Q&A Simple Windows Hardening

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,620
I have examined the attack techniques used in the AV-Comparatives test "Enhanced Real-World Test 2020 – Enterprise". The test was focused on Advanced Threat Protection – Targeted Attacks, Exploits, and Fileless Threats.

So, let's find out which of these advanced attacks can be prevented by Simple Windows Hardening default settings (and most Hard_Configurator setting profiles).

The 15 test scenarios used in this test are very briefly described below:
  1. This threat is introduced via Trusted Relationship. MSHTA launches an HTML application, which executes a staged Empire PowerShell payload.
  2. This threat is introduced via Trusted Relationship. A PowerShell script containing an AMSI bypass and a PowerShell Empire stager was executed.
  3. This threat is introduced via Trusted Relationship. Windows Scripting Host was used to download a PowerShell payload via an integrated Empire PowerShell Stager, combined with an AMSI bypass.
  4. This threat is introduced through Valid Accounts. The trusted Windows utility Microsoft Build Engine was used to proxy the execution of an Empire macro payload, which opens a command and control channel.
  5. This threat is introduced through Valid Accounts. A VBScript which spawns a PowerShell process and executes an Empire payload has been used.
  6. This threat is introduced through Valid Accounts. A batch file was used to execute an obfuscated PowerShell stager and download an obfuscated PoshC2 payload.
  7. This threat is introduced via Removable Media (USB). A JavaScript executes an obfuscated PowerShell stager, which downloads and executes a PoshC2 PowerShell payload.
  8. This threat is introduced via Removable Media (USB). MSHTA.exe executes a PowerShell stager which launches a base64-encoded PoshC2 staged PowerShell payload.
  9. This threat is introduced via Removable Media (USB). A malicious Microsoft Office macro executes a PoshC2 PowerShell payload.
  10. This threat is introduced via Spearphishing Attachment. VBScript downloads and executes an XSL PoshC2 payload.
  11. This threat is introduced via Spearphishing Attachment. An HTML application downloads and executes an obfuscated PowerShell payload. This test case was created with Metasploit Meterpreter.
  12. This threat is introduced via Spearphishing Attachment. VBScript downloads and executes an XSL payload. This test case was created with Metasploit Meterpreter.
  13. This threat is introduced via Spearphishing Link. MSHTA.exe downloads and executes an obfuscated XSL payload. This test case was created with Metasploit Meterpreter.
  14. This threat is introduced via Spearphishing Link. A JavaScript downloads and executes an obfuscated PowerShell payload. This test case was created with Metasploit Meterpreter.
  15. This threat is introduced via Spearphishing Link. An EXE downloads and executes a PowerShell stager which downloads and executes an encrypted PowerShell Empire staged PowerShell payload, combined with an AMSI bypass.

All these scenarios will be blocked unless the attacker can exploit some legitimate application to get command-line access (hardly possible on a well-updated Windows 10 with well-updated software).

Anyway, even if such an exploit existed, only one scenario (number 13) could succeed, by running the command line with a Sponsor (MSHTA, etc.) to download/run the XSL payload. This would also be prevented by applying FirewallHardening with the H_C recommended Blocklist.

The other scenarios will be prevented (even after exploiting) as follows:
The techniques described in points 1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 15 use scripts as payloads (PowerShell or Windows Script Host) that will not be executed due to SWH settings.
Techniques 4 and 9 also use VBA macros, which are blocked by SWH settings.
Some techniques use an AMSI bypass, but that does not matter for SWH settings.
Most of the PowerShell payloads would be blocked even if the user allowed PowerShell scripting in SWH (and H_C), due to Constrained Language Mode, which is the SRP restriction for PowerShell and is applied independently.
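The post attributes the blocks to a handful of Windows controls: the SRP default level and its list of executable extensions, the Windows Script Host switch, PowerShell's Constrained Language Mode, the Office macro policy, and (in the Documents Anti-Exploit discussion further down) the WD ASR rules. As an added example, not code from the original post or from the SWH/Hard_Configurator project, the read-only PowerShell audit below reads those controls back so you can confirm on your own machine what would actually stop each scenario. Which exact registry values SWH writes is an assumption here; the thread does not list them. Run it in Windows PowerShell 5.1, elevated so the HKLM policy keys are readable.

```powershell
# Added audit example; not code from the original post or the SWH/Hard_Configurator project.
# Read-only: reports the controls the post relies on. Windows PowerShell 5.1, elevated for HKLM policy keys.
# Which exact registry values SWH writes is an assumption here; the thread does not list them.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpState {
    # DefaultLevel 0 = Disallowed (everything not whitelisted is blocked), 131072 = Basic User, 262144 = Unrestricted.
    if (-not (Test-Path $SaferKey)) { return [pscustomobject]@{ Configured = $false } }
    $p = Get-ItemProperty -Path $SaferKey
    $levelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    $enforce   = @{ 0 = 'Off'; 1 = 'All files except DLLs'; 2 = 'All files incl. DLLs' }
    $scriptExt = 'PS1','VBS','VBE','JS','JSE','WSF','WSH','HTA','XSL','BAT','CMD'   # extensions the 15 scenarios abuse
    $level = if ($null -eq $p.DefaultLevel) { 'not set (Unrestricted)' } else { $levelName[[int]$p.DefaultLevel] }
    [pscustomobject]@{
        Configured   = $true
        DefaultLevel = $level
        AdminsExempt = ([int]$p.PolicyScope -eq 1)             # PolicyScope 1 = local administrators bypass SRP
        Enforcement  = $enforce[[int]$p.TransparentEnabled]
        # Only extensions listed in ExecutableTypes are treated as executables by SRP; a missing one is NOT blocked.
        ScriptTypes  = @($p.ExecutableTypes | Where-Object { $_ -in $scriptExt }) -join ','
    }
}

function Get-WshState {
    # Windows Script Host switch: Enabled = 0 blocks wscript/cscript outright. It is a policy, not an
    # SRP rule, so nothing can be whitelisted under it.
    foreach ($hive in 'HKLM','HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state = if ($null -eq $v) { 'not set (enabled)' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' }
        [pscustomobject]@{ Hive = $hive; WindowsScriptHost = $state }
    }
}

function Get-PsLanguageState {
    # Under a Disallowed SRP default, PowerShell starts in ConstrainedLanguage, which is what breaks most
    # Empire/PoshC2 stagers (no Add-Type, no .NET reflection, no COM) even if .ps1 files were allowed.
    [pscustomobject]@{
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode
        LockdownEnvVar  = $env:__PSLockdownPolicy    # 4 forces ConstrainedLanguage for the session, if set
        ExecutionPolicy = Get-ExecutionPolicy         # not a security boundary; shown for completeness
    }
}

function Get-OfficeMacroPolicy {
    # VBAWarnings: 1 enable all, 2 disable with notification, 3 signed only, 4 disable all (no notification).
    # blockcontentexecutionfrominternet = 1 blocks macros in documents carrying Mark-of-the-Web.
    # Policy keys only; the Trust Center preference lives under HKCU:\Software\Microsoft\Office instead.
    $warn = @{ 1 = 'Enable all'; 2 = 'Disable with notification'; 3 = 'Signed only'; 4 = 'Disable all, no notification' }
    foreach ($ver in '16.0','15.0','14.0') {
        foreach ($app in 'Word','Excel','PowerPoint') {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path $key)) { continue }
            $p = Get-ItemProperty -Path $key
            $macros = if ($null -eq $p.VBAWarnings) { 'not set' } else { $warn[[int]$p.VBAWarnings] }
            [pscustomobject]@{ App = "$app $ver"; Macros = $macros; BlockFromInternet = ($p.blockcontentexecutionfrominternet -eq 1) }
        }
    }
}

function Get-AsrState {
    # Defender ASR rules (GUIDs are Microsoft's) most relevant to the scenarios above.
    $names = @{
        'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
        '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
        'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBS from launching downloaded executable content'
        '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
        '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
        'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    }
    $action = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    try { $mp = Get-MpPreference -ErrorAction Stop }
    catch { return [pscustomobject]@{ Rule = 'Defender cmdlets unavailable'; State = 'n/a' } }
    $ids  = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $acts = @($mp.AttackSurfaceReductionRules_Actions)
    foreach ($g in $names.Keys) {
        $i = [array]::IndexOf($ids, $g)
        $state = if ($i -ge 0) { $action[[int]$acts[$i]] } else { 'Not configured' }
        [pscustomobject]@{ Rule = $names[$g]; State = $state }
    }
}

'== Software Restriction Policies =='; Get-SrpState | Format-List
'== Windows Script Host ==';          Get-WshState | Format-Table -AutoSize
'== PowerShell ==';                    Get-PsLanguageState | Format-List
'== Office macro policy ==';           Get-OfficeMacroPolicy | Format-Table -AutoSize
'== Defender ASR rules ==';            Get-AsrState | Format-Table -AutoSize
```

Two things to read out of the report: if AdminsExempt is true and you run as administrator, an elevated PowerShell will show FullLanguage even though SRP is Disallowed, which is exactly the gap a command-line exploit in the post's scenario 13 would land in; and an extension missing from ScriptTypes (XSL is not in the Windows default list) means a payload with that extension is not subject to SRP at all.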
 

Andy Ful

One could say that paid Endpoint Security is not required in a business environment when anyone can use SWH settings for free. But this is not true, for several reasons: the business environment requires additional features to cover a much larger attack surface. For example:
  1. A very important feature of good Endpoint Security is collecting, filtering and analyzing the incidents from the many machines connected to the local network.
  2. The business environment depends on remote management via the local network. This is usually also related to using scripts and network applications.
  3. Endpoint Security should protect users against attacks from the local network, especially those performed with high privileges.
These features (and some more) are not included in SWH settings, because they are intended for a home environment. SWH settings tend to isolate machines in a home network (blocked remote features, SMB protocols) and restrict scripting. So, SWH settings are not appropriate for a business environment.
 

Andy Ful

@Andy Ful is the standalone Documents Anti Exploit needed when using Simple Windows Hardening?
It is recommended in the below cases:
  1. An MS Office version is installed which is not supported by Microsoft, and WD ASR rules are not enabled.
  2. The MS Office hardening from SWH is too restrictive and cannot be applied.
The standalone Documents Anti-Exploit does not disable VBA for MS Office applications, but only in MS Office documents. It also applies some additional policies that can protect the user when ASR rules are not enabled.
 

Morro

Level 9
Verified
Jul 8, 2012
430
Okay, a short while ago I started using this software program ...

Now, till yesterday there were no problems between it and other software. Well, there still is not a real problem; what I discovered is actually more annoying than a problem.

I use Soft Organizer PRO (a GoTD from last year) and it has a lifetime license (but no upgrades, as is often the case with GoTDs).

This is its website: Soft Organizer 8.18 - Free Program Uninstallation Utility (chemtable.com)

I really like Soft Organizer for installing and de-installing software. It simply works the best in my opinion. :) Today I had to de-install and re-install PrivaZer for some reason, so I tried to start up Soft Organizer PRO ... but Simple Windows Hardening stopped it from starting up. Now Simple Windows Hardening has a whitelist option, so I added Soft Organizer to the whitelist (both by folder and after that by file; I even tried both at once). But Simple Windows Hardening still does not allow Soft Organizer to start ... even though I can use Soft Organizer to install software without a problem?

Now I can temporarily stop SWH and then restart it after de-installing a piece of software (which I did for PrivaZer today), but I am not sure why SWH still does not allow me to start Soft Organizer PRO after I placed it on the whitelist? (Am I doing something wrong here?) And yeah, there are other software programs that can help with de-installing software ... like Revo Uninstaller, BC Uninstaller and IObit Uninstaller, to name a few. But in my opinion none of those are able to remove the remaining traces of software as well as Soft Organizer can after de-installing a piece of software (especially not when you installed that software with Soft Organizer before).

Is there anyone who has an idea about this annoying thing I mentioned above?
 

ErzCrz

Level 8
Verified
Aug 19, 2019
373
Quoting Morro's post above (Soft Organizer PRO blocked by SWH despite whitelisting):

Did you do a full reboot after whitelisting, or a full logoff? It should prompt you when you whitelist the folder. Have you tried "Run by SmartScreen" via right click? Sorry, I use H_C so it's not quite the same as what I use normally, though it works much the same in the background.
 

Andy Ful

Quoting Morro's post above (Soft Organizer PRO blocked by SWH despite whitelisting):
Hi,
There is no need to whitelist the application executables (*.exe and *.dll files) because they are already allowed by SWH. If the application is blocked, then another file (required by the application) is probably blocked by SWH. The details should be visible when you look into the log of blocked events (the blue <View Blocked Events> button).
Whitelisting the application folder (like you did) can usually solve the blocking issue.

I installed Soft Organizer 8.18. The installation was done without a problem. I can start the application without any whitelisting and successfully uninstalled 2 applications without any problem (no whitelisting required). Please post the info from the log of <View Blocked Events>.
I will also install PrivaZer soon, to see if it can be an issue. (y)
 

Morro

Quoting Andy Ful's reply above (check <View Blocked Events>; whitelisting the application folder usually solves it):
Thank you for testing it out. :)

This is what the log shows. (It is in Dutch; translated here.)

Description:
The administrator has restricted access to [...] because the level of the default software restriction policy has been changed.

It basically says that AppLaunch.vbs is restricted because the level of the default software restriction policy was changed?

EDIT: PrivaZer is working perfectly again; I doubt your program had anything to do with me having to de-install and re-install it. I had the same problem with it once before, last year,
long before I started using SWH.

EDIT 2: Problem solved ... placing the file AppLaunch.vbs on the whitelist solved it; I can start Soft Organizer again. :)
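The event Morro quotes and the whitelist entry that fixed it are plain SRP plumbing. As an added example, not code from the thread or from SWH/Hard_Configurator, the PowerShell below reads the same SRP events that <View Blocked Events> shows (Application log, provider Microsoft-Windows-SoftwareRestrictionPolicies; Event ID 865 is the "restricted by the default software restriction policy level" event Morro posted), lists the path rules already present, and shows the registry form of an Unrestricted path rule for a single file. The Soft Organizer path in the usage line is a placeholder, since the real path was not posted. If you use SWH or H_C, add whitelist entries through the tool so it stays aware of them; this shows the mechanism underneath.

```powershell
# Added example (not from SWH/Hard_Configurator or the thread): inspect SRP block events and path rules,
# and show the registry form of an Unrestricted (whitelist) path rule. Windows PowerShell 5.1, elevated.

function Get-SrpBlockedEvents {
    # SRP writes to the Application log. 865 = blocked by the default level (the event Morro posted),
    # 866 = path rule, 867 = certificate rule, 868 = zone rule, 882 = hash rule.
    param([int]$Hours = 24)
    $ruleKind = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule'; 868 = 'zone rule'; 882 = 'hash rule' }
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = @($ruleKind.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Rule    = $ruleKind[$_.Id]
            Path    = $_.Properties[0].Value   # %1 in the message template is the blocked file
        }
    }
}

function Get-SrpPathRules {
    # Rules are GUID-named subkeys under <level>\Paths. The most specific matching rule wins,
    # so a file rule under Unrestricted overrides a folder rule or the Disallowed default.
    $levelName = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }
    foreach ($lvl in $levelName.Keys) {
        $paths = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\$lvl\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Level = $levelName[$lvl]; Path = $p.ItemData; Description = $p.Description }
        }
    }
}

function Add-SrpUnrestrictedPath {
    # The SRP form of a whitelist entry. Prefer a single file over a folder: an Unrestricted folder
    # rule lets anything dropped into that folder run, and SRP matches on path only, so a
    # user-writable folder would undo the Disallowed default there.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path, [string]$Description = 'Whitelisted manually')
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths'
    $rule = Join-Path $base ('{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    if ($PSCmdlet.ShouldProcess($Path, 'Add SRP Unrestricted path rule')) {
        New-Item -Path $rule -Force | Out-Null
        New-ItemProperty -Path $rule -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
        New-ItemProperty -Path $rule -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
        New-ItemProperty -Path $rule -Name Description  -Value $Description -PropertyType String       | Out-Null
        New-ItemProperty -Path $rule -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
    }
    $rule
}

Get-SrpBlockedEvents -Hours 72 | Format-Table -AutoSize
Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
# Placeholder path (the real one was not posted). -WhatIf previews; drop it to write the rule.
Add-SrpUnrestrictedPath -Path 'C:\Program Files\ExampleApp\AppLaunch.vbs' -Description 'Soft Organizer launcher' -WhatIf
```

The caveat a practitioner should keep in mind: whitelisting AppLaunch.vbs by file (as Morro ended up doing) is the right shape, because the rule only ever lets that one path run. Whitelisting the whole application folder also works, but only stays safe as long as a standard user cannot write into that folder.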
 

Back3

Level 7
Apr 14, 2019
309
How many scenarios are blocked if I only use the Windows Hardening part of SWH and block MSHTA.exe with my firewall?
 

Andy Ful

I installed & configured PrivaZer 4.0.17 and did a disk cleanup. I noticed that PrivaZer also ran the Windows built-in cleanup application. After the cleanup, Soft Organizer stopped working properly: I could not use it via the icon in the taskbar notification area, but I could still use it from the desktop. Uninstalled PrivaZer without problems; no whitelisting required. After reinstalling Soft Organizer, it works properly.

The blocked entry is a VBS script (blocked by SRP). This file is absent in my installation, probably because it is the free version. :)(y)

PS.
You can edit your post and remove the blocked path (for privacy).
 

Andy Ful

I've read page 8-9. Most scenarios use Windows Script Host and PowerShell Scripts; Windows Hardening in SWH restrict those Scripts. So my antivirus protection would be enhanced just by using Windows Hardening. Am I right?
Yes. Windows Script Host and PowerShell scripts can also be blocked (by Administrator Policies) when setting *Admin Windows Script Host* and *Admin PowerShell Scripts* to Restricted. So, this will enhance the protection of most AVs. But these options, and all others available via <Windows Hardening>, do not use SRP, so the blocked files cannot be whitelisted. If @Morro used these settings, he could not start Soft Organizer via AppLaunch.vbs.
 

Morro

Quoting Andy Ful's reply above (PrivaZer test; the blocked entry is a VBS script absent from the free version):

Yeah, it is possible that it is a file only present in the PRO version. But I will keep an eye out next time I run PrivaZer (I run it once a month) to see if Soft Organizer stops working properly.
 

Andy Ful

Quoting Andy Ful's earlier reply above (when the standalone Documents Anti-Exploit is recommended):
After researching the recent development of attacks via weaponized documents, I must change my recommendation for using the DocumentsAntiExploit tool. In the last year, attack techniques not related to VBA macros became more and more popular, especially in weaponized Excel documents. These techniques are not well detected by AVs and not fully covered by AMSI and ASR rules in WD. So, I recommend using the DocumentsAntiExploit tool with the ON2 setting to enhance the protection of MS Office.
 

HarborFront

Level 57
Verified
Content Creator
Oct 9, 2016
4,615
Quoting Andy Ful's updated recommendation above (use the DocumentsAntiExploit tool with the ON2 setting):
I'm using SWH. Is the DocumentsAntiExploit tool in SWH? I thought I saw it inside SWH. Or does it need to be used independently? If it's the latter, where do I download the standalone version? BTW, what is ON2?

Thanks
 