New Update Simple Windows Hardening

Andy Ful · Oct 14, 2022

SWH vs. Magniber JavaScript variant
https://malwaretips.com/threads/mag...ers-via-javascript-files.117780/#post-1007487
https://threatresearch.ext.hp.com/m...geting-home-users-with-fake-software-updates/

Previously Magniber was primarily spread through MSI and EXE files, but in September 2022 we started seeing campaigns distributing the ransomware in JavaScript files.

The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk. This technique bypasses detection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system. The .NET code decodes shellcode and injects it into another process. The ransomware code runs from this process – first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the victim’s files (Figure 2).

Figure 2 – Magniber infection chain

Interestingly, the Magniber sample we analyzed in September support different versions of Windows 11, including pre-release versions. This suggests that home users rather than enterprises were the intended targets of the campaign, since enterprises tend to use older operating systems.

Like in the previous Magniber campaign (CPL file), this one is easily blocked by SWH. But, the rest will depend on the user, because Magniber is often promoted as the system (software) update/upgrade, so many users can be fooled to turn off the protection. This is probable especially when they are looking for pirated content.

czesetfan · Oct 15, 2022

Andy Ful said:
I made some research. The block is for WindowsPackageManagerServer.exe. It can be important for developers who are going to submit their applications to Microsoft Store. When opening, the Microsoft Store tries to access it.
This block can be ignored by home users. The updates and installations of UWP apps are not impacted.
Anyway, it would be good to get rid of it.

Hi. Has there been any progress on this?

Andy Ful · Oct 15, 2022

czesetfan said:
Hi. Has there been any progress on this?

I am still not sure if the progress is necessary, here. The developer tools can be used by attackers, just like some other LOLBins.

SeriousHoax · Oct 18, 2022

Hello Andy! I saw you talking about H_C not working on Windows 11 22H2. So is it the same for Simple Windows Hardening?

Andy Ful · Oct 18, 2022

SeriousHoax said:
Hello Andy! I saw you talking about H_C not working on Windows 11 22H2. So is it the same for Simple Windows Hardening?

To be precise, currently, the SRP settings in H_C (and SWH) will work on Windows 11 22H2 when:

Windows is upgraded from Windows 10.
Windows is updated from Windows 11 21H2 (or the prior version).

For now, SRP does not work when

Windows 22H2 has been installed (clean install).
Windows 22H2 has been refreshed.

All other settings in H_C (SWH) which are not related to SRP will work as usual.
There is no info from Microsoft if the SRP issue is a bug or not.
I noticed a close relationship between this issue and the installation of Smart App Control. When SRP works on Windows 11 22H2, the SAC is not installed.

Edit.
I updated the info in the OP.

Andy Ful · Dec 7, 2022

SWH vs. Batloader
https://www.microsoft.com/en-us/sec...to-deliver-royal-ransomware-various-payloads/
https://malwaretips.com/threads/dangerous-batloader-malware-dropper.118627/post-1011278
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html

Figure 4: Comparing ZLoader (most recent campaign) and BatLoader attack chain

SWH can block such attacks in default settings via PowerShell restrictions (blocked script execution) or SRP restrictions for BAT scripts (level 2 in Figure 4).
The Batloader can execute PowerShell malware embedded in the MSI file, but it does not execute the PowerShell code in memory via CmdLine. The malware uses the MSI PowerShellScriptInline custom action, so the malicious PowerShell script code is dropped to disk as PS1 script and executed during software installation.

Andy Ful · May 15, 2023

SWH ver. 2.1.1.1 beta.

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111_beta1.zip

No need to remove the older SWH settings.

What is new:

Added support for Windows 11 ver. 22H2
Added the ONE extension (OneNote document) to the Paranoid extensions set.
Removed the OFF2 option in the DocumentsAntiExploit tool. Now, ON2 settings include all ON1 settings.
ON2 settings (if already applied) require resetting (ON2 --> OFF --> ON2) after the current update.

Back3 · May 17, 2023

Made an image with Macrium. Trying the beta with F-Secure Safe and Firewall Hardening on Windows 11 version 22H2. So far, so good!

Back3 · May 19, 2023

Everything still runs OK. Had to whitelist a shortcut from OneDrive. That’s all.

Andy Ful · Jun 2, 2023

SWH vs. Horabot
https://blog.talosintelligence.com/new-horabot-targets-americas/
https://malwaretips.com/threads/new-horabot-campaign-targets-the-americas.123594/

I like the examples posted by @silversurfer.

They usually present a complex infection chain that can evade the protection of AVs. The Horabot campaign was started in November 2020 and has been ongoing through the year 2023. So, one can say that it was successful.

In purpose to evade AV protection, the attackers adopted the initial fileless attack vector. But, SWH settings are adjusted to prevent such attacks. In this concrete example, the attack will fail just after unpacking the initial script (CMD). But, in many cases, SWH is not required. Many attacks can be prevented by simple hardening, for example:

blocking batch scripts (BAT, CMD),
blocking the outbound connections of popular LOLBins (powershell.exe, wscript.exe, cscript.exe, mshta.exe ...) or simply blocking the execution of popular LOLBins.

Andy Ful · Jun 11, 2023

SWH ver. 2.1.1.1 beta 4.

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111_beta4.zip

No new features, just one GUI improvement to make SWH more idiot-proof.

This will most probably be the stable version when I sign it with a new certificate (at the end of June).

Edit.
Currently, I work on the new version which will be finished after a few months. It will include some new options:

Block User Folders via SRP (Desktop, Downloads).
Block non-system drives via WDAC.
Set SmartScreen to Block.

These new features will be integrated with RunBySmartscreen.

Andy Ful · Jul 5, 2023

SWH ver. 2.1.1.1 - support for Windows 11 ver. 22H2

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip

It is essentially the last beta with added new digital certificate. The work on the new features is still in progress.

Gandalf_The_Grey · Jul 5, 2023

Thanks @Andy Ful for keeping developing and updating your tools, much appreciated

New version running great and without any issues here.

Can you add NanaZip to the supported archiver applications?

GitHub - M2Team/NanaZip: The 7-Zip derivative intended for the modern Windows experience

The 7-Zip derivative intended for the modern Windows experience - GitHub - M2Team/NanaZip: The 7-Zip derivative intended for the modern Windows experience

github.com

Is the new Outlook beta (olk.exe) a supported email client?

Andy Ful · Jul 5, 2023

Gandalf_The_Grey said:
Thanks @Andy Ful for keeping developing and updating your tools, much appreciated

Can you add NanaZip to the supported archiver applications?

GitHub - M2Team/NanaZip: The 7-Zip derivative intended for the modern Windows experience

The 7-Zip derivative intended for the modern Windows experience - GitHub - M2Team/NanaZip: The 7-Zip derivative intended for the modern Windows experience

github.com

Is the new Outlook beta (olk.exe) a supported email client?

It is not necessary.
NanaZip uses the same temporary folder as 7-ZIP so it is automatically supported in SWH.
Outlook (olk.exe) does not allow opening EXE/MSI attachments, so the protection is applied even without enabling SWH option *Attachments and Archives*.

Xeno1234 · Sep 17, 2023

Does this tool on default settings enable "Device Guard" on windows?

Andy Ful · Monday at 4:29 AM

Xeno1234 said:
Does this tool on default settings enable "Device Guard" on windows?

No. You can try WHHLight:

New Update - Testing Windows Hybrid Hardening (new hardening application).

Windows Hybrid Hardening. (updated in September 2023) https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/WHHLight_Package_1002.exe Menu options: SRP and Windows Policies settings: SmartScreen Block: WDAC restrictions (Windows built-in...

malwaretips.com

Search

New Update Simple Windows Hardening

Andy Ful

From Hard_Configurator Tools

czesetfan

Level 3

Andy Ful

From Hard_Configurator Tools

SeriousHoax

Level 46

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

Back3

Level 13

Back3

Level 13

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

Gandalf_The_Grey

Level 73

GitHub - M2Team/NanaZip: The 7-Zip derivative intended for the modern Windows experience

Andy Ful

From Hard_Configurator Tools

GitHub - M2Team/NanaZip: The 7-Zip derivative intended for the modern Windows experience

Xeno1234

Level 9

Andy Ful

From Hard_Configurator Tools

New Update - Testing Windows Hybrid Hardening (new hardening application).

Similar threads