New Update Simple Windows Hardening

[wat0114]

Sometimes there are ways to craft script files or use command lines that can bypass simple user space file blocking. So blocking sponsors is just an additional security layer should that happen. For example you can use a file type not covered by typical SRP such as .svg.

Agreed, and I do use OSArmor along with H_C to cover both scenarios of blocking scripts. But I think I can provide evidence as seen below where in the first partial log snippet from H_C events, H_C blocks the sample.hta script directly, without need to block a command line where the LOLBin might be involved.

Access to C:\Users\myself\Desktop\sample.hta has been restricted by your Administrator by the default software restriction policy level.

In the second log snippet taken from OSArmor's logs, I have temporarily disabled H_C's "Default Deny", and this is where OSA leaps into action blocking "suspicious command line strings". For this part of the test I also disabled in OSA "Block execution of uncommon scripts".

Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\WINDOWS\System32\WScript.exe" "C:\Users\myself\Desktop\ClsTS.vbs"

So isn't WScript in the command line the LOLBin?

Either way, there is lots of overlap with these two utilities - maybe too much even - that can effectively block scripting type attacks.

EDIT

for better clarity, below is the same .vbs file blocked by H_C's SRP settings, where it kicks in before OSA.

 

[wat0114]

Most users cannot figure out command line blocks. Some security enthusiasts can. Having the user make a decision on what command lines to allow or disallow is almost a futile enterprise. It is better to block the process, which is how Microsoft intended.

In my case, that's okay, since to me it's just a Parent (LOLBin) triggering a Child (script). I like OSA as I see it as a kind of Windows hardening tool on steroids Ultimately, I was trying to support Andy's debate with Kees earlier in this thread by use of a test scenario, as well as an attempt to satisfy my own curiosity.

 

[Azerty123]

hi @Andy Ful

i would like to ask how to block BitsTransfer because even if PowerShell is blocked with a firewall hardening tool it is still able to download from the internet.

$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination

 

[Kongo]

SWH ver. 1.0.1.0 (stable version)

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening.exe

It is functionally equal to the latest beta, except for some code optimisation and some minor changes.

I think you linked the old version

 

[Azerty123]

C:\WINDOWS\System32\svchost.exe -k netsvcs -p

It cannot be blocked in the firewall as the BITS utilizes svchost.exe (not powershell) to do the actual file download.

To disable BITS you have to disable the service.

We cannot block BITS services, as it is needed for Windows system updates.

 

[wat0114]

We cannot block BITS services, as it is needed for Windows system updates.

What I do is restrict svchost.exe to specific Microsoft updates server IP address ranges to tcp ports 80,443. This does not block BITS, but it restricts it to safe remote servers.

 

[Andy Ful]

SWH ver. 1.0.1.0 (stable version)

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening.exe

It is functionally equal to the latest beta, except for some code optimization and some minor changes.

Apologies. The correct link to the new version is :

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_1010.exe

What is new?
https://github.com/AndyFul/Hard_Configurator/blob/master/Simple Windows Hardening/SWH_Changelog.txt

Edit - added the link to changelog.

 

[Andy Ful]

hi @Andy Ful

i would like to ask how to block BitsTransfer because even if PowerShell is blocked with a firewall hardening tool it is still able to download from the internet.

$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination

This command invokes BITS service and cannot be normally blocked. BITS is used by the system for important tasks. It is better to block something that could run PowerShell (and other LOLBins). That is also the main purpose of SWH.

Post edited.

 

[Andy Ful]

It seems that AVs improved the detection of running PowerShell by the EXE malware. Yesterday, I tested ConfigureDefender with installed Bitdefender Total Security to check a possible false positive detection. Bitdefender allowed ConfigureDefender but blocked PowerShell actions started by ConfigureDefender. That is why malware samples avoid running PowerShell (LOLBins) via EXE files and prefer scripting methods.

 

[wat0114]

That might make sense for enterprise, but not for a home user. The discussion of why would take a multi-paged thread of its own.

Well it works for me, and I'm a home user.

 

[The_King]

It seems that AVs improved the detection of running PowerShell by the EXE malware. Yesterday, I tested ConfigureDefender with installed Bitdefender Total Security to check a possible false positive detection. Bitdefender allowed ConfigureDefender but blocked PowerShell actions started by ConfigureDefender. That is why malware samples avoid running PowerShell (LOLBins) via EXE files and prefer scripting methods.

There is an option in BTS to scan scripts which is turned off by default. Does enabling this help block malware scripts?

Spoiler: Scan scripts

If you have any recommended settings with BTS and ConfigureDefender or SWH I would greatly appreciate it.

 

[Andy Ful]

There is an option in BTS to scan scripts which is turned off by default. Does enabling this help block malware scripts?

Spoiler: Scan scripts

View attachment 261487

If you have any recommended settings with BTS and ConfigureDefender or SWH I would greatly appreciate it.

The "Scan scripts" option can be turned ON even when using SWH. Scripts are usually a part of an attack that can also use payloads (EXE, MSI, DLL, etc.). Bitdefender will add some suspiciousness points when inspecting the script content. So, the final evaluation of the attack will improve. Furthermore, this can also improve removing the malware leftovers.

There is no reason to use ConfigureDefender with Bitdefender. My test was intended to check if the submission to Bitdefender (about whitelisting ConfigureDefender) was accepted. Bitdefender signatures are used by several AVs and false-positive detection can increase the VirusTotal detections of ConfigureDefender. As we could see my submission was accepted by Bitdefender only on the signature level, but still, the ATP features of Bitdefender blocked the actions related to PowerShell.

 

[Azerty123]

hi @Andy Ful

is there a way you could add an option to block USB malware that is auto executed via autorun.inf like this tool

NoVirusThanks: Free Security Software & Cyber Security

Security software to protect your PC from malware. Security services for a safer Internet. Information Technology, Cyber Security and Security Solutions.

www.novirusthanks.org

 

[Andy Ful]

hi @Andy Ful

is there a way you could add an option to block USB malware that is auto executed via autorun.inf like this tool

NoVirusThanks: Free Security Software & Cyber Security

Security software to protect your PC from malware. Security services for a safer Internet. Information Technology, Cyber Security and Security Solutions.

www.novirusthanks.org

There is no such malware for several years. The USB Autorun feature is disabled by default from Windows Vista SP2.
The known USB malware mostly uses a shortcut trick (blocked by SWH). In the past, some malware used also the Explorer icon exploit (patched several years ago).

 

[Morro]

The following question may seem unnecessary, but I rather ask to be sure. When updating to the latest version, do I have to do something special, like deactivating the SRP and Windows Hardening rules before updating? Or can I just simply update like other programs.

 

[Andy Ful]

The following question may seem unnecessary, but I rather ask to be sure. When updating to the latest version, do I have to do something special, like deactivating the SRP and Windows Hardening rules before updating? Or can I just simply update like other programs.

The new version accepts the previous settings. There is one new setting (SRP Policy Scope) that can be also configured (it was set silently to Standard in the previous version of SWH).

 

[Morro]

The new version accepts the previous settings. There is one new setting (SRP Policy Scope) that can be also configured (it was set silently to Standard in the previous version of SWH).

Thank you Andy Ful.

 

[Andy Ful]

Thank you Andy Ful.

If you look at the SWH changelog:
https://github.com/AndyFul/Hard_Configurator/blob/master/Simple Windows Hardening/SWH_Changelog.txt
then there is also another addition in the new version (in point 2).
So, you can also add manually two file extensions: ELF and SLK.
These file extensions are also included in the default list of protected extensions. They can be added automatically by restoring the default extensions or applying Paranoid Extensions.

 

[Andy Ful]

Mekotio Banking Trojan​

https://thehackernews.com/2021/11/mekotio-banking-trojan-resurfaces-with.html
https://malwaretips.com/threads/mek...-new-attacking-and-stealth-techniques.110791/



Simple Windows Hardening settings can break the infection chain just after unpacking the malware (level 3) - the BAT script will be blocked.
It is worth mentioning that on the last infection level (6) the above malware uses three files: AHK interpreter + AHK script + DLL payload.
Using the AHK scripting is also possible via the compiled executable (EXE malware). Simple Windows Hardening does not block EXE files, but it will break the infection chain very quickly by blocking VBS or PS scripting:

AHK RAT Loader Used in Unique Delivery Campaigns[/URL]

 

[oldschool]

Unless a security software takes care of all this for a typical user, they will simply click "Allow" and get infected. More often not this is what end users do. They cannot handle alerts.

Except SWH alerts are simply Windows systems notifications without the typical "Allow" option of most software. Depending on the system and the user's needs it's set and forget.