Q&A Simple Windows Hardening

Andy Ful

There can be many advantages of strong firewall restrictions, especially in business networks.
Some of these advantages are still welcome at home. Of course, one can use complex firewall hardening alongside SWH, and even with policies made by the FirewallHardening tool.
Svchost is only one of many Windows executables that can be abused for outbound connections. Furthermore, it is not the most popular way because abusing Svchost requires high privileges. It is often used to hide malicious actions and get persistence on the heavily compromised system.

Edit.
For most users, hardening methods like restricting Svchost by the firewall are too complex and inconvenient in daily work.
I think that at home, monitoring/blocking the (auto)Run keys in the Windows Registry would be a much easier way to fight CryptoMiners.(y)
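As an added example (not part of the thread or of SWH), the monitoring approach mentioned above can be done with a baseline-and-diff of the Run/RunOnce autorun keys that persistence-seeking malware such as cryptominers commonly writes to; the baseline file path is an assumption.

```powershell
# Added example: snapshot the autorun Run/RunOnce registry keys and report
# entries that are new or changed since a saved baseline. The first run only
# writes the baseline. Baseline path below is an assumption.
$BaselinePath = "$env:ProgramData\RunKeyBaseline.json"

$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata properties that Get-ItemProperty adds; not registry values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunKeySnapshot {
  # Returns a hashtable: "<key>\<value name>" -> command line stored in the value
  $snap = @{}
  foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Name -in $MetaProps) { continue }
      $snap["$key\$($p.Name)"] = [string]$p.Value
    }
  }
  return $snap
}

$current = Get-RunKeySnapshot
if (-not (Test-Path $BaselinePath)) {
  $current | ConvertTo-Json | Set-Content -Path $BaselinePath
  Write-Host "Baseline saved with $($current.Count) autorun entries -> $BaselinePath"
  return
}

# Load the baseline back into a hashtable for comparison.
$baseline = @{}
(Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
  ForEach-Object { $baseline[$_.Name] = $_.Value }

$changes = foreach ($entry in $current.Keys) {
  if (-not $baseline.ContainsKey($entry)) {
    [pscustomobject]@{ Change = 'NEW';      Entry = $entry; Command = $current[$entry] }
  } elseif ($baseline[$entry] -ne $current[$entry]) {
    [pscustomobject]@{ Change = 'MODIFIED'; Entry = $entry; Command = $current[$entry] }
  }
}
if ($changes) { $changes | Format-Table -AutoSize -Wrap }
else { Write-Host 'No new or modified autorun entries since baseline.' }
```

Run it once from an elevated prompt to create the baseline, then re-run (for example from a scheduled task) and review any NEW or MODIFIED rows before deciding whether to remove the value.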

Local Host

There can be many advantages of strong firewall restrictions, especially in business networks.
Some of these advantages are still welcome at home. Of course, one can use complex firewall hardening alongside SWH, and even with policies made by the FirewallHardening tool.
Svchost is only one of many Windows executables that can be abused for outbound connections. Furthermore, it is not the most popular way because abusing Svchost requires high privileges. It is often used to hide malicious actions and get persistence on the heavily compromised system.

Edit.
For most users, hardening methods like restricting Svchost by the firewall are too complex and inconvenient in daily work.
I think that at home, monitoring/blocking the (auto)Run keys in the Windows Registry would be a much easier way to fight CryptoMiners.(y)
Oh trust me, svchost is not blocked alone, and certainly not only outbound connections (but also inbound). As for having the regedit secured, it already is (because the WF is extremely easy to bypass without specific restrictions).

You don't need admin rights to add firewall rules by default; this is a problem with Windows and all its APIs that make it easy to bypass UAC and prompts.

I also agree this kind of setup is too complex for average users. I use it for myself and not on other people's machines; I am not running any AV, all I need is the firewall.

There is no simple way to allow only Microsoft IPs because of their CDNs.

Andy Ful

The Windows Firewall logs can tell the difference between Inbound and Outbound traffic (among many other details), it only needs to be enabled (native option).
....
The problem is not that Windows can or cannot tell the difference. The event Id=5152 (or 5157) is used to log both inbound and outbound connections. On Windows 10, inbound connections can be blocked via Windows settings many times per minute, so it is very inconvenient to find the outbound events in the Windows Event Log. One has to use an external filtering program (PowerShell or a 3rd-party tool).

Local Host

The problem is not that Windows can or cannot tell the difference. The event Id=5152 (or 5157) is used to log both inbound and outbound connections. On Windows 10, inbound connections can be blocked via Windows settings many times per minute, so it is very inconvenient to find the outbound events in the Windows Event Log. One has to use an external filtering program (PowerShell or a 3rd-party tool).
The problem is that you are trying to check the Windows Firewall logs in Event Viewer, instead of checking the actual Windows Firewall logs (which are disabled by default).

Opening the actual Windows Firewall logs in Excel, you can filter them however you want, without the need for third-party software (you honestly don't need Excel, but it makes it easier).

It is honestly more work than it's worth either way; average users should rely on WFC.

Andy Ful

The problem is that you are trying to check the Windows Firewall logs in Event Viewer, instead of checking the actual Windows Firewall logs (which are disabled by default).

Opening the actual Windows Firewall logs in Excel, you can filter them however you want, without the need for third-party software (you honestly don't need Excel, but it makes it easier).

It is honestly more work than it's worth either way; average users should rely on WFC.
Yes. An advanced user can use any software that can get/filter events from the Windows logs. There are PowerShell scripts that can do this, available to everyone. I prefer to use the WevtUtil tool (a Windows system tool) to get the events and a simple piece of my own code to filter/format/write the interesting events into a TXT file. I did not find a more convenient and faster way to do it (including Excel, etc.).

For example, on my computer (Windows 10), there are about 65000 events in the Security log (MAX size doubled compared to the default value). About 60000 are related to blocked inbound connections of Svchost (Id=5152) and about 100 to all blocked outbound connections (Id=5152). Most of the blocked outbound connections are related to the FirewallHardening tool (All LOLBins blocked). Usually, CompatTelRunner, Explorer, and RunDll32 are blocked (telemetry connections). Slightly fewer inbound events are logged via Id=5157.
On Windows 7, the number of blocked inbound events is many times smaller.
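As an added example (not Andy Ful's own filtering code), this PowerShell snippet pulls only the blocked outbound events out of the Security log by filtering on the Direction field that events 5152/5157 carry, so the ~100 outbound events are not buried under the ~60000 inbound ones; the output file path is an assumption.

```powershell
# Added example: list blocked OUTBOUND connections from the Security log.
# Event 5152 = packet dropped by the Filtering Platform, 5157 = connection blocked.
# Both events carry a Direction field: %%14592 = Inbound, %%14593 = Outbound.
# Run in an elevated session (the Security log is admin-only).
# Equivalent query with the system tool Andy mentions:
#   wevtutil qe Security /q:"*[System[(EventID=5152 or EventID=5157)] and EventData[Data[@Name='Direction']='%%14593']]" /f:text
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5152 or EventID=5157)]]
      and *[EventData[Data[@Name='Direction']='%%14593']]
    </Select>
  </Query>
</QueryList>
"@

$outFile = "$env:USERPROFILE\Desktop\BlockedOutbound.txt"   # output path (assumption)

Get-WinEvent -FilterXml $query -ErrorAction Stop |
  ForEach-Object {
    # Flatten the event's <Data Name="..."> elements into a name -> value table.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
      Time        = $_.TimeCreated
      EventId     = $_.Id
      Application = $d['Application']   # device path of the blocked process
      Protocol    = $d['Protocol']      # 6 = TCP, 17 = UDP
      DestAddress = $d['DestAddress']
      DestPort    = $d['DestPort']
      FilterId    = $d['FilterRTID']    # WFP filter that blocked it ('netsh wfp show filters')
    }
  } |
  Sort-Object Time -Descending |
  Format-Table -AutoSize | Out-String -Width 200 | Set-Content -Path $outFile

Write-Host "Wrote blocked outbound events to $outFile"
```

Because the filtering is done by the event log service via XPath, only matching records are read and parsed, which is what makes this faster than scrolling Event Viewer or exporting the whole log.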

Andy Ful

If it were only that simple. There is no reboot, and I am unable to enter BIOS settings. I will attempt a CMOS reset (remove / replace CMOS battery) tomorrow. A "disheartening experience" is an understatement.
If so, then the issue is probably not related to SWH.

Andy Ful

If it were only that simple. There is no reboot, and I am unable to enter BIOS settings. I will attempt a CMOS reset (remove / replace CMOS battery) tomorrow. A "disheartening experience" is an understatement.
I had a similar issue many years ago on Windows 7, and I saw it once on my friend's XP computer. Before taking extreme measures, it is recommended to try this (after a cold shutdown of the computer):
"One of the things I would suggest is to remove any external devices attached to the computer apart from the keyboard and mouse and check if that helps."

In my case, it was an error related to the printer. Everything worked well again after disconnecting the printer. In another case, the issue was related to a USB port.
Generally, such behavior is related to driver errors that can happen randomly, and it is usually hard to find the cause of the instability.
A cold shutdown is recommended because many machines use fast startup (they do not shut down but hibernate).

Andy Ful

SimpleWindowsHardening vs. APT attacks.

Thanks @Correlate, I recalled an article about possible weaknesses of Endpoint Detection and Response software (some time ago I made a thread about it on MT):
https://malwaretips.com/threads/end...s-against-advanced-persistent-threats.109745/
https://malwaretips.com/threads/end...ackers-have-evolved-part-1.106619/post-970740

The full research article can be found here:

Attack Vectors
  • A .cpl file: A DLL file which can be executed by double-clicking under the context of the rundll32 LOLBIN, which can execute code maliciously under its context. The file has been crafted using CPLResourceRunner. To this end, we use a shellcode storage technique using Memory-mapped files (MMF) [17] and then trigger it using delegates, ...
  • A legitimate Microsoft (MS) Teams installation that will load a malicious DLL. In this regard, DLL side-loading will lead to a self-injection, thus allowing us to "live" under a signed binary...
  • An unsigned PE executable file; from now on referred to as EXE, that will execute process injection using the "Early Bird" technique of AQUARMOURY into werfault.exe. For this, we spoofed the parent of explorer.exe using the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY flag to protect our malware from an unsigned-by-Microsoft DLL event that is commonly used by EDRs for process monitoring.
  • An HTA file. Once the user visits a harmless HTML page containing an IFrame, he will be redirected and prompted to run an HTML file infused with executable VBS code that will load the .NET code provided in Listing 2 and perform self-injection under the context of mshta.exe.
I skipped the attack vector related to DLL side-loading because it is related to lateral movement (common in enterprises). The attacker had to drop the malicious DLL, a modified system DLL (the original is normally located in the "c:\Windows\system32" folder), into the application folder of Microsoft Teams (already installed on the system).

When looking at the Defender results, it can be seen that SWH + Microsoft Defender for Endpoint (Defender with advanced settings) could prevent all attack vectors (except lateral movement).

It is interesting that many products missed the fileless attacks via CPL or HTA files (blocked by SWH):
Carbon Black, Comodo, CrowdStrike, Elastic, F-Secure, Microsoft, Panda, Sentinel, Symantec, TrendMicro.

Andy Ful

SWH vs. malware

Thanks @Gandalf_The_Grey, I examined the new Zloader campaign:
https://malwaretips.com/threads/microsoft-code-sign-check-bypassed-to-drop-zloader-malware.111797/
https://research.checkpoint.com/202...signature-verification-putting-users-at-risk/

The infection chain will be stopped by SWH at level 3 (BAT file blocked).

This attack uses an MSI installer with a valid EV certificate, so the installer can bypass Windows SmartScreen and most AVs (the installer itself does not contain malicious code). Of course, the attack can be detected when the "true" malicious code is downloaded and executed (level 6). Such malware is used in targeted attacks:

It is unclear how the threat actors tricked the victims into downloading the malicious file, but it could be through cracks found on pirated software resources or spear-phishing emails.
https://www.bleepingcomputer.com/ne...-sign-check-bypassed-to-drop-zloader-malware/

It seems that this campaign was quite successful:


South Park

Is there any script we can use to test the blocking of the Simple/Hard configuration, i.e. to test the blocking of scripts, PowerShell, BAT files, etc.?
I use this test script from Guy Thomas. You can change the extension from .txt to .vbs and try to run it, then try whitelisting it e.g. by path. When it runs, it displays some information about your system.
Attachment: test.vbs.txt (1 KB)

Andy Ful

Is there any script we can use to test the blocking of the Simple/Hard configuration, i.e. to test the blocking of scripts, PowerShell, BAT files, etc.?
You can use any script you want.
You can even create an empty text file and change its extension from .txt to .vbs, .js, .bat, .ps1, etc.

Andy Ful

SWH vs. Log4Shell attacks

Log4Shell is an exploit for CVE-2021-44228 (a critical vulnerability in Apache Log4j disclosed in December).

The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers’ software and services. By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.


An example of a fileless infection chain used recently in the wild was posted above as an image.

SWH will break the infection chain due to PowerShell restrictions.

Andy Ful

SWH vs. GootLoader.

Operators of the GootLoader campaign are setting their sights on employees of accounting and law firms as part of a fresh onslaught of widespread cyberattacks to deploy malware on infected systems, an indication that the adversary is expanding its focus to other high-value targets.

https://malwaretips.com/threads/goo...employees-of-law-and-accounting-firms.111933/
https://thehackernews.com/2022/01/gootloader-hackers-targeting-employees.html

Malware analysis (from a previous campaign):
https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/
"GootLoader relies heavily on social engineering to establish its foothold, from poisoning Google search results to fashioning the payload," said Keegan Keplinger, research and reporting lead for eSentire's Threat Response Unit (TRU).

"GootLoader's operators invite employees to seek, download, and execute their malware under the guise of a free business agreement template. This is particularly effective against legal firms, who may encounter uncommon requests from clients."

This attack vector can also be used against home users via widespread spam campaigns. The user gets an email with a direct link to something interesting. In fact, it is a direct link to the malicious script.
SWH can block such malware via scripting restrictions.