New Update Simple Windows Hardening

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
565
@Azriel

there are many, many suggestions here:


...but I would recommend selecting only a handful of them, otherwise you could render your O/S practically unusable.

My favorite are the suggestions above to use Simple Window Hardening or Hard_Configurator.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
657
What I like about SWH: if something is blocked, you can check View Blocked Events and whitelist it. If you just tweak Windows to harden it, if there is an issue, most of the time, you don't know the cause.
Secondly, the developer is active in this forum, and it's very easy to get help....

Capture d’écran 2022-03-22 192859.jpg
 
Last edited:

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,566
Check that thread...
And read the included help and the manual.
Andy provided a lot of help/documentation.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
What does that mean for Simple Windows Hardening and DocumentsAntiExploit?
Do not use the Abobe Reader settings?
Or are we able to change to those settings in a next version?

I am thinking about adding "Protected View" as a separate setting in DocumentsAntiExploit. I am not sure about SWH. We will see.:unsure:
 
F

ForgottenSeer 77194

I am thinking of using Voodooshield Free (Autopilot). How does it compare against SWH. Is SWH SRP easily bypassable? Should I use both?
 
  • Like
Reactions: Nevi and show-Zi

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
I am thinking of using Voodooshield Free (Autopilot). How does it compare against SWH. Is SWH SRP easily bypassable? Should I use both?
No one will bother to bypass any of them. Simply try and choose which one better suits your needs. You can also use both of them (like some MT members), but in my opinion, such a setup is too complex.(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Post updated.

SWH + RunBySmartscreen vs. phishing attack to plant Vidar infostealer

It is not a good example for showing how SWH works because this attack is not fileless, so it is beyond the protective boundaries of SWH. Anyway, it is a good example of showing the usefulness of the RunBySmartscreen tool.

The infection chain (delivery stage in blue):
email ----> ISO attachment (spoofed as .doc document) ---> two payloads dropped (CHM and EXE) ---> EXE payload directly executed by the user or by opening the CHM file

Such attacks can be in theory prevented via SWH by adding ISO extension to the "Protected SRP Extensions" when files are opened by 3rd party application (not by Windows built-in handler). Anyway, most users will not do it because it would be inconvenient. But, they can use the RunBySmartscreen tool instead.

After opening the attachment in the email client we can see in the Explorer two files. We do not know if they are benign or malicious, so we do not open them directly but use the right-click Explorer context menu option "Run By SmartScreen". For the first payload we will see the alert (file blocked):

1648157085798.png


So, we can see that it is the CHM file and it is not commonly used in email correspondence - commonly used files are ignored by RunBySmartscreen.

For the second payload we will see the SmartScreen block:

1648157312664.png


RunBySmartscreen tool does not show alerts for the common files (movies, photos, music, etc.) and will execute safe EXE/MSI files if they will pass the SmartScreen. RunBySmartscreen will block opening/execution of files similarly to Paranoid extensions in SWH.

For PDF documents and MS Office documents with macros the alerts are also shown:

Word document with macro (DOCM) will be blocked:

1648158628668.png


Word document without macros will be opened after the alert:

1648158391224.png


PDF document will be opened after the alert:

1648161653641.png



*******************************************************************************

So what can happen after opening the payloads in the standard way?

The CHM payload will be blocked by SWH, anyway. The EXE payload will be executed without a SmartScreen alert. But wait, these payloads were downloaded from the Internet, so why there is no SmartScreen alert?
The ISO was downloaded from the Internet so it has got the MOTW. Unfortunately, files embedded in the ISO images (and other images too) do not have MOTW attached, so Windows (and Microsoft Defender too) cannot recognize them as downloaded from the Internet.

Edit.
RunBySmartscreen can be found here:
We have also a dedicated thread on MT:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
I have read with a few instances here recommending SWH + Avast works the best.

Is it because Avast's Behavior Shield with its AI and CyberCapture are weak against fileless and zero-day malware?

Thanks

Almost all AVs have problems with protecting against fileless malware. So, SWH can be useful with most AVs. Avast is a better choice than most AVs if you set it to use Hardened Mode. SWH does not restrict EXE files but Avast Hardened Mode does. The same would be true for any AV that uses a strong reputation file lookup for EXE files (Defender MAX, Norton, Comodo, etc.).

CyberCapture is strong protection, but only for EXE files with MOTW. So, it cannot protect against fileless methods.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,024
Almost all AVs have problems with protecting against fileless malware. So, SWH can be useful with most AVs. Avast is a better choice than most AVs if you set it to use Hardened Mode. SWH does not restrict EXE files but Avast Hardened Mode does. The same would be true for any AV that uses a strong reputation file lookup for EXE files (Defender MAX, Norton, Comodo, etc.).

CyberCapture is strong protection, but only for EXE files with MOTW. So, it cannot protect against fileless methods.
From what I know

Avast's Behavior Shield with its AI is for fileless malware, and

CyberCapture is for zero-day malware

 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
SWH vs. Emotet campaign


Infection chain:
Malspam (ZIP attachment or URL) ---> LNK dropped (with hidden VBScript code) ---> .vbs script created/executed ---> script downloads DLL (Emotet) and run it via Regsvr32 LOLBin

The blue part of the attack is not malicious (but very suspicious) and is used to deliver the final malware (Emotet).
SWH will block this attack on the delivery stage by blocking shortcuts (LNK files) in the UserSpace. Even if the user whitelisted this shortcut, the .vbs script would be blocked in UserSpace.

The attack would be also blocked on the delivery stage by the FirewallHardening tool, because the outbound Internet connections for wscript.exe (VBScript Interpreter) are disabled.

The attack is interesting, because when the user clicks the shortcut (LNK file) dropped to the disk, then the CmdLine embedded in the shortcut performs some unusual actions:
  1. It reads the VBScript code embedded somewhere in the shortcut body;
  2. It writes this code to the .vbs script;
  3. It executes this script.
These actions are suspicious because the shortcut is usually used to run the executable located somewhere on the disk and not to read something embedded in the shortcut to create & execute the scripting code.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Post updated.

SWH vs. IcedID & Quantum ransomware

https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
https://malwaretips.com/threads/quantum-ransomware.113416/
https://thedfirreport.com/2022/04/25/quantum-ransomware/

Infection chain (delivery stage in blue):
Email with ISO attachment ---> LNK + DLL dropped ---> CmdLine in LNK --> DLL executed (IcedID) via LOLBin (RunDLL32) ---> Cobalt Strike ---> Quantum ransomware

This is a common infection chain against Enterprises, but the delivery method can be used also in widespread attacks. We can see that the ransomware is applied as a final payload and two other malware (IcedID and Cobalt Strike) were applied before. In the wild, the ransomware was executed 4 hours later.
The shortcuts are often used to execute DLLs and scripts via LOLBins.

SWH can block this attack on default settings at the delivery stage by blocking shortcuts in UserSpace. If one does not use disk images to install software, then the ISO file type can be blocked in SWH (Settings >> Protected SRP Extensions) to prevent the malware at the beginning of the infection chain.

Edit.
Unfortunately, the opening of the ISO files is managed by the Windows built-in handler that does not support SRP.
But, ISO files can be still protected by SRP when they are opened by 3rd party applications like WinISO or Deamon Tools.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
... I set my own paths in the IDE to correspond to the folder allow exception in Defender.
It is not possible with AutoIt. Anyway, it is not a big issue. I simply disconnect WiFi for a while. I do not like to make exclusions, especially for Autoit.:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
AutoIT does not give you the option to change its compiling folder? Really?
The problem is not with compiling folder (the folder where the final EXE will be created) but with temporary files. The location of the compiling folder can be configured but not the locations of temporary files.
 
Last edited:
F

ForgottenSeer 94654

The problem is not with compiling folder (the folder where the final EXE will be created) but with temporary files. The location of the compiling folder can be configured but not the locations of temporary files.
Yeah, that is a poor design.
 
  • Like
Reactions: Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top