New Update Simple Windows Hardening

[Andy Ful]

SWH vs. Magniber JavaScript variant
https://malwaretips.com/threads/mag...ers-via-javascript-files.117780/#post-1007487
https://threatresearch.ext.hp.com/m...geting-home-users-with-fake-software-updates/

Previously Magniber was primarily spread through MSI and EXE files, but in September 2022 we started seeing campaigns distributing the ransomware in JavaScript files.

The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk. This technique bypasses detection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system. The .NET code decodes shellcode and injects it into another process. The ransomware code runs from this process – first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the victim’s files (Figure 2).

Figure 2 – Magniber infection chain​

Interestingly, the Magniber sample we analyzed in September support different versions of Windows 11, including pre-release versions. This suggests that home users rather than enterprises were the intended targets of the campaign, since enterprises tend to use older operating systems.

Like in the previous Magniber campaign (CPL file), this one is easily blocked by SWH. But, the rest will depend on the user, because Magniber is often promoted as the system (software) update/upgrade, so many users can be fooled to turn off the protection. This is probable especially when they are looking for pirated content.

 

[czesetfan]

I made some research. The block is for WindowsPackageManagerServer.exe. It can be important for developers who are going to submit their applications to Microsoft Store. When opening, the Microsoft Store tries to access it.
This block can be ignored by home users. The updates and installations of UWP apps are not impacted.
Anyway, it would be good to get rid of it.

Hi. Has there been any progress on this?

 

[Andy Ful]

Hi. Has there been any progress on this?

I am still not sure if the progress is necessary, here. The developer tools can be used by attackers, just like some other LOLBins.

 

[SeriousHoax]

Hello Andy! I saw you talking about H_C not working on Windows 11 22H2. So is it the same for Simple Windows Hardening?

 

[Andy Ful]

Hello Andy! I saw you talking about H_C not working on Windows 11 22H2. So is it the same for Simple Windows Hardening?

To be precise, currently, the SRP settings in H_C (and SWH) will work on Windows 11 22H2 when:

• Windows is upgraded from Windows 10.
• Windows is updated from Windows 11 21H2 (or the prior version).

For now, SRP does not work when

• Windows 22H2 has been installed (clean install).
• Windows 22H2 has been refreshed.

All other settings in H_C (SWH) which are not related to SRP will work as usual.
There is no info from Microsoft if the SRP issue is a bug or not.
I noticed a close relationship between this issue and the installation of Smart App Control. When SRP works on Windows 11 22H2, the SAC is not installed.

Edit.
I updated the info in the OP.

 

[Andy Ful]

SWH vs. Batloader
https://www.microsoft.com/en-us/sec...to-deliver-royal-ransomware-various-payloads/
https://malwaretips.com/threads/dangerous-batloader-malware-dropper.118627/post-1011278
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html

Figure 4: Comparing ZLoader (most recent campaign) and BatLoader attack chain

SWH can block such attacks in default settings via PowerShell restrictions (blocked script execution) or SRP restrictions for BAT scripts (level 2 in Figure 4).
The Batloader can execute PowerShell malware embedded in the MSI file, but it does not execute the PowerShell code in memory via CmdLine. The malware uses the MSI PowerShellScriptInline custom action, so the malicious PowerShell script code is dropped to disk as PS1 script and executed during software installation.

 

[Andy Ful]

SWH ver. 2.1.1.1 beta.

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111_beta1.zip

No need to remove the older SWH settings.

What is new:

1. Added support for Windows 11 ver. 22H2
2. Added the ONE extension (OneNote document) to the Paranoid extensions set.
3. Removed the OFF2 option in the DocumentsAntiExploit tool. Now, ON2 settings include all ON1 settings.
   ON2 settings (if already applied) require resetting (ON2 --> OFF --> ON2) after the current update.

 

[Back3]

Made an image with Macrium. Trying the beta with F-Secure Safe and Firewall Hardening on Windows 11 version 22H2. So far, so good!

 

[Back3]

Everything still runs OK. Had to whitelist a shortcut from OneDrive. That’s all.

 

[Andy Ful]

SWH vs. Horabot
https://blog.talosintelligence.com/new-horabot-targets-americas/
https://malwaretips.com/threads/new-horabot-campaign-targets-the-americas.123594/

I like the examples posted by @silversurfer.
They usually present a complex infection chain that can evade the protection of AVs. The Horabot campaign was started in November 2020 and has been ongoing through the year 2023. So, one can say that it was successful.

In purpose to evade AV protection, the attackers adopted the initial fileless attack vector. But, SWH settings are adjusted to prevent such attacks. In this concrete example, the attack will fail just after unpacking the initial script (CMD). But, in many cases, SWH is not required. Many attacks can be prevented by simple hardening, for example:

• blocking batch scripts (BAT, CMD),
• blocking the outbound connections of popular LOLBins (powershell.exe, wscript.exe, cscript.exe, mshta.exe ...) or simply blocking the execution of popular LOLBins.

 

[Andy Ful]

SWH ver. 2.1.1.1 beta 4.

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111_beta4.zip

No new features, just one GUI improvement to make SWH more idiot-proof.
This will most probably be the stable version when I sign it with a new certificate (at the end of June).

Edit.
Currently, I work on the new version which will be finished after a few months. It will include some new options:

1. Block User Folders via SRP (Desktop, Downloads).
2. Block non-system drives via WDAC.
3. Set SmartScreen to Block.

These new features will be integrated with RunBySmartscreen.

 

[Andy Ful]

SWH ver. 2.1.1.1 - support for Windows 11 ver. 22H2

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip

It is essentially the last beta with added new digital certificate. The work on the new features is still in progress.

 

[Gandalf_The_Grey]

Thanks @Andy Ful for keeping developing and updating your tools, much appreciated
New version running great and without any issues here.

Can you add NanaZip to the supported archiver applications?

GitHub - M2Team/NanaZip: The 7-Zip derivative intended for the modern Windows experience

The 7-Zip derivative intended for the modern Windows experience - M2Team/NanaZip

github.com

Is the new Outlook beta (olk.exe) a supported email client?

 

[Andy Ful]

Thanks @Andy Ful for keeping developing and updating your tools, much appreciated

Can you add NanaZip to the supported archiver applications?

GitHub - M2Team/NanaZip: The 7-Zip derivative intended for the modern Windows experience

The 7-Zip derivative intended for the modern Windows experience - M2Team/NanaZip

github.com

Is the new Outlook beta (olk.exe) a supported email client?

It is not necessary.
NanaZip uses the same temporary folder as 7-ZIP so it is automatically supported in SWH.
Outlook (olk.exe) does not allow opening EXE/MSI attachments, so the protection is applied even without enabling SWH option *Attachments and Archives*.

 

[Xeno1234]

Does this tool on default settings enable "Device Guard" on windows?

 

[Andy Ful]

Does this tool on default settings enable "Device Guard" on windows?

No. You can try WHHLight:

New Update - Testing Windows Hybrid Hardening (new hardening application).

Windows Hybrid Hardening. (updated in October 2023) https://github.com/AndyFul/Hard_Configurator/blob/master/WindowsHybridHardening/WHHLight_Package_1004.exe The link to the WHHLight website: https://github.com/AndyFul/Hard_Configurator/tree/master/WindowsHybridHardening...

malwaretips.com

 

[czesetfan]

Which successful attacks could have been prevented by deploying WSH ?
Advanced Threat Protection Test 2023 - Consumer

 

[Andy Ful]

Which successful attacks could have been prevented by deploying WSH ?
Advanced Threat Protection Test 2023 - Consumer

The report lacks some important details, so I assumed the techniques mostly used in attacks via the Internet. So, all attacks require user interaction to run the dropped file. Additional information:

We use system programs designed to evade signature-based detection, while also exploiting the versatility of popular scripting languages such as JavaScript, batch files, PowerShell and Visual Basic scripts.

In the consumer test, an admin account is targeted, although every POC is executed using only a standard-user account, with medium integrity.

1. Flash drive ---> ZIP ---> ISO ---> EXE
   Not blocked in default settings, except when the user opens files from flash drives via "Run By SmartScreen" (as recommended in the SWH documentation).
   Such attacks can be also prevented by adding the ISO extension to SRP or using the "Paranoid extensions" option in SWH. But this can only work if ISO files are opened by a dedicated application like PowerISO, 7-ZIP, etc.
   To prevent other popular variants, one has to also add such extensions as IMG, VHD, and VHDX (included in "Paranoid extensions").
2. Flash drive ---> JS
   Blocked by default.
3. Flash drive ---> CPL
   Blocked by default.
4. JS dropped and executed
   Blocked by default.
5. HTML smuggling or Email attachment ---> EXE
   If the EXE file is dropped via a web browser, it will be blocked by SmartScreen for Explorer.
   If the file is dropped via email client, it will be blocked by SWH.
6. HTML smuggling or Email attachment ---> JS
   Blocked by default.
7. HTML smuggling or Email attachment ---> EXE
   If the EXE file is dropped via a web browser, it will be blocked by SmartScreen for Explorer.
   If the file is dropped via email client, it will be blocked by SWH.
8. Spearphishing Link ---> MSI
   Blocked by SmartScreen for Explorer.
9. Spearphishing Link ---> EXE
   Blocked by SmartScreen for Explorer.
10. Spearphishing Link ---> Office document ---> patching AMSI (VBA code) ---> malicious macro or script
    If MS Office is patched (no 0-day exploit), the attack can be blocked by DocumentsAntiExploit (tool included in SWH to protect MS Office).
11. HTML smuggling or Email attachment ---> PIF
    Blocked by default.
12. HTML smuggling or Email attachment ---> EXE
    If the EXE file is dropped via a web browser, it will be blocked by SmartScreen for Explorer.
    If the file is dropped via email client, it will be blocked by SWH.
13. PS1 dropped and executed
    Blocked by default.
14. HTA dropped and executed by the user
    Blocked by default.
15. HTML smuggling or Email attachment ---> JS
    Blocked by default.

In rare cases, the attacks assumed to be blocked by SmartScreen can succeed in the wild. For example when the EXE or MSI 0-day malware is digitally signed with an EV certificate.

 

[Andy Ful]

There are some DLL hijacking techniques that could bypass SmartScreen, but they were skipped in the test. Generally, I recommend using "Run By SmartScreen" to execute unknown EXE files. "Run By SmartScreen" can prevent bypassing SmartScreen via DLL hijacking.

 

[ForgottenSeer 103564]

The report lacks some important details, so I assumed the techniques mostly used in attacks via the Internet. So, all attacks require user interaction to run the dropped file.

Run by smart screen to achieve elevated status.

Basically, don't click these without verification of file, back to the basics. I'm trying to understand the point of such a test other then to see if the security will stop it after the user says "sure go ahead".

@Andy Ful don't laugh to hard, couldn't resist.