Question Simple Windows Hardening

[Andy Ful]

@Andy Ful
It gave a warning (see screenshot) In doubt I did not click OK, just closed the prompt. It went ahead anyway. After, apprehensively did checks for yesterday issues, it seems to be working fine.

View attachment 262976

That is OK.

 

[Azerty123]

@Andy Ful could you make a portable firewall tool that can only allow internet access to specified apps (browsers,IDM,Antivirus,svchost...etc) and block everything else (lolbins,Office macros,adobe,malwares...etc) from accessing the internet.
Binisoft WFC can do that but i was wandering if a portable tool can also do it.

 

[Andy Ful]

@Andy Ful could you make a portable firewall tool that can only allow internet access to specified apps (browsers,IDM,Antivirus,svchost...etc) and block everything else (lolbins,Office macros,adobe,malwares...etc) from accessing the internet.
Binisoft WFC can do that but i was wandering if a portable tool can also do it.

I could do it, but I am not convinced if it would be useful. If one wants such an application then Binisoft WFC is already here. Furthermore, one can do this using only Windows Firewall. Simply block all outbound connections and allow Svchost. Next, you can run FirewallHardening without any BlockList, enable Logging events, and use <Blocked Events> to identify the blocked processes. Finally, create the Allow rule in Windows Firewall for each blocked program.

This will not be possible with the upcoming FirewallHardening ver. 2011, because the new version will display only events related to the FirewallHaredening BlockList.

 

[Azerty123]

I could do it, but I am not convinced if it would be useful. If one wants such an application then Binisoft WFC is already here. Furthermore, one can do this using only Windows Firewall. Simply block all outbound connections and allow Svchost. Next, you can run FirewallHardening without any BlockList, enable Logging events, and use <Blocked Events> to identify the blocked processes. Finally, create the Allow rule in Windows Firewall for each blocked program.

This will not be possible with the upcoming FirewallHardening ver. 2011, because the new version will display only events related to the FirewallHaredening BlockList.

Why do you think it would not be useful because with a setup like that a malware can only connect to the internet using BITS Jobs (Powershell, Bitsadmin, desktopimgdownldr) and we can block these lolbins using Defender exploit protection.

or we can even disable the startup of BITS service.

 

[Azerty123]

by the way i just disabled BITS service and still windows update is working (Windows 11) but the lolbins that use BITS jobs can not connect to the internet.

Powershell BITS Command:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination

 

[Andy Ful]

Why do you think it would not be useful because with a setup like that a malware can only connect to the internet using BITS Jobs (Powershell, Bitsadmin, desktopimgdownldr) and we can block these lolbins using Defender exploit protection.

or we can even disable the startup of BITS service.

There is not any advantage of using a portable application over Binisoft WFC, for that. It could not extend the Windows built-in features, so it would not be much easier than using Windows Firewall native options, except the option of FirewallHardening to see the blocked outbound connections. The Windows Event Log cannot separate inbound and outbound connections, so it is not especially useful to see only outbound blocked connections.

 

[Andy Ful]

by the way i just disabled BITS service and still windows update is working (Windows 11) but the lolbins that use BITS jobs can not connect to the internet.

Powershell BITS Command:
$source = 'http://speedtest.tele2.net/100MB.zip'
$destination = 'c:\100MB.zip'
Start-BitsTransfer -Source $source -Destination $destination

You did not disable BITS but only stopped the service. When BITS service is disabled, then it cannot be started with standard rights. But, it can be enabled with higher privileges and used to download the payload, anyway.

 

[Azerty123]

Yes they can with admin privileges

Powershell Command:
Set-Service bits -StartupType manual
start-service bits

any ideas how to prevent them

 

[Andy Ful]

Yes they can with admin privileges

Powershell Command:
Set-Service bits -StartupType manual
start-service bits

any ideas how to prevent them

Use SWH or another method to restrict scripting and access to the CmdLine.

 

[Azerty123]

for anyone looking more info on BITS this the most detailed article i found

Hunting for Suspicious Usage of Background Intelligent Transfer Service (BITS)

BITS Overview Background Intelligent Transfer Service (BITS) is used by programmers and system administrators to download files from or ...

blog.menasec.net

 

[Azerty123]

i deleted bits service but somehow windows updates is working while powershell or bitsadmin aren't

Powershell Command:
sc.exe delete "bits"

 

[Andy Ful]

SWH and Spider-Miner

This malware is intended to attack home users. It mimics the torrent file of a movie but in fact it is an EXE file. The hash is still absent on Virus Total.

The file identifies itself as “spiderman_net_putidomoi.torrent.exe,” which translates from Russian to “spiderman_no_wayhome.torrent.exe.” The origin of the file is most likely from a Russian torrenting website.
...
The program starts two powershell encoded commands, that adds the following extended exclusions to Microsoft Defender: ignore all folders under the user profile, the system drive (i.e. “c:\\”), and all files with extensions of “.exe” or “.dll”.

Spider-Miner: With Great Power Comes Great Problems! - Stay updated with the latest cybersecurity news.

blog.reasonsecurity.com

SWH is not intended to block EXE files and leaves the protection to SmartScreen and Antivirus. Anyway, SWH can support Microsoft Defender in this attack due to restricting PowerShell commands via SRP (it forces Constrained Language Mode for PowerShell).
From the malware analysis it follows that it does not drop the script files (like *.ps1) but can execute PowerShell encoded commands to abuse Defender. This will be blocked by Constrained Language Mode.

If one is not a happy-clicker then this attack is not dangerous and will be blocked by Windows 10 default protection (SmartScreen for Explorer). Furthermore, the attack requires admin rights to inject the Monero miner code into Svchost. So, the user will see the UAC prompt - from the malware analysis, we know that the malware does not use UAC bypass.

It seems that paradoxically the users of Microsoft Defender can be more secure (compared to some other AVs) against similar malware that could use UAC bypass. A few days ago I tested Defender and other AVs. Defender blocked the known Windows 10 UAC bypasses and they were not fully blocked by some 3rd party AVs.

 

[Telos]

Just upgraded to W11. Are there compatibility issues between SWH and W11? Does reset to W11 default work cleanly?

TIA!

 

[Digmor Crusher]

I'm using it on my newish laptop with W11 that I rarely open, but no issues that I can see.

 

[SecureKongo]

Just upgraded to W11. Are there compatibility issues between SWH and W11? Does reset to W11 default work cleanly?

TIA!

Its fully compatible: Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator

 

[Gandalf_The_Grey]

Just be sure to use the latest version Simple Windows Hardening ver. 1.0.1.0.

This version works on Windows 10 and Windows 11.

Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator

github.com

 

[Andy Ful]

Are there compatibility issues between SWH and W11?

No.

Does reset to W11 default work cleanly?

TIA!

Yes.

 

[Telos]

No.

This did not go well. On first launch I got error warnings, and the app did not open. I relaunched it and it then appeared with a note to reboot.

Reboot never happened, as the PC went to blackscreen. I now have no bios access and an unable to boot from USB to attempt recovery. Firmware rollback is not working. I've ordered an Nvme to USB adaptor and will attempt to reimage the drive externally to see if that resolves things. Otherwise, I'm bricked. I'll post the error images I captured just prior to reboot later.

 

[Local Host]

There is not any advantage of using a portable application over Binisoft WFC, for that. It could not extend the Windows built-in features, so it would not be much easier than using Windows Firewall native options, except the option of FirewallHardening to see the blocked outbound connections. The Windows Event Log cannot separate inbound and outbound connections, so it is not especially useful to see only outbound blocked connections.

The Windows Firewall logs can tell the difference between Inbound and Outbound traffic (among many other details), it only needs to be enabled (native option).

SVHost is the key to make your Firewall made of steel against malware as well, so is wise to only allow specific connections through it, the malware described above would never work on my PC, despite having WD turned OFF.

 

[Andy Ful]

This did not go well. On first launch I got error warnings, and the app did not open. I relaunched it and it then appeared with a note to reboot.

Reboot never happened, as the PC went to blackscreen. I now have no bios access and an unable to boot from USB to attempt recovery. Firmware rollback is not working. I've ordered an Nvme to USB adaptor and will attempt to reimage the drive externally to see if that resolves things. Otherwise, I'm bricked. I'll post the error images I captured just prior to reboot later.

It is very strange. SWH on default settings does not block the processes with high privileges and does not block EXE files at all. The symptoms you have noted are probably related to the incompatibility of the firmware driver with one of the Windows policies or SRP.
The incompatibility problem can be solved by rebooting the computer 3 times and then the option to use the Restore Point should be available. After restoring, all SWH settings are removed.