New Update Simple Windows Hardening

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
I have examined the attack techniques used in the AV-Comparatives test "Enhanced Real-World Test 2020 – Enterprise". The test was focused on Advanced Threat Protection – Targeted Attacks, Exploits, and Fileless Threats.
www.av-comparatives.org

Enhanced Real-World Test 2020 - Enterprise

AV-Comparatives released their Enhanced Real-World Test 2020 for Enterprise security products, testing the protection against advanced attacks
www.av-comparatives.org www.av-comparatives.org

So, let's find out which of these advanced attacks can be prevented by Simple Windows Hardening default settings (and most Hard_Configurator setting profiles).

The 15 test scenarios used in this test are very briefly described below:
  1. This threat is introduced via Trusted Relationship. MSHTA launches an HTML application, which executes a staged Empire PowerShell payload.
  2. This threat is introduced via Trusted Relationship. A PowerShell script containing an AMSI bypass and a PowerShell Empire stager was executed.
  3. This threat is introduced via Trusted Relationship. Windows Scripting Host was used to download a PowerShell payload via an integrated Empire PowerShell Stager, combined with an AMSI bypass.
  4. This threat is introduced through Valid Accounts. The trusted Windows utility Microsoft Build Engine was used to proxy the execution of an Empire macro payload, which opens a command and control channel.
  5. This threat is introduced through Valid Accounts. A VBScript which spawns a PowerShell process and executes an Empire payload has been used.
  6. This threat is introduced through Valid Accounts. A batch file was used to execute an obfuscated PowerShell stager, download an obfuscated PoshC2.
  7. This threat is introduced via Removable Media (USB). A JavaScript executes an obfuscated PowerShell stager, which downloads and executes a PoshC2 PowerShell payload.
  8. This threat is introduced via Removable Media (USB). MSHTA.exe executes a PowerShell stager which launches a base64-encoded PoshC2 staged PowerShell payload.
  9. This threat is introduced via Removable Media (USB). A malicious Microsoft Office macro executes a PoshC2 PowerShell payload.
  10. This threat is introduced via Spearphishing Attachment. VBScript downloads and executes an XSL PoshC2.
  11. This threat is introduced via Spearphishing Attachment. A HTML application downloads and executes an obfuscated PowerShell payload. This test case was created with Metasploit Meterpreter.
  12. This threat is introduced via Spearphishing Attachment. VBScript downloads and executes an XSL payload. This test case was created with Metasploit Meterpreter.
  13. This threat is introduced via Spearphishing Link. MSHTA.exe downloads and executes an obfuscated XSL payload. This test case was created with Metasploit Meterpreter.
  14. This threat is introduced via Spearphishing Link. A JavaScript downloads and executes an obfuscated PowerShell payload. This test case was created with Metasploit Meterpreter.
  15. This threat is introduced via Spearphishing Link. exe downloads and executes a PowerShell stager which downloads and executes an encrypted PowerShell Empire staged PowerShell payload, combined with an AMSI bypass.

All these scenarios will be blocked if the attacker could not exploit some legal application to get command-line access (hardly possible on well-updated Windows 10 with well-updated software).

Anyway, even if such an exploit would exist then only one scenario (number 13) could be successful by running the command-line with Sponsor (MSHTA, etc.) to download/run the XSL payload. This would be prevented also by applying FirewallHardening with H_C recommended Blocklist.

The other scenarios will be prevented (even after exploiting) as follows:
The techniques described in points 1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, 15 use scripts as payloads (PowerShell or Windows Script Host) that will not be executed due to SWH settings.
Techniques 4 and 9 use also VBA macros that are blocked by SWH settings.
Some techniques use AMSI bypass, but SWH settings do not mind it.
Most of the PowerShell payloads would be blocked even if the user would allow PowerShell scripting in SWH (and H_C), due to Constrained Language Mode which is the SRP restriction for PowerShell applied independently.
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: Back3, Nevi, Protomartyr and 10 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
One could say that the paid Endpoint Security is not required in a business environment when anyone can use SWH settings for free. But this is not true for several reasons, because the business environment requires additional features to cover a much larger attack area. For example:
  1. The very important feature of a good Endpoint Security is collecting/filtering/analyzing the incidents from many machines connected to the local network.
  2. The business environment depends on remote management via the local network. This is usually related also to using scripts and network applications.
  3. Endpoint Security should protect users against attacks from the local network, especially when performed with high privileges.
These features (and some more) are not included in SWH settings, because they are intended for a home environment. SWH settings tend to isolate machines in a home network (blocked remote features, SMB protocols) and restrict scripting. So, SWH settings are not appropriate for a business environment.
 
  • Like
Reactions: Nevi, ColonelMal, Gilbert2020 and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Gandalf_The_Grey said:
@Andy Ful is the standalone Documents Anti Exploit needed when using Simple Windows Hardening?
Click to expand...
It is recommended in the below cases:
  1. MS Office version is installed which is not supported by Microsoft and WD ASR rules are not enabled.
  2. The MS Office hardening from SWH is too restrictive and cannot be applied.
The standalone Documents Anti-Exploit does not disable VBA for MS Office applications, but only in MS Office documents. It also applies some additional policies that can protect the user when ASR rules are not enabled.
 
  • Like
  • Thanks
  • +Reputation
Reactions: Nevi, Protomartyr, Deletedmessiah and 5 others
Morro

Morro

Level 18
Verified
Top Poster
Well-known
Jul 8, 2012
894
Okay, a short while ago I started using this software program ...

Now till yesterday there where no problems between it and other software. Well there still is not a real problem, what I discovered is actually more annoying then a problem.

I use Soft Organizer PRO ( A GoTD from last year. ) and it has a lifetime license. ( But no upgrades as is often the case with GoTD's. )

This is it's website: Soft Organizer 8.18 - Free Program Uninstallation Utility (chemtable.com)

I really like Soft Organizer for installing and de-installing software. It simple works the best in my opinion. :) Today I had to de-install and re-install PrivaZer for some reason, so I tried to start up Soft Organizer PRO ... but Simple Windows hardening stopped it from starting up. Now Simple Windows Hardening has a whitelist option, so I added Soft Organizer to the Whitelist. ( Both by folder and after that by file, I even tried both at once? ) But Simple Windows Hardening still does not allow Soft Organizer to start ... even though I can use Soft Organizer to install software without a problem?

Now I can temporarily stop SWH and then restart it after de-installing a piece of software ( Which I did for PrivaZer today. ) but I am not sure why SWH still does not allow me to start Soft Organizer PRO after I placed it on the Whitelist? ( Am I doing something wrong here? ) And yeah there are other software programs that can help with de-installing software ... like Revo-Uninstaller, BC Uninstaller and IOBit Uninstaller to name a few. But in my opinion none of those are able to remove remaining traces of software as good as Soft Organizer can after de-installing a piece of software. ( Especially not when you installed that software with Soft Organizer before. )

Is there any one who has an idea about this annoying thing I mentioned above?
 
  • Like
Reactions: Andy Ful, Gandalf_The_Grey, Nevi and 2 others
ErzCrz

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,157
Morro said:
Okay, a short while ago I started using this software program ...

Now till yesterday there where no problems between it and other software. Well there still is not a real problem, what I discovered is actually more annoying then a problem.

I use Soft Organizer PRO ( A GoTD from last year. ) and it has a lifetime license. ( But no upgrades as is often the case with GoTD's. )

This is it's website: Soft Organizer 8.18 - Free Program Uninstallation Utility (chemtable.com)

I really like Soft Organizer for installing and de-installing software. It simple works the best in my opinion. :) Today I had to de-install and re-install PrivaZer for some reason, so I tried to start up Soft Organizer PRO ... but Simple Windows hardening stopped it from starting up. Now Simple Windows Hardening has a whitelist option, so I added Soft Organizer to the Whitelist. ( Both by folder and after that by file, I even tried both at once? ) But Simple Windows Hardening still does not allow Soft Organizer to start ... even though I can use Soft Organizer to install software without a problem?

Now I can temporarily stop SWH and then restart it after de-installing a piece of software ( Which I did for PrivaZer today. ) but I am not sure why SWH still does not allow me to start Soft Organizer PRO after I placed it on the Whitelist? ( Am I doing something wrong here? ) And yeah there are other software programs that can help with de-installing software ... like Revo-Uninstaller, BC Uninstaller and IOBit Uninstaller to name a few. But in my opinion none of those are able to remove remaining traces of software as good as Soft Organizer can after de-installing a piece of software. ( Especially not when you installed that software with Soft Organizer before. )

Is there any one who has an idea about this annoying thing I mentioned above?
Click to expand...

Did you do a full reboot after whitelisting or full logoff? It should prompt you when you whitelisted the folder. Have you tried "run by smartscreen" via right click. Sorry, I use H_C so it's not quite the same as what I use normally though works much the same in the background.
 
  • Like
Reactions: Protomartyr, Andy Ful, Gandalf_The_Grey and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Morro said:
Okay, a short while ago I started using this software program ...

Now till yesterday there where no problems between it and other software. Well there still is not a real problem, what I discovered is actually more annoying then a problem.

I use Soft Organizer PRO ( A GoTD from last year. ) and it has a lifetime license. ( But no upgrades as is often the case with GoTD's. )

This is it's website: Soft Organizer 8.18 - Free Program Uninstallation Utility (chemtable.com)

I really like Soft Organizer for installing and de-installing software. It simple works the best in my opinion. :) Today I had to de-install and re-install PrivaZer for some reason, so I tried to start up Soft Organizer PRO ... but Simple Windows hardening stopped it from starting up. Now Simple Windows Hardening has a whitelist option, so I added Soft Organizer to the Whitelist. ( Both by folder and after that by file, I even tried both at once? ) But Simple Windows Hardening still does not allow Soft Organizer to start ... even though I can use Soft Organizer to install software without a problem?

Now I can temporarily stop SWH and then restart it after de-installing a piece of software ( Which I did for PrivaZer today. ) but I am not sure why SWH still does not allow me to start Soft Organizer PRO after I placed it on the Whitelist? ( Am I doing something wrong here? ) And yeah there are other software programs that can help with de-installing software ... like Revo-Uninstaller, BC Uninstaller and IOBit Uninstaller to name a few. But in my opinion none of those are able to remove remaining traces of software as good as Soft Organizer can after de-installing a piece of software. ( Especially not when you installed that software with Soft Organizer before. )

Is there any one who has an idea about this annoying thing I mentioned above?
Click to expand...
HI,
There is no need to whitelist the Application executables (*.exe and *.dll files) because they are already allowed by SWH. If the Application is blocked then another file (required by the application) is probably blocked by SWH. The details should be visible when you look into the log of blocked events (the blue <View Blocked Events> button).
Whitelisting the Application folder (like you did) can usually solve the blocking issue.

I installed the Soft Organizer 8.18. The installation was done without a problem. I can start the application without any whitelisting and successfully uninstalled 2 applications without any problem (no whitelisting required). Please post the info from the log of <View Blocked Events> .
I will also install Privazer soon, to see if it can be an issue.(y)
 
  • Like
  • +Reputation
Reactions: Protomartyr, ForgottenSeer 85179, Morro and 2 others
Morro

Morro

Level 18
Verified
Top Poster
Well-known
Jul 8, 2012
894
Andy Ful said:
HI,
There is no need to whitelist the Application executables (*.exe and *.dll files) because they are already allowed by SWH. If the Application is blocked then another file (required by the application) is probably blocked by SWH. The details should be visible when you look into the log of blocked events (the blue <View Blocked Events> button).
Whitelisting the Application folder (like you did) can usually solve the blocking issue.

I installed the Soft Organizer 8.18. The installation was done without a problem. I can start the application without any whitelisting and successfully uninstalled 2 applications without any problem (no whitelisting required). Please post the info from the log of <View Blocked Events> .
I will also install Privazer soon, to see if it can be an issue.(y)
Click to expand...
Thank you for testing it out. :)

This is what the log shows. ( It is in Dutch. )

Description:
De beheerder heeft de toegang tot beperkt doordat het niveau van het standaardsoftwarerestrictiebeleid is aangepast.

It basically mentions that Applaunch.vbs is limited due to the fact that the level of the standard software restriction policy was altered?

EDIT: PrivaZer is working perfectly again, I doubt your program had anything to do with me having to de-install and re-installing. I had the same problem with it once before last year,
so long before I started using SWH.

EDIT 2: Problem solved ... placing the file AppLaunch.vbs on the whitelist solved it, I can start Soft Organizer again. :)
 
Last edited:
  • Like
  • +Reputation
Reactions: Protomartyr, Andy Ful, harlan4096 and 1 other person
B

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
668
How many scenarios are blocked if I only use the Windows Hardening part of SWH and block MSHTA.exe with my firewall?
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
I Installed & configured Privazer 4.0.17 and made a disk clean up. I noticed that Privazer did also run the Windows built-in cleanup application. After the cleanup, Soft Organizer stopped working properly - I could not use it via the icon from the taskbar notification area. But, I still could use it from the desktop. Uninstalled Privazer without problems. No whitelisting required. After reinstalling Soft Organizer it works properly.

The blocked entry is a VBS script (blocked by SRP). This file is absent in my installation probably because it is a free version.:)(y)

PS.
You can edit your post and remove the blocked path (for privacy).
 
Last edited:
  • Like
Reactions: Morro, Protomartyr, ForgottenSeer 85179 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
  • Like
Reactions: Protomartyr, ForgottenSeer 85179, Gandalf_The_Grey and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Back3 said:
I've read page 8-9. Most scenarios use Windows Script Host and PowerShell Scripts; Windows Hardening in SWH restrict those Scripts. So my antivirus protection would be enhanced just by using Windows Hardening. Am I right?
Click to expand...
Yes. Windows Script Host and PowerShell scripts can also be blocked (by Administrator Policies) when setting *Admin Windows Script Host* and *Admin PowerShell Scripts* to Restricted. So, this will enhance the protection of most AVs. But, these options and all others available via <Windows Hardening> do not use SRP, so the blocked files cannot be whitelisted. If @Morro would use these settings he could not start Soft Organizer via AppLaunch.vbs .
 
  • Like
  • Thanks
Reactions: Deletedmessiah, Morro, Protomartyr and 3 others
Morro

Morro

Level 18
Verified
Top Poster
Well-known
Jul 8, 2012
894
Andy Ful said:
I Installed & configured Privazer 4.0.17 and made a disk clean up. I noticed that Privazer did also run the Windows built-in cleanup application. After the cleanup, Soft Organizer stopped working properly - I could not use it via the icon from the taskbar notification area. But, I still could use it from the desktop. Uninstalled Privazer without problems. No whitelisting required. After reinstalling Soft Organizer it works properly.

The blocked entry is a VBS script (blocked by SRP). This file is absent in my installation probably because it is a free version.:)(y)

PS.
You can edit your post and remove the blocked path (for privacy).
Click to expand...

Yeah it is possible that it is a file only present with the PRO version. But I will keep an eye out next time I run PrivaZer ( I run it once a month. ) to see if Soft Organizer stops working properly.
 
  • Like
Reactions: Andy Ful and Protomartyr
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Andy Ful said:
It is recommended in the below cases:
  1. MS Office version is installed which is not supported by Microsoft and WD ASR rules are not enabled.
  2. The MS Office hardening from SWH is too restrictive and cannot be applied.
The standalone Documents Anti-Exploit does not disable VBA for MS Office applications, but only in MS Office documents. It also applies some additional policies that can protect the user when ASR rules are not enabled.
Click to expand...
After researching the recent development of attacks via weaponized documents I must change my recomendation for using the DocumentsAntiExploit tool. In the last year, the attack techniques not related to VBA macros became more and more popular, especially in weaponized Excel documents. These techniques are not well detected by AVs and not fully covered by AMSI and ASR rules in WD. So, I recommend using DocumentsAntiExploit tool with ON2 setting to enhance the protection of MS Office.
 
  • Like
  • Thanks
  • +Reputation
Reactions: HarborFront, Deletedmessiah, Gandalf_The_Grey and 4 others
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,139
Andy Ful said:
After researching the recent development of attacks via weaponized documents I must change my recomendation for using the DocumentsAntiExploit tool. In the last year, the attack techniques not related to VBA macros became more and more popular, especially in weaponized Excel documents. These techniques are not well detected by AVs and not fully covered by AMSI and ASR rules in WD. So, I recommend using DocumentsAntiExploit tool with ON2 setting to enhance the protection of MS Office.
Click to expand...
I'm using SWH. Is DocumentsAntiExploit tool in SWH? I thought I saw it inside SWH. Or needs to be used independently. If it's the latter where to download the standalone version? BTW, what is ON2?

Thanks
 
Last edited:
  • Like
Reactions: Andy Ful, harlan4096 and Protomartyr

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,430
Hard_Configurator Tools
South Park
South Park
Gandalf_The_Grey
    • Like
    • Hundred Points
New Update Patch Tuesday update (KB5041571) hits Copilot+ PCs running Windows 11 24H2
Replies
0
Views
293
Windows 11
Gandalf_The_Grey
Gandalf_The_Grey
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,111
Hard_Configurator Tools
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top