just with SWH + ConfigureDefender.

If the user is cautious, then (with some basic knowledge and a few safe habits) a good AV + RunBySmartscreen will be enough. For happy clickers or children protection, I would recommend using Hard_Configurator instead of SWH (and hardening tools). Hard_Configurator is also a good application to learn about Windows security and safe habits.
 

Andy Ful
The purpose of SWH and H_C_HardeningTools is to support the AV, assuming that AV provides general real-time protection, especially for *.exe and *.msi files.
  1. SWH - the AV support against fileless attacks.
  2. ConfigureDefender - the Defender support for Network protection, MS Office, Outlook, Adobe Reader, anti-ransomware, USB disks, non-prevalent executables, and advanced threat protection.
  3. FirewallHardening - the AV support in the case when *.exe or *.msi malware uses LOLBins (directly or via code injections) to download payloads.
  4. DocumentsAntiExploit (not SWH setting) - the AV support for MS Office and Adobe Reader.
  5. RunBySmartscreen - on-demand support for AV and Windows SmartScreen (files without MOTW, DLL hijacking).
Some AVs do not need the support of all tools. For example, Norton 360 covers all these tools except SWH.
The tools: SWH, ConfigureDefender, FirewallHardening, DocumentsAntiExploit, RunBySmartscreen, are only configurators of Windows built-in features. These tools do not run as real-time security processes. So, the additional real-time protection is provided by already existent Windows features that have been enabled/configured by these tools.
 

dabluez98

Level 3
Verified
Oct 2, 2018
138
I hope my question is not out of context, but please just say if it is -> I get that #1-#5 are not real-time processes. But my question is this:
If I have SWH running with Kaspersky, and then I add OS Armor to the mix, which ones from 2-5 do I realistically need? I would guess FirewallHardening? Or maybe there is no exact answer to my question?
 

Andy Ful
I hope my question is not out of context, but please just say if it is -> I get that #1-#5 are not real-time processes. But my question is this:
If I have SWH running with Kaspersky, and then I add OS Armor to the mix, which ones from 2-5 do I realistically need? I would guess FirewallHardening? Or maybe there is no exact answer to my question?
Simply use KIS with @harlan4096 settings and you will not need even SWH.(y)
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
It can already prevent attacks with LOLBins, without blocking LOLBins.

Actually, don't the LOLBins simply launch the script types such as .js, .vbs, .hta, etc., so then if scripts are blocked via SRP for instance, then really there's no need to block the LOLBins anyway?

EDIT

to be clear, I'm supporting your statement, not that you need support :)
 