Q&A Simple Windows Hardening

Digmor Crusher

Level 14
Verified
Top poster
Well-known
Jan 27, 2018
695
With the new version I cannot open an Excel file in LibreOffice. If settings have to be tweaked to allow this, then doesn't that mean this program goes from an easy solution (just use default settings) to a program that is a bit more complicated because you need to tweak it?
 

Andy Ful

Level 81
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,008
Quick question on this point ~

Is the standalone version of ConfigureDefender still v3.0.1.0, as version 3.0.1.1 is included in Hardening Tools? Similarly, standalone RunBySmartscreen is at v4.0.0.1, but Hardening Tools includes v4.0.1.0.

Thanks.
Today, I am going to update the installers on the ConfigureDefender and RunBySmartscreen websites.
ConfigureDefender ver. 3.0.1.1 is the same as ver. 3.0.1.0 except for Windows Server support.
 

Andy Ful
It seems that the new settings for Excel are too restrictive. I have to think for a while about how to redesign SWH to make it as usable as before and cover the growing danger of Excel files. It is possible that I will remove the *Documents Anti-Exploit* option and publish SWH together with the DocumentsAntiExploit tool. :unsure:
 

Gandalf_The_Grey

Level 61
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,050
It seems that the new settings for Excel are too restrictive. I have to think for a while about how to redesign SWH to make it as usable as before and cover the growing danger of Excel files. It is possible that I will remove the *Documents Anti-Exploit* option and publish SWH together with the DocumentsAntiExploit tool. :unsure:
And then there is no need for blocking Excel through Protected SRP Extensions anymore?

EDIT: It could be a good idea to use two tools.
1 to harden Windows
1 to harden Microsoft Office and Adobe Reader.
 

JasonUK

Level 5
Apr 14, 2020
201
Same issue as others ~ Excel files blocked ~ not a huge issue, as I tend to save all my personal files to a specific directory which I could whitelist by path. Blocking by default isn't a terrible idea, though, as it encourages you to at least virus-check any shared/received Office document before opening it and placing it in a whitelisted location.
 

Andy Ful
And then there is no need for blocking Excel through Protected SRP Extensions anymore?

EDIT: It could be a good idea to use two tools.
1 to harden Windows
1 to harden Microsoft Office and Adobe Reader.
Yes, that is my plan. SWH version 2.0.0.0 will be published this week, so I have removed ver. 1.1.1.1 from GitHub. (y)
 

South Park

Level 9
Verified
Jun 23, 2018
402
XLSX documents cannot contain macros but have other dangerous features (like DDE, etc.). If you use Defender with ASR rules, then the XLSX extension can be safely removed via <Settings><Protected SRP Extensions>.
If you use the DocumentsAntiExploit tool, then the XLSX extension can be safely removed when using any AV.


The problem can arise if one uses custom settings to harden MS Office manually. Home users are focused on Word hardening and often forget to properly harden Excel. It is not easy to harden Excel because it has many dangerous features.
Excel files are rarely used at home and commonly used in attacks, so they are blocked in SWH ver. 1.1.1.1 by default. I am not sure if this is an optimal solution. What do you think, guys?
A few mutual funds still use XLSX files to list their holdings, so I had to unblock that extension so I could open them with GNUmeric.
 
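The post above says Excel is hard to harden by hand because its dangerous features (DDE, links, macros) live in several different places. As an added illustration, not code from the SWH or DocumentsAntiExploit tools, here is the manual, per-user alternative to blocking the XLSX extension outright. It assumes Office 2016 or later (registry version 16.0), that it runs as the user whose Office settings should change, and the choice of which values to set is this example's own; the value names and meanings are documented Office settings.

```powershell
# Added example for this thread (not the SWH / DocumentsAntiExploit code):
# per-user Office hardening for the features the post mentions.
# Assumptions: Office 2016/2019/2021/365 -> registry version "16.0";
# run in the context of the user whose settings should change.

$OfficeVersion = '16.0'   # assumption: Office 2016 and later all use 16.0
$Base = "HKCU:\Software\Microsoft\Office\$OfficeVersion"

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Macros. VBAWarnings = 4 is "disable all macros without notification"
#    (1 = enable all, 2 = disable with notification, 3 = disable except signed).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-RegDword "$Base\$app\Security" 'VBAWarnings' 4
    # Also refuse macros in files carrying the Mark-of-the-Web, even if the
    # user later relaxes VBAWarnings in the Trust Center.
    Set-RegDword "$Base\$app\Security" 'BlockContentExecutionFromInternet' 1
}

# 2. Excel: DDE needs no macros, so a plain .xlsx can abuse it.
#    These are the keys from Microsoft's DDE advisory (ADV170021).
Set-RegDword "$Base\Excel\Security\External Content" 'DisableDDEServerLaunch' 1
Set-RegDword "$Base\Excel\Security\External Content" 'DisableDDEServerLookup' 1
# 2 = do not update workbook links automatically (and do not prompt).
Set-RegDword "$Base\Excel\Security" 'WorkbookLinkWarnings' 2

# 3. Word: do not update linked fields (DDE fields included) on open.
Set-RegDword "$Base\Word\Options" 'DontUpdateLinks' 1

# Verification: report the effective macro settings per application.
function Get-OfficeMacroState {
    param([string]$App)
    $sec = Get-ItemProperty -Path "$Base\$App\Security" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App               = $App
        VBAWarnings       = $sec.VBAWarnings
        BlockFromInternet = $sec.BlockContentExecutionFromInternet
    }
}

'Word', 'Excel', 'PowerPoint' | ForEach-Object { Get-OfficeMacroState $_ } | Format-Table -AutoSize
```

These are the HKCU (user) keys, so a local administrator or a later Office update can still change them; the corresponding policy keys under HKCU\Software\Policies\Microsoft\Office are what a GPO-based deployment would use, and the SWH tool itself enforces restrictions differently (via SRP), which is why the post treats removing the XLSX block as safe only when one of these hardening layers is in place.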

Andy Ful
SWH vs. CHM attack vector
https://malwaretips.com/threads/ukr...-targeted-with-powershell-rat-malware.113839/

Compromising the security layers via ".chm" files is a well-known and still very efficient method. I saw several such attacks in the past, for example:
Cryptowall: Cryptowall Makes a Comeback Via Malicious Help Files (CHM)
Silence banking trojan: Silence – a new Trojan attacking financial organizations
LovxCrypt Ransomware: Threat Spotlight: LovxCrypt Ransomware
RURansom Wiper: https://blog.cyble.com/2022/03/11/ongoing-russia-ukraine-warfare-significant-cyber-incidents/
APT41 espionage: https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation

The common infection chain:
Email attachment -----> user downloads an attachment -----> user opens the .chm file -----> payload is dropped/downloaded and executed

SWH blocks opening .chm files by default via SRP restrictions.
The .chm file is opened by the hh.exe LOLBin (HTML Help), which is also a JavaScript interpreter. So, the attacker can embed malicious JavaScript code into the .chm file.
In the past, .chm files were often used to download and execute PE payloads, but they can also easily be used in fileless attacks, like in the example of recent attacks on German users.
 

Gandalf_The_Grey
For casual users, the best Adobe Acrobat Reader settings are probably the default ones (Protected View = OFF) and additionally:
  1. Disable JavaScript.
  2. Disable opening of non-PDF file attachments with external applications.
  3. Block PDF files to all web sites.
  4. Enable Defender's ASR rule for Adobe.
Even if the user enables JavaScript for the document, it will run in AppContainer. Acrobat Reader cannot open non-PDF attachments in external applications or URLs embedded in the documents, and cannot run other applications/LOLBins.

When one uses Protected View and the Defender ASR rule, then after using "Enable All Features" the protection is also OK, but URLs will be opened in the web browser.

Protected View, especially without the Defender ASR rule, is not good for casual users.
Coming back to this for the new DocumentsAntiExploit tool 2.0.0.1:
Wouldn't it be better to use ON for Adobe Acrobat Reader?

With CD on High and SWH on default, these are now my settings:

[attached screenshot of the DocumentsAntiExploit settings]

If I correctly understand what's written in the manual, the settings for the current user are not needed.
Adobe Acrobat Reader only when you want a different setting for the current user than for all (other) users.
MS Office only when you are not using ConfigureDefender and/or Office apps are not installed in Program Files or Program Files (x86).
 

Andy Ful
Coming back to this for the new DocumentsAntiExploit tool 2.0.0.1:
Wouldn't it be better to use ON for Adobe Acrobat Reader?

With CD on High and SWH on default, these are now my settings:

[attached screenshot of the DocumentsAntiExploit settings]

If I correctly understand what's written in the manual, the settings for the current user are not needed.
Adobe Acrobat Reader only when you want a different setting for the current user than for all (other) users.
MS Office only when you are not using ConfigureDefender and/or Office apps are not installed in Program Files or Program Files (x86).
:) (y)
 

czesetfan

Level 1
Dec 3, 2021
48
Let me get this right. That is, if I want to use desktop Office, do I need to set the Current user restriction of MS Office to ON2, or ON1? Will it be possible to open .xls, .xlsx files with this setting?
 

Andy Ful
Let me get this right. That is, if I want to use desktop Office, do I need to set the Current user restriction of MS Office to ON2, or ON1? Will it be possible to open .xls, .xlsx files with this setting?
How did you understand the info in the help file for the <MS Office> option?

[attached screenshot of the help text for the <MS Office> option]


Edit.
This help requires a correction - these restrictions also work on MS Office 2019. They probably work on MS Office 2021 too, but I did not test this version yet. Tested today, and all work well on MS Office 2021, too. :)
 

Andy Ful
SWH vs. SocGholish

According to Red Canary's 2022 Threat Detection Report, this threat is among the most prevalent threats:

[attached screenshot from the Red Canary 2022 Threat Detection Report]

The cases of SWH vs. Qbot (Qakbot) and Gootkit (Gootloader) can be found here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-978585
https://malwaretips.com/threads/simple-windows-hardening.102265/post-971785
The difference between GootLoader and Gootkit (not important in this post):
https://redcanary.com/blog/gootloader/

I will try to post about other prevalent threats like TA551 in my next post.

SocGholish and Gootkit used a similar infection chain:
https://redcanary.com/threat-detection-report/threats/socgholish/
https://redcanary.com/threat-detection-report/threats/gootkit/
[attached screenshot of the SocGholish / Gootkit infection chain]

SocGholish operators host a malicious website that implements a drive-by-download mechanism. Previous research shows that the SocGholish operators use a legitimate website and host another, malicious website in its context, for example, in an inline frame (iframe) object. The legitimate website displays content to which end-users may be lured, such as critical browser updates. The malicious website may implement, for example, JavaScript code, or conduct URL redirections to trigger the download of an archive file that stores a malicious JavaScript script.

SWH can block this threat by default via SRP restrictions for scripts.
 
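Both the .chm chain in the earlier "SWH vs. CHM attack vector" post and the SocGholish chain above (an archive that drops a .js loader) are stopped by the same mechanism: SRP treats the file extension as executable and the default level is Disallowed, so Explorer refuses to open it. The following is an added, read-only check (written for this thread, not code from the SWH tool) that shows what a machine-level SRP policy must contain for that to hold, and lists recent SRP block events so a practitioner can confirm the block actually fired. The set of "required" extensions is this example's own choice; the registry layout, level values and event IDs are the documented SRP ones.

```powershell
# Added example for this thread (not the SWH code): audit the machine SRP
# policy for the extension coverage the .chm and .js chains depend on, then
# list recent SRP blocks. Read-only; nothing on the system is changed.
# Assumption: SRP lives under the standard machine policy key below.

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel (DWORD) -> SRP security level.
$Levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Extensions the two chains rely on. Windows' default ExecutableTypes list
# already has CHM, HTA and LNK, but NOT the script types (JS, JSE, VBS, VBE,
# WSF, WSH), so a default SRP setup does not stop a downloaded .js loader.
# Which extensions count as "required" is this example's own choice.
$Required = 'CHM', 'HTA', 'LNK', 'JS', 'JSE', 'VBS', 'VBE', 'WSF', 'WSH'

function Get-SrpStatus {
    if (-not (Test-Path $SrpKey)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = 'n/a'; Missing = $Required; Ok = $false }
    }
    $p = Get-ItemProperty -Path $SrpKey
    # ExecutableTypes is REG_MULTI_SZ; normalise case before comparing.
    $types   = @($p.ExecutableTypes | ForEach-Object { $_.ToUpperInvariant() })
    $missing = @($Required | Where-Object { $types -notcontains $_ })
    $level   = if ($null -ne $p.DefaultLevel -and $Levels.ContainsKey([int]$p.DefaultLevel)) {
                   $Levels[[int]$p.DefaultLevel]
               } else { "unknown ($($p.DefaultLevel))" }
    [pscustomobject]@{
        Configured   = $true
        DefaultLevel = $level
        # TransparentEnabled: 1 = all files except DLLs are checked, 2 = DLLs too.
        Transparent  = $p.TransparentEnabled
        # PolicyScope: 0 = all users, 1 = all users except local administrators.
        PolicyScope  = $p.PolicyScope
        Missing      = $missing
        Ok           = ($level -eq 'Disallowed' -and $missing.Count -eq 0)
    }
}

# SRP logs blocks to the Application log under this provider:
# 865 = blocked by the default level, 866 = path rule, 867 = certificate
# rule, 868 = hash rule. The first line of the message names the file.
function Get-SrpBlockEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'File'; e = { ($_.Message -split "`n")[0] } }
}

Get-SrpStatus | Format-List
Get-SrpBlockEvents -Hours 72 | Format-Table -AutoSize
```

A result of `Ok = False` with `Missing` listing JS or VBS is the typical state on a machine where someone enabled SRP through the Local Security Policy snap-in but left the designated file types at their defaults: .exe is covered, the SocGholish .js is not. To reproduce a block for the event query, open a harmless test file with one of the listed extensions from the Downloads folder as a standard user; the 865 event should appear within a few seconds.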

Andy Ful
SWH vs. TA551 phishing campaigns

[attached screenshot from the Red Canary report on TA551]


The report shows that password-protected ZIP attachments with Word documents were used in the attacks. This pretty common type of attack is blocked by default in SWH by disabling VBA in MS Office.

Such attacks can be easily prevented even without SWH, by not allowing macros in MS Office documents. If macros are enabled, then the defense is more complicated. But in most cases, the attacks can be mitigated by:
  1. Restricting network connections of MS Word and popular LOLBins (certutil.exe, mshta.exe, etc.). One can use the FirewallHardening tool for that (or apply the rules manually in the firewall).
     But this attack can be modified to drop a payload embedded/encoded in the document; in such a case, restricting network connections will not help.
  2. Applying parent-child protection to prevent MS Word from spawning some LOLBins (regsvr32.exe, rundll32.exe, etc.) that can execute DLLs. This can be done via the HIPS module in an AV or via ASR rules (like in Microsoft Defender / ConfigureDefender HIGH settings). But the macro in the attack can be modified to access the WMI service via the WinMgmts moniker to bypass parent-child monitoring. So, one has to additionally restrict WMI (can be done in Microsoft Defender via ASR rules).
It is worth knowing that this type of attack does not use *.exe payloads. The final payload (Ursnif, Zloader, Valak, IcedID, Qbot) was injected into a system process (svchost.exe, msiexec.exe, etc.). Such injections are not easy for AVs to detect.

Edit.
Another example of the recent TA551 attack via ISO file (LNK + DLL) was analyzed here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-985951
 
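The two mitigations listed in the post above (outbound firewall rules for Word and the LOLBins, then Defender ASR rules for parent-child, Win32 API calls from macros and the WMI moniker bypass) can be applied with the built-in cmdlets. The block below is an added example written for this thread; it is not the FirewallHardening or ConfigureDefender tools' own code. It assumes Windows 10/11 with Microsoft Defender active, an elevated shell, and a Click-to-Run Office install under Program Files (the WINWORD.EXE path is an assumption). The ASR rule GUIDs are the documented Microsoft Defender identifiers.

```powershell
# Added example for this thread (not FirewallHardening / ConfigureDefender code).
# Requires an elevated shell and active Microsoft Defender.

$Sys = "$env:SystemRoot\System32"
$Programs = @(
    "$Sys\certutil.exe", "$Sys\mshta.exe", "$Sys\regsvr32.exe",
    "$Sys\rundll32.exe", "$Sys\wscript.exe", "$Sys\cscript.exe",
    # Assumption: Click-to-Run Office path. Blocking Word outbound breaks Word's
    # own online features (templates, help); that trade-off is the post's.
    "$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE"
)

# 1. Outbound block rule per program. Idempotent: an existing rule with the
#    same display name is replaced rather than duplicated.
function Set-OutboundBlockRule {
    param([string]$ProgramPath)
    $name = 'Harden: block outbound ' + (Split-Path -Leaf $ProgramPath)
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $ProgramPath -Profile Any -Enabled True | Out-Null
    return $name
}

# 2. Defender ASR rules (documented GUIDs). The PSExec/WMI rule is the one that
#    covers the WinMgmts-moniker trick, which parent-child checks alone miss.
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

function Enable-AsrRules {
    param([string[]]$Ids)
    # Add-MpPreference pairs the two arrays positionally: one action per id.
    $actions = @($Ids | ForEach-Object { 'Enabled' })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $actions
}

# Verification: read back what Defender actually has configured.
function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)   # 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            Id     = $ids[$i]
            Action = $acts[$i]
            Name   = $AsrRules[$ids[$i].ToUpperInvariant()]
        }
    }
}

$Programs | ForEach-Object { Set-OutboundBlockRule $_ }
Enable-AsrRules -Ids @($AsrRules.Keys)
Get-AsrRuleState | Format-Table -AutoSize
```

Note the order of defences the post implies: the firewall rules only matter for the download stage, so a document that carries its payload inline gets past them, and the ASR rules then have to stop the macro from launching or injecting into anything. Setting the action to AuditMode first and watching Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log is the usual way to find legitimate software that one of these rules would break before switching to Enabled.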

Andy Ful
Some of the threats noted in Red Canary's 2022 Threat Detection Report are penetration tools/frameworks used in an already compromised environment. They are used in highly targeted attacks (mostly in lateral movement), so I skipped them in the SWH thread.

Mimikatz

Mimikatz is a credential-dumping utility commonly leveraged by adversaries, penetration testers, and red teams to extract passwords. As an open source project, Mimikatz continues to be actively developed, with several new features added in 2020.
https://redcanary.com/threat-detection-report/threats/mimikatz/

BloodHound

BloodHound is an open source tool that provides visibility into Active Directory environments. It is a common precursor to follow-on activity, whether that's further testing or ransomware.
https://redcanary.com/threat-detection-report/threats/bloodhound/

Impacket

Though Impacket is used legitimately for testing, it is often abused by ransomware operators and other adversaries, thanks in large part to its versatility.
At its core, Impacket is a collection of Python libraries that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. These Python classes are used in multiple tools, including post-exploitation and vulnerability-scanning products, to facilitate command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI).
https://redcanary.com/threat-detection-report/threats/impacket/

Cobalt Strike

Cobalt Strike continues to be a favorite C2 tool among adversaries, as many rely on its functionality to maintain a foothold into victim organizations.
https://redcanary.com/threat-detection-report/threats/cobalt-strike/

Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.
https://www.cobaltstrike.com/

Metasploit

Penetration testing software to help you act like the attacker

Attackers are always developing new exploits and attack methods—Metasploit penetration testing software helps you use their own weapons against them. Utilizing an ever-growing database of exploits, you can safely simulate real-world attacks on your network to train your security team to spot and stop the real thing.
https://www.rapid7.com/products/metasploit/

The rest of the most prevalent threats: TA551, Qbot (Qakbot), SocGholish, Yellow Cockatoo (SolarMarker), and Gootkit (Gootloader) could be reused in attacks against home users. The Yellow Cockatoo threat uses EXE/MSI files as an initial infection vector, so it is beyond the scope of SWH. The Yellow Cockatoo (SolarMarker) uses EXE/MSI files. The older versions were not fileless, so they were beyond the scope of SWH. The recent versions described in the Red Canary report also use EXE/MSI files, but the malicious actions are performed by a PowerShell script, so the malware is blocked by SWH (default settings).

Other threats were already analyzed, and all of them could be blocked by older versions of SWH (default settings) + Defender / ConfigureDefender HIGH settings. The new versions of SWH (ver. 1.1.1.1 and later) can block these threats with the recommended settings in SWH (even without ConfigureDefender). :)(y)

Post edited.
 