New Update Simple Windows Hardening

[Gandalf_The_Grey]

Yes, it will prevent running the Excel 4.0 macros. DocumentsAntiExploit tool applies several restrictions and can be used when Defender is not configured with advanced settings or when another AV is used. The user has to use DocumentsAntiExploit on each account, because configuring the restrictions for one particular user does not have an impact to other user accounts.

In MS Office, the below settings are applied (valid up to MS Office 2019):

• Disabled Macros in MS Office XP and MS Office 2003+ (Word, Excel, PowerPoint, Access, Publisher, Outlook).
• Disabled Access to Visual Basic Object Model (VBOM) in MS Office 2007+ (Access, Excel, PowerPoint, and Word).
• Disabled DDE in Word 2007+ (requires Windows Updates pushed in January 2018, see Microsoft Security Advisory ADV170021).
• Disabled auto-update for any linked fields (including DDE and OLE) in Word 2007+, Excel 2007+, Outlook 2007+, One Note 2013+.
• Disabled ActiveX in MS Office 2007+.
• Disabled OLE in MS Office 2007+ (Word, Excel, PowerPoint).
• Disabled ‘Run Programs’ option for action buttons in PowerPoint 2007+.
• Disabled automatic download of linked images in PowerPoint 2007+.
• Disabled TrustBar notifications in MS Office 2007+.

In Adobe Acrobat Reader XI/DC, the below settings are applied :

• The dangerous features in Adobe Acrobat Reader DC on Windows 8.1/10 can be silently mitigated in AppContainer.
• The dangerous features in Adobe Acrobat Reader XI/DC can be blocked with the ‘Yellow Message Bar’ (the user can allow them).
• The restrictions apply to the current account and overwrite native settings in Adobe Acrobat Reader XI/DC.
• The user can apply different restrictions on different accounts.

@Andy Ful What is the latest version of the Documents Anti-Exploit tool?

 

[Andy Ful]

@Andy Ful What is the latest version of the Documents Anti-Exploit tool?

The latest version is 2.0.0.0 and it is included in H_C_HardeningTools:

https://github.com/AndyFul/ConfigureDefender/raw/master/H_C_HardeningTools/H_C_HardeningTools_2002.zip

 

[Tutman]

Might be due to the fact that it's a malware analysis platform and that it also includes malicious samples that can be downloaded. The site itself is safe.

Yep the main url is fine... that was the link to his sample.

 

[Andy Ful]

SWH vs. Hermetic Wiper

HermeticWiper & resurgence of targeted attacks on Ukraine

HermeticWiper & resurgence of targeted attacks on Ukraine

www.zscaler.com

On 23rd Feb 2022, there were reports of a new sophisticated wiper malware hitting several organizations in the Ukraine with an objective of destroying data and causing business disruption. Threatlabz team analyzed the malware payload involved and uncovered several new tactics used in these attacks.

Hermetic Wiper is a sophisticated malware family that is designed to destroy data and render a system inoperable
The wiper is multi-threaded to maximize speed and utilizes a kernel driver for low-level disk access
These driver files appear to be part an outdated version of the EaseUS Partition Master application developed by CHENGDU YIWO Tech Development

Attack chain #1

SWH will stop this infection chain on default settings. The Word Template will be prevented to drop/execute the VBScript payload. The template uses VBA macros to perform malicious actions.


Attack chain #2

SWH will stop this infection chain on default settings. After unpacking the RAR archive the execution of the LNK file will be blocked.

Remark.
I noted the attack vectors that could be reused in the attacks against the home users.
Some variants of this malware were also delivered via malicious SMB activity against a Microsoft Exchange Server and probably via other server vulnerabilities. Those attacks were related to the Enterprise environment and lateral movement.

 

[wat0114]

@Andy Ful

your pictorial flowcharts illustrating the malware attack chain are among the best I've seen In fact, so many technical malware analysis articles I've read often lack these illustrations.

 

[1chaoticadult]

@Andy Ful

your pictorial flowcharts illustrating the malware attack chain are among the best I've seen In fact, so many technical malware analysis articles I've read often lack these illustrations.

Agreed. They are well made and easy to read.

 

[Digmor Crusher]

They are quite nice and easy for anyone to understand.

 

[Andy Ful]

@Andy Ful

your pictorial flowcharts illustrating the malware attack chain are among the best I've seen In fact, so many technical malware analysis articles I've read often lack these illustrations.

I simply chose the right article with clear flowcharts. The link to the article can be found in my previous post.

 

[silversurfer]

SWH vs. Hermetic Wiper

HermeticWiper & resurgence of targeted attacks on Ukraine

HermeticWiper & resurgence of targeted attacks on Ukraine

www.zscaler.com

Attack chain #1

View attachment 264620

SWH will stop this infection chain on default settings. The Word Template will be prevented to drop/execute the VBScript payload. The template uses VBA macros to perform malicious actions.


Attack chain #2

View attachment 264621

SWH will stop this infection chain on default settings. After unpacking the RAR archive the execution of the LNK file will be blocked.

Remark.
I noted the attack vectors that could be reused in the attacks against the home users.
Some variants of this malware were also delivered via malicious SMB activity against a Microsoft Exchange Server and probably via other server vulnerabilities. Those attacks were related to the Enterprise environment and lateral movement.

Just an idea, do you have always ready your VM? you may would like to demonstrate (once only) how SWH prevents attacks by certain malware variants. Of course, if it's possible to see on log entries which processes are blocked due to SRP.

 

[Andy Ful]

Just an idea, do you have always ready your VM? you may would like to demonstrate (once only) how SWH prevents attacks by certain malware variants. Of course, if it's possible to see on log entries which processes are blocked due to SRP.

Making videos in the VM is very frustrating on my machines (too low RAM). The only videos I ever made, were done in the real system. Of course, adding a video would be welcome.
If one would like to test the samples against SWH and make some videos, then I can help with showing what was blocked and which restriction was involved. Of course, most of the infections via initial EXE/MSI samples cannot be stopped by SWH, because these files are intentionally allowed.
In my posts, I chose the clear infection chains from the source articles and also included some examples of malware that could not be stopped by SWH. The main purpose of all examples is to help people to understand how SWH works, which attack vectors can be blocked, and which ones cannot be blocked.

 

[Andy Ful]

SWH vs. Asylum Ambuscade spear-phishing campaign

SunSeed Malware Targets Refugees & EU Government | Proofpoint US

Proofpoint has identified a campaign using a Lua-based malware dubbed SunSeed. Learn more about the attack with Proofpoint's in-depth report.

www.proofpoint.com

Infection chain:

Nothing especially new for SWH. The VB macro (VBA macro) cannot run because SWH in Recommended Settings disables all VBA features in MS Office (in version 2.0.0.0 this is done via the DocumentsAntiExploit tool).

If the user would not use DocumentsAntiExploit hardening and would allow running the macro, then the malware could infect the computer.

How H_C_Hardening tools could prevent this attack?

• ConfigureDefender HIGH - MSI installation will be blocked by the ASR rule "Block Office applications from creating child processes".
• FirewallHardening - Msiexec LOLBin will be prevented to download the MSI payload.
• DocumentsAntiExploit tool - the initial macro will be blocked without notification.

Post Edited.
I tested the macro used in the attack. It uses the COM object WindowsInstaller.Installer which triggers Msiexec LOLBin. So, the Msiexec LOLBin will try to download the MSI payload (and not the Excel application). Msiexec LOLBin connections are blocked by FirewallHardening (Recommended H_C preset).
Here is the event from the FirewallHardening Log after running the macro:

Event[1]:
Local Time: 2022/03/03 11:55:04
ProcessID: 7784
Application: C:\windows\system32\msiexec.exe
Direction: Outbound
SourceAddress: <edited>
SourcePort: <edited>
DestAddress: 23.222.222.111 <--------- blocked (fake) remote adress (payload location)
DestPort: 80
Protocol: 6
FilterRTID: 78503
LayerName: %%14611
LayerRTID: 48
RemoteUserID: <edited>
RemoteMachineID: <edited>

Post updated to reflect the changes in SWH ver. 2.0.0.0 and later.

Edit.
SWH does not block shortcuts in the User Startup folder (H_C can do it).

 

[Andy Ful]

Updated the OP in the SWH thread. Added links to all attack examples. Added also the shortest description of SWH:
The more sophisticated attack, the fewer chances that AV can detect it, but the greater chances that SWH can prevent it.

This description is very true. When the attackers try to avoid AV detection, they start using sophisticated scripting methods and long infection chains. But, this is in clear advantage to SWH.
On the contrary, when the attacker uses a simple attack via the URL with EXE or MSI file, the SWH does nothing and relies on AV protection + SmartScreen.

 

[Back3]

Just to make sure: is version 1.0.1.1 beta, the latest version?

 

[silversurfer]

Just to make sure: is version 1.0.1.1 beta, the latest version?

AFAIK, Latest version beta 3, check quotes below:

SWH ver. 1.0.1.1 (beta 3)

Installer:
https://github.com/AndyFul/Hard_Configurator/raw/master/Simple Windows Hardening/SWH_1011_Beta3.exe

 

[Back3]

I have installed F-Secure Safe and added SWH (beta3) So far no issues.

 

[danb]

Updated the OP in the SWH thread. Added links to all attack examples. Added also the shortest description of SWH:
The more sophisticated attack, the fewer chances that AV can detect it, but the greater chances that SWH can prevent it.

This description is very true. When the attackers try to avoid AV detection, they start using sophisticated scripting methods and long infection chains. But, this is in clear advantage to SWH.
On the contrary, when the attacker uses a simple attack via the URL with EXE or MSI file, the SWH does nothing and relies on AV protection + SmartScreen.

Sorry Andy, but this description is not true at all. SRP has absolutely zero context... no parent, no command line, nothing.

All SRP does is blindly block by path or globally by extension.

 

[Andy Ful]

Sorry Andy, but this description is not true at all. SRP has absolutely zero context... no parent, no command line, nothing.

Microsoft does not agree with you:
https://docs.microsoft.com/en-us/wi...iction-policies/software-restriction-policies
This article applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. SRP is used on servers to apply it on client machines with Windows 7 and 10.

You are right, that classic SRP ignores the context that could help to differentiate the unknown from malicious. That is how also work: all other SRP, default-deny, reputation file lookup, HIPS, and similar solutions. The world is much greater than the parent/child and command-line features.

All SRP does is blindly block by path or globally by extension.

You seem to see upside down the SRP used in SWH. These SRP settings do not block by path and do not block globally the extensions.

Post edited/shortened.

Edit.
The SRP is an old but very useful security idea. A few years ago it seemed that Microsoft would like to get rid of classic SRP. But, classic SRP is still used in many organzations, because it is simpler to deploy and some of its features were not implemented in Applocker and MDAC. That is why it is still present in Windows 11 and Windows Server 2022.
SWH uses special SRP settings adjusted for fileless methods (especially as an initial vector).
In the examples included in this thread, I used some targeted attacks seen in the wild, if the adopted methods could be reused in the widespread attacks (dangerous also for home users).

 

[Andy Ful]

I would like to add some more comments to the problem of "context".
In their simplest form, both the SRP approach and Parent/Child + CmdLines solutions are kinda dumb when dealing with the "context". So, the Administrators must add some "context" by using their knowledge to create the rules or the cloud backend has to be used to see the different contexts of benign and malicious actions. But, why does Microsoft still like the SRP approach? The answer is pretty much simple. Microsoft uses Local AI, ASR rules, AMSI, and cloud backend to enhance Parent/Child + CmdLines solutions. The SRP + "system hardening via Policies" is an additional & important protection layer, based on a different approach.

In SWH (and H_C) I followed a similar security approach (AV + SRP + basic hardening) and adjusted it to the home environment with a home Administrator.

 

[Andy Ful]

Here is an example of a possible enhancement of the SRP approach (includes a nice video) via deep learning:

In this paper, we propose utilizing a static source of contextual information — the path of the PE file — as an auxiliary input to the classifier. While file paths are not malicious or benign in and of themselves, they do provide valuable context for a malicious/benign determination.

https://ai.sophos.com/presentations...-learning-architecture-for-malware-detection/

In standard SRP solutions, the paths of executables are blocked or whitelisted. This can be overridden by hash or certificate rules. One can enhance this simplistic approach in many ways. Some of these possibilities are included in the above presentation. Another way is used in the H_C by creating smart rules integrated with Forced Smartscreen. This approach is kinda similar to the approach used in Microsoft Defender Application Control with Microsoft ISG (file reputation lookup). In Windows 11, Microsoft announced adding ISG reputation feature to Defender's Security Center:

Windows 11 22H2 feature promises significant protection from malware

Windows 11 Sun Valley 2 (version 22H2) is set to launch in a few months and it’s shaping up to be a fantastic update that brings back removed features, improves the user interface, and adds new features to the operating system. One of the new addition is a new security tool that will prevent...

www.windowslatest.com

Of course, this new Defender setting will be also beneficial to SWH if one will be able to live with many false positives.
SWH does not protect against PE malware (EXE, DLL, etc.) and ISG just does it.
For now, similar protection can be applied by SWH + Defender with ConfigureDefender MAX settings.

 

[Kongo]

Here is an example of a possible enhancement of the SRP approach (includes a nice video) via deep learning:


https://ai.sophos.com/presentations...-learning-architecture-for-malware-detection/

In standard SRP solutions, the paths of executables are blocked or whitelisted. This can be overridden by hash or certificate rules. One can enhance this simplistic approach in many ways. Some of these possibilities are included in the above presentation. Another way is used in the H_C by creating smart rules integrated with Forced Smartscreen. This approach is kinda similar to the approach used in Microsoft Defender Application Control with Microsoft ISG (file reputation lookup). In Windows 11, Microsoft announced adding ISG reputation feature to Defender's Security Center:

Windows 11 22H2 feature promises significant protection from malware

Windows 11 Sun Valley 2 (version 22H2) is set to launch in a few months and it’s shaping up to be a fantastic update that brings back removed features, improves the user interface, and adds new features to the operating system. One of the new addition is a new security tool that will prevent...

www.windowslatest.com

Of course, this new Defender setting will be also beneficial to SWH if one will be able to live with many false positives.
SWH does not protect against PE malware (EXE, DLL, etc.) and ISG just does it.
For now, similar protection can be applied by SWH + Defender with ConfigureDefender MAX settings.

Any plans when the stable version of SWH is coming?