Gandalf_The_Grey
Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
@Andy Ful What is the latest version of the Documents Anti-Exploit tool?
Simple Windows Hardening
- Thread starter Andy Ful
- Start date
The latest version is 2.0.0.0 and it is included in H_C_HardeningTools:
Yep the main url is fine... that was the link to his sample.Might be due to the fact that it's a malware analysis platform and that it also includes malicious samples that can be downloaded. The site itself is safe.
SWH vs. Hermetic Wiper
www.zscaler.com
Remark.
I noted the attack vectors that could be reused in the attacks against the home users.
Some variants of this malware were also delivered via malicious SMB activity against a Microsoft Exchange Server and probably via other server vulnerabilities. Those attacks were related to the Enterprise environment and lateral movement.
HermeticWiper & resurgence of targeted attacks on Ukraine | Zscaler
HermeticWiper & resurgence of targeted attacks on Ukraine
Attack chain #1
SWH will stop this infection chain on default settings. The Word Template will be prevented to drop/execute the VBScript payload. The template uses VBA macros to perform malicious actions.
Attack chain #2
SWH will stop this infection chain on default settings. After unpacking the RAR archive the execution of the LNK file will be blocked.
Remark.
I noted the attack vectors that could be reused in the attacks against the home users.
Some variants of this malware were also delivered via malicious SMB activity against a Microsoft Exchange Server and probably via other server vulnerabilities. Those attacks were related to the Enterprise environment and lateral movement.
Last edited by a moderator:
@Andy Ful
your pictorial flowcharts illustrating the malware attack chain are among the best I've seen In fact, so many technical malware analysis articles I've read often lack these illustrations.
your pictorial flowcharts illustrating the malware attack chain are among the best I've seen
In fact, so many technical malware analysis articles I've read often lack these illustrations.
Agreed. They are well made and easy to read.@Andy Ful
your pictorial flowcharts illustrating the malware attack chain are among the best I've seen
They are quite nice and easy for anyone to understand.
@Andy Ful
your pictorial flowcharts illustrating the malware attack chain are among the best I've seen
I simply chose the right article with clear flowcharts. The link to the article can be found in my previous post.
- Aug 17, 2014
- 12,310
- 121,636
- 8,399
SWH vs. Hermetic Wiper
HermeticWiper & resurgence of targeted attacks on Ukraine | Zscaler
HermeticWiper & resurgence of targeted attacks on Ukraine
Attack chain #1
View attachment 264620
SWH will stop this infection chain on default settings. The Word Template will be prevented to drop/execute the VBScript payload. The template uses VBA macros to perform malicious actions.
Attack chain #2
View attachment 264621
SWH will stop this infection chain on default settings. After unpacking the RAR archive the execution of the LNK file will be blocked.
Remark.
I noted the attack vectors that could be reused in the attacks against the home users.
Some variants of this malware were also delivered via malicious SMB activity against a Microsoft Exchange Server and probably via other server vulnerabilities. Those attacks were related to the Enterprise environment and lateral movement.
Just an idea, do you have always ready your VM? you may would like to demonstrate (once only) how SWH prevents attacks by certain malware variants. Of course, if it's possible to see on log entries which processes are blocked due to SRP.
Making videos in the VM is very frustrating on my machines (too low RAM). The only videos I ever made, were done in the real system. Of course, adding a video would be welcome.
If one would like to test the samples against SWH and make some videos, then I can help with showing what was blocked and which restriction was involved. Of course, most of the infections via initial EXE/MSI samples cannot be stopped by SWH, because these files are intentionally allowed.
In my posts, I chose the clear infection chains from the source articles and also included some examples of malware that could not be stopped by SWH. The main purpose of all examples is to help people to understand how SWH works, which attack vectors can be blocked, and which ones cannot be blocked.
Last edited:
SWH vs. Asylum Ambuscade spear-phishing campaign
www.proofpoint.com
Infection chain:
Nothing especially new for SWH. The VB macro (VBA macro) cannot run because SWH in Recommended Settings disables all VBA features in MS Office (in version 2.0.0.0 this is done via the DocumentsAntiExploit tool).
If the user would not use DocumentsAntiExploit hardening and would allow running the macro, then the malware could infect the computer.
How H_C_Hardening tools could prevent this attack?
I tested the macro used in the attack. It uses the COM object WindowsInstaller.Installer which triggers Msiexec LOLBin. So, the Msiexec LOLBin will try to download the MSI payload (and not the Excel application). Msiexec LOLBin connections are blocked by FirewallHardening (Recommended H_C preset).
Here is the event from the FirewallHardening Log after running the macro:
Post updated to reflect the changes in SWH ver. 2.0.0.0 and later.
Edit.
SWH does not block shortcuts in the User Startup folder (H_C can do it).
SunSeed Malware Targets Refugees & EU Government | Proofpoint US
Proofpoint has identified a campaign using a Lua-based malware dubbed SunSeed. Learn more about the attack with Proofpoint's in-depth report.
Infection chain:
Nothing especially new for SWH. The VB macro (VBA macro) cannot run because SWH in Recommended Settings disables all VBA features in MS Office (in version 2.0.0.0 this is done via the DocumentsAntiExploit tool).
If the user would not use DocumentsAntiExploit hardening and would allow running the macro, then the malware could infect the computer.
How H_C_Hardening tools could prevent this attack?
- ConfigureDefender HIGH - MSI installation will be blocked by the ASR rule "Block Office applications from creating child processes".
- FirewallHardening - Msiexec LOLBin will be prevented to download the MSI payload.
- DocumentsAntiExploit tool - the initial macro will be blocked without notification.
I tested the macro used in the attack. It uses the COM object WindowsInstaller.Installer which triggers Msiexec LOLBin. So, the Msiexec LOLBin will try to download the MSI payload (and not the Excel application). Msiexec LOLBin connections are blocked by FirewallHardening (Recommended H_C preset).
Here is the event from the FirewallHardening Log after running the macro:
Post updated to reflect the changes in SWH ver. 2.0.0.0 and later.
Edit.
SWH does not block shortcuts in the User Startup folder (H_C can do it).
Last edited:
Updated the OP in the SWH thread. Added links to all attack examples. Added also the shortest description of SWH:
The more sophisticated attack, the fewer chances that AV can detect it, but the greater chances that SWH can prevent it.
This description is very true. When the attackers try to avoid AV detection, they start using sophisticated scripting methods and long infection chains. But, this is in clear advantage to SWH.
On the contrary, when the attacker uses a simple attack via the URL with EXE or MSI file, the SWH does nothing and relies on AV protection + SmartScreen.
The more sophisticated attack, the fewer chances that AV can detect it, but the greater chances that SWH can prevent it.
This description is very true. When the attackers try to avoid AV detection, they start using sophisticated scripting methods and long infection chains. But, this is in clear advantage to SWH.
On the contrary, when the attacker uses a simple attack via the URL with EXE or MSI file, the SWH does nothing and relies on AV protection + SmartScreen.
Just to make sure: is version 1.0.1.1 beta, the latest version?
- Aug 17, 2014
- 12,310
- 121,636
- 8,399
I have installed F-Secure Safe and added SWH (beta3) So far no issues.
Sorry Andy, but this description is not true at all. SRP has absolutely zero context... no parent, no command line, nothing.Updated the OP in the SWH thread. Added links to all attack examples. Added also the shortest description of SWH:
The more sophisticated attack, the fewer chances that AV can detect it, but the greater chances that SWH can prevent it.
This description is very true. When the attackers try to avoid AV detection, they start using sophisticated scripting methods and long infection chains. But, this is in clear advantage to SWH.
On the contrary, when the attacker uses a simple attack via the URL with EXE or MSI file, the SWH does nothing and relies on AV protection + SmartScreen.
All SRP does is blindly block by path or globally by extension.
Microsoft does not agree with you:
https://docs.microsoft.com/en-us/wi...iction-policies/software-restriction-policies
This article applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. SRP is used on servers to apply it on client machines with Windows 7 and 10.
You are right, that classic SRP ignores the context that could help to differentiate the unknown from malicious. That is how also work: all other SRP, default-deny, reputation file lookup, HIPS, and similar solutions. The world is much greater than the parent/child and command-line features.
You seem to see upside down the SRP used in SWH. These SRP settings do not block by path and do not block globally the extensions.
Post edited/shortened.
Edit.
The SRP is an old but very useful security idea. A few years ago it seemed that Microsoft would like to get rid of classic SRP. But, classic SRP is still used in many organzations, because it is simpler to deploy and some of its features were not implemented in Applocker and MDAC. That is why it is still present in Windows 11 and Windows Server 2022.
SWH uses special SRP settings adjusted for fileless methods (especially as an initial vector).
In the examples included in this thread, I used some targeted attacks seen in the wild, if the adopted methods could be reused in the widespread attacks (dangerous also for home users).
Last edited:
I would like to add some more comments to the problem of "context".
In their simplest form, both the SRP approach and Parent/Child + CmdLines solutions are kinda dumb when dealing with the "context". So, the Administrators must add some "context" by using their knowledge to create the rules or the cloud backend has to be used to see the different contexts of benign and malicious actions. But, why does Microsoft still like the SRP approach? The answer is pretty much simple. Microsoft uses Local AI, ASR rules, AMSI, and cloud backend to enhance Parent/Child + CmdLines solutions. The SRP + "system hardening via Policies" is an additional & important protection layer, based on a different approach.
In SWH (and H_C) I followed a similar security approach (AV + SRP + basic hardening) and adjusted it to the home environment with a home Administrator.
In their simplest form, both the SRP approach and Parent/Child + CmdLines solutions are kinda dumb when dealing with the "context". So, the Administrators must add some "context" by using their knowledge to create the rules or the cloud backend has to be used to see the different contexts of benign and malicious actions. But, why does Microsoft still like the SRP approach? The answer is pretty much simple. Microsoft uses Local AI, ASR rules, AMSI, and cloud backend to enhance Parent/Child + CmdLines solutions. The SRP + "system hardening via Policies" is an additional & important protection layer, based on a different approach.
In SWH (and H_C) I followed a similar security approach (AV + SRP + basic hardening) and adjusted it to the home environment with a home Administrator.
Last edited:
Here is an example of a possible enhancement of the SRP approach (includes a nice video) via deep learning:
In standard SRP solutions, the paths of executables are blocked or whitelisted. This can be overridden by hash or certificate rules. One can enhance this simplistic approach in many ways. Some of these possibilities are included in the above presentation. Another way is used in the H_C by creating smart rules integrated with Forced Smartscreen. This approach is kinda similar to the approach used in Microsoft Defender Application Control with Microsoft ISG (file reputation lookup). In Windows 11, Microsoft announced adding ISG reputation feature to Defender's Security Center:
Of course, this new Defender setting will be also beneficial to SWH if one will be able to live with many false positives.
SWH does not protect against PE malware (EXE, DLL, etc.) and ISG just does it.
For now, similar protection can be applied by SWH + Defender with ConfigureDefender MAX settings.
https://ai.sophos.com/presentations...-learning-architecture-for-malware-detection/
In standard SRP solutions, the paths of executables are blocked or whitelisted. This can be overridden by hash or certificate rules. One can enhance this simplistic approach in many ways. Some of these possibilities are included in the above presentation. Another way is used in the H_C by creating smart rules integrated with Forced Smartscreen. This approach is kinda similar to the approach used in Microsoft Defender Application Control with Microsoft ISG (file reputation lookup). In Windows 11, Microsoft announced adding ISG reputation feature to Defender's Security Center:
Windows 11 22H2 feature promises significant protection from malware
Windows 11 Sun Valley 2 (version 22H2) is set to launch in a few months and it’s shaping up to be a fantastic update that brings back removed features, improves the user interface, and adds new features to the operating system. One of the new addition is a new security tool that will prevent...
www.windowslatest.com
Of course, this new Defender setting will be also beneficial to SWH if one will be able to live with many false positives.
SWH does not protect against PE malware (EXE, DLL, etc.) and ISG just does it.
For now, similar protection can be applied by SWH + Defender with ConfigureDefender MAX settings.
Last edited:
Any plans when the stable version of SWH is coming?Here is an example of a possible enhancement of the SRP approach (includes a nice video) via deep learning:
https://ai.sophos.com/presentations...-learning-architecture-for-malware-detection/
In standard SRP solutions, the paths of executables are blocked or whitelisted. This can be overridden by hash or certificate rules. One can enhance this simplistic approach in many ways. Some of these possibilities are included in the above presentation. Another way is used in the H_C by creating smart rules integrated with Forced Smartscreen. This approach is kinda similar to the approach used in Microsoft Defender Application Control with Microsoft ISG (file reputation lookup). In Windows 11, Microsoft announced adding ISG reputation feature to Defender's Security Center:
Windows 11 22H2 feature promises significant protection from malware
Windows 11 Sun Valley 2 (version 22H2) is set to launch in a few months and it’s shaping up to be a fantastic update that brings back removed features, improves the user interface, and adds new features to the operating system. One of the new addition is a new security tool that will prevent...www.windowslatest.com
Of course, this new Defender setting will be also beneficial to SWH if one will be able to live with many false positives.
SWH does not protect against PE malware (EXE, DLL, etc.) and ISG just does it.
For now, similar protection can be applied by SWH + Defender with ConfigureDefender MAX settings.
You may also like...
-
Simple Steps to Secure Your Windows 11 PC- Started by Divergent
- Replies: 0
-
WHHLight - simplified application control for Windows Home and Pro.- Started by Andy Ful
- Replies: 663
-
Testing Windows Hybrid Hardening (new hardening application).
- Started by Andy Ful
- Replies: 253
-
Microsoft Belatedly Delivers Windows 11 24H2 Preview Update for April- Started by Gandalf_The_Grey
- Replies: 3
-
