Q&A Simple Windows Hardening

wat0114

Level 4
Verified
Apr 5, 2021
182
1,277
Sometimes there are ways to craft script files or use command lines that can bypass simple user space file blocking. So blocking sponsors is just an additional security layer should that happen. For example you can use a file type not covered by typical SRP such as .svg.

Agreed, and I do use OSArmor along with H_C to cover both scenarios of blocking scripts. But I think I can provide evidence as seen below where in the first partial log snippet from H_C events, H_C blocks the sample.hta script directly, without need to block a command line where the LOLBin might be involved.

Code:
Access to C:\Users\myself\Desktop\sample.hta has been restricted by your Administrator by the default software restriction policy level.

In the second log snippet taken from OSArmor's logs, I have temporarily disabled H_C's "Default Deny", and this is where OSA leaps into action blocking "suspicious command line strings". For this part of the test I also disabled in OSA "Block execution of uncommon scripts".

Code:
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\WINDOWS\System32\WScript.exe" "C:\Users\myself\Desktop\ClsTS.vbs"

So isn't WScript in the command line the LOLBin?

Either way, there is lots of overlap with these two utilities - maybe too much even - that can effectively block scripting type attacks.

EDIT

For better clarity, below is the same .vbs file blocked by H_C's SRP settings, where it kicks in before OSA.

[Screenshot: VBS 03.png]
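To confirm which layer fired first on a machine like this, here is an added example (not code from the thread, H_C or OSArmor) that pulls the SRP block events Windows writes to the Application log. The provider name, the event ID meanings and the insertion-string index are assumptions of this example taken from Microsoft's SRP documentation; verify them on your build if nothing is returned.

```powershell
# Added example: list recent Software Restriction Policy block events.
# Assumed mapping (verify on your build):
#   865 = blocked by the default level (the message quoted in the post above)
#   866 = path rule, 867 = certificate rule, 868 = zone rule, 882 = hash rule
$ruleKind = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule'
               868 = 'zone rule';     882 = 'hash rule' }

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'   # assumed provider name
    Id           = 865, 866, 867, 868, 882
}

Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumption: the blocked file path is the first insertion string of the event.
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Rule    = $ruleKind[$_.Id]
            Path    = $_.Properties[0].Value
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the blocked script shows up here with a timestamp earlier than the corresponding OSArmor log entry, SRP fired before OSA had to inspect the command line.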

wat0114

Level 4
Verified
Apr 5, 2021
182
1,277
Most users cannot figure out command line blocks. Some security enthusiasts can. Having the user make a decision on what command lines to allow or disallow is almost a futile enterprise. It is better to block the process, which is how Microsoft intended.

In my case, that's okay, since to me it's just a Parent (LOLBin) triggering a Child (script). I like OSA as I see it as a kind of Windows hardening tool on steroids :) Ultimately, I was trying to support Andy's debate with Kees earlier in this thread by use of a test scenario, as well as an attempt to satisfy my own curiosity.
 

Azerty123

New Member
Verified
Mar 29, 2021
7
17
Hi @Andy Ful,

I would like to ask how to block BitsTransfer, because even if PowerShell is blocked with a firewall hardening tool it is still able to download from the internet.

Code:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination
 

Azerty123

New Member
Verified
Mar 29, 2021
7
17
C:\WINDOWS\System32\svchost.exe -k netsvcs -p

It cannot be blocked in the firewall, as BITS utilizes svchost.exe (not PowerShell) to do the actual file download.

To disable BITS you have to disable the service.


We cannot block BITS services, as it is needed for Windows system updates.
 


Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,272
42,740
Hi @Andy Ful,

I would like to ask how to block BitsTransfer, because even if PowerShell is blocked with a firewall hardening tool it is still able to download from the internet.

Code:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination

This command invokes the BITS service and cannot normally be blocked. BITS is used by the system for important tasks. It is better to block something that could run PowerShell (and other LOLBins). That is also the main purpose of SWH.

Post edited.
 
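Since the service cannot be disabled without breaking Windows Update, a defender's alternative is to audit BITS instead. The following is an added example, not code from the thread or from SWH: it enumerates live BITS jobs for all users and then reviews the BITS client operational log, flagging downloads from hosts outside an allow-list. The allow-list of host suffixes and the reliance on event 59's message text are assumptions of this example; Get-BitsTransfer and the log name are standard Windows components.

```powershell
# Added example: audit BITS rather than block it.
# Part 1: live BITS jobs for every user, with the remote URL each file is pulled from.
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    $job = $_
    foreach ($file in $job.FileList) {
        [pscustomobject]@{
            Owner     = $job.OwnerAccount
            Job       = $job.DisplayName
            State     = $job.JobState
            RemoteUrl = $file.RemoteName
            LocalPath = $file.LocalName
        }
    }
} | Format-Table -AutoSize

# Part 2: recent transfers recorded in the BITS client operational log.
# Event 59 is written when a job starts and its message names the remote URL.
# The allow-list below is an assumption for illustration; adjust it to your environment.
$allowedSuffixes = '.windowsupdate.com', '.microsoft.com', '.windows.com'
$filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59 }

Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumption: the event text reads "... associated with the <url> URL."
        if ($_.Message -match 'associated with the (\S+) URL') {
            $url      = $Matches[1]
            $hostName = ([uri]$url).Host
            $allowed  = $false
            foreach ($suffix in $allowedSuffixes) {
                if ($hostName -like "*$suffix") { $allowed = $true }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Host    = $hostName
                Url     = $url
                Flagged = -not $allowed   # a BITS download from an unexpected host
            }
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

A PowerShell-initiated Start-BitsTransfer to a non-allow-listed host shows up in Part 2 with Flagged set to True, even though the bytes were moved by svchost.exe rather than powershell.exe.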

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,272
42,740
It seems that AVs improved the detection of PowerShell being run by EXE malware. Yesterday, I tested ConfigureDefender with Bitdefender Total Security installed to check a possible false positive detection. Bitdefender allowed ConfigureDefender but blocked PowerShell actions started by ConfigureDefender. That is why malware samples avoid running PowerShell (LOLBins) via EXE files and prefer scripting methods.
 

The_King

Level 12
Verified
Aug 2, 2020
551
6,033
It seems that AVs improved the detection of PowerShell being run by EXE malware. Yesterday, I tested ConfigureDefender with Bitdefender Total Security installed to check a possible false positive detection. Bitdefender allowed ConfigureDefender but blocked PowerShell actions started by ConfigureDefender. That is why malware samples avoid running PowerShell (LOLBins) via EXE files and prefer scripting methods.
There is an option in BTS to scan scripts which is turned off by default. Does enabling this help block malware scripts?
[Screenshot: BTS scan script.jpg]

If you have any recommended settings with BTS and ConfigureDefender or SWH I would greatly appreciate it.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,272
42,740
There is an option in BTS to scan scripts which is turned off by default. Does enabling this help block malware scripts?

If you have any recommended settings with BTS and ConfigureDefender or SWH I would greatly appreciate it.

The "Scan scripts" option can be turned ON even when using SWH. Scripts are usually a part of an attack that can also use payloads (EXE, MSI, DLL, etc.). Bitdefender will add some suspiciousness points when inspecting the script content. So, the final evaluation of the attack will improve. Furthermore, this can also improve removing the malware leftovers.

There is no reason to use ConfigureDefender with Bitdefender. My test was intended to check if the submission to Bitdefender (about whitelisting ConfigureDefender) was accepted. Bitdefender signatures are used by several AVs and false-positive detection can increase the VirusTotal detections of ConfigureDefender. As we could see my submission was accepted by Bitdefender only on the signature level, but still, the ATP features of Bitdefender blocked the actions related to PowerShell.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,272
42,740
Hi @Andy Ful,

is there a way you could add an option to block USB malware that is auto-executed via autorun.inf, like this tool?

There has been no such malware for several years. The USB Autorun feature is disabled by default from Windows Vista SP2. (y)
The known USB malware mostly uses a shortcut trick (blocked by SWH). In the past, some malware also used the Explorer icon exploit (patched several years ago).
 

Morro

Level 12
Verified
Jul 8, 2012
556
1,077
The following question may seem unnecessary, but I'd rather ask to be sure. When updating to the latest version, do I have to do something special, like deactivating the SRP and Windows Hardening rules before updating? Or can I simply update it like other programs? :unsure:
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,272
42,740
The following question may seem unnecessary, but I'd rather ask to be sure. When updating to the latest version, do I have to do something special, like deactivating the SRP and Windows Hardening rules before updating? Or can I simply update it like other programs? :unsure:
The new version accepts the previous settings. There is one new setting (SRP Policy Scope) that can be also configured (it was set silently to Standard in the previous version of SWH).
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,272
42,740
Thank you Andy Ful.

If you look at the SWH changelog:
https://github.com/AndyFul/Hard_Configurator/blob/master/Simple Windows Hardening/SWH_Changelog.txt
then there is also another addition in the new version (in point 2).
So, you can also manually add two file extensions: ELF and SLK.
These file extensions are also included in the default list of protected extensions. They can be added automatically by restoring the default extensions or applying Paranoid Extensions.

[Screenshot: 1635621769582.png]
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,272
42,740

Mekotio Banking Trojan

https://thehackernews.com/2021/11/mekotio-banking-trojan-resurfaces-with.html
https://malwaretips.com/threads/mek...-new-attacking-and-stealth-techniques.110791/

[Screenshot: 1636022922550.png]

Simple Windows Hardening settings can break the infection chain just after unpacking the malware (level 3) - the BAT script will be blocked.
It is worth mentioning that on the last infection level (6) the above malware uses three files: AHK interpreter + AHK script + DLL payload.
Using the AHK scripting is also possible via the compiled executable (EXE malware). Simple Windows Hardening does not block EXE files, but it will break the infection chain very quickly by blocking VBS or PS scripting:



AHK RAT Loader Used in Unique Delivery Campaigns
 

oldschool

Level 63
Verified
Mar 29, 2018
5,237
38,218
Unless a security software takes care of all this for a typical user, they will simply click "Allow" and get infected. More often than not this is what end users do. They cannot handle alerts.
Except SWH alerts are simply Windows systems notifications without the typical "Allow" option of most software. Depending on the system and the user's needs it's set and forget.
 