New Update Simple Windows Hardening

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
SWH vs. Magniber JavaScript variant
https://malwaretips.com/threads/mag...ers-via-javascript-files.117780/#post-1007487
https://threatresearch.ext.hp.com/m...geting-home-users-with-fake-software-updates/

Previously Magniber was primarily spread through MSI and EXE files, but in September 2022 we started seeing campaigns distributing the ransomware in JavaScript files.

The JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET executable in memory, meaning the ransomware does not need to be saved to disk. This technique bypasses detection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system. The .NET code decodes shellcode and injects it into another process. The ransomware code runs from this process – first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the victim’s files (Figure 2).

1665762415771.png

Figure 2 – Magniber infection chain
Interestingly, the Magniber sample we analyzed in September support different versions of Windows 11, including pre-release versions. This suggests that home users rather than enterprises were the intended targets of the campaign, since enterprises tend to use older operating systems.

Like in the previous Magniber campaign (CPL file), this one is easily blocked by SWH. But, the rest will depend on the user, because Magniber is often promoted as the system (software) update/upgrade, so many users can be fooled to turn off the protection. This is probable especially when they are looking for pirated content.
 

czesetfan

Level 3
Dec 3, 2021
149
I made some research. The block is for WindowsPackageManagerServer.exe. It can be important for developers who are going to submit their applications to Microsoft Store. When opening, the Microsoft Store tries to access it.
This block can be ignored by home users. The updates and installations of UWP apps are not impacted.
Anyway, it would be good to get rid of it. :unsure:
Hi. Has there been any progress on this?
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Hi. Has there been any progress on this?
I am still not sure if the progress is necessary, here. The developer tools can be used by attackers, just like some other LOLBins.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Hello Andy! I saw you talking about H_C not working on Windows 11 22H2. So is it the same for Simple Windows Hardening?
To be precise, currently, the SRP settings in H_C (and SWH) will work on Windows 11 22H2 when:
  • Windows is upgraded from Windows 10.
  • Windows is updated from Windows 11 21H2 (or the prior version).
For now, SRP does not work when
  • Windows 22H2 has been installed (clean install).
  • Windows 22H2 has been refreshed.
All other settings in H_C (SWH) which are not related to SRP will work as usual.
There is no info from Microsoft if the SRP issue is a bug or not.
I noticed a close relationship between this issue and the installation of Smart App Control. When SRP works on Windows 11 22H2, the SAC is not installed.

Edit.
I updated the info in the OP.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
SWH vs. Batloader
https://www.microsoft.com/en-us/sec...to-deliver-royal-ransomware-various-payloads/
https://malwaretips.com/threads/dangerous-batloader-malware-dropper.118627/post-1011278
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html

1670454018935.png

Figure 4: Comparing ZLoader (most recent campaign) and BatLoader attack chain

SWH can block such attacks in default settings via PowerShell restrictions (blocked script execution) or SRP restrictions for BAT scripts (level 2 in Figure 4).
The Batloader can execute PowerShell malware embedded in the MSI file, but it does not execute the PowerShell code in memory via CmdLine. The malware uses the MSI PowerShellScriptInline custom action, so the malicious PowerShell script code is dropped to disk as PS1 script and executed during software installation.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
SWH ver. 2.1.1.1 beta.


No need to remove the older SWH settings.

What is new:
  1. Added support for Windows 11 ver. 22H2
  2. Added the ONE extension (OneNote document) to the Paranoid extensions set.
  3. Removed the OFF2 option in the DocumentsAntiExploit tool. Now, ON2 settings include all ON1 settings.
    ON2 settings (if already applied) require resetting (ON2 --> OFF --> ON2) after the current update.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
SWH vs. Horabot
https://blog.talosintelligence.com/new-horabot-targets-americas/
https://malwaretips.com/threads/new-horabot-campaign-targets-the-americas.123594/

I like the examples posted by @silversurfer. :)
They usually present a complex infection chain that can evade the protection of AVs. The Horabot campaign was started in November 2020 and has been ongoing through the year 2023. So, one can say that it was successful.


1685719062627.png


In purpose to evade AV protection, the attackers adopted the initial fileless attack vector. But, SWH settings are adjusted to prevent such attacks. In this concrete example, the attack will fail just after unpacking the initial script (CMD). But, in many cases, SWH is not required. Many attacks can be prevented by simple hardening, for example:
  • blocking batch scripts (BAT, CMD),
  • blocking the outbound connections of popular LOLBins (powershell.exe, wscript.exe, cscript.exe, mshta.exe ...) or simply blocking the execution of popular LOLBins.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
SWH ver. 2.1.1.1 beta 4.

No new features, just one GUI improvement to make SWH more idiot-proof.:)
This will most probably be the stable version when I sign it with a new certificate (at the end of June).

Edit.
Currently, I work on the new version which will be finished after a few months. It will include some new options:
  1. Block User Folders via SRP (Desktop, Downloads).
  2. Block non-system drives via WDAC.
  3. Set SmartScreen to Block.
These new features will be integrated with RunBySmartscreen.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Thanks @Andy Ful for keeping developing and updating your tools, much appreciated (y)

Can you add NanaZip to the supported archiver applications?

Is the new Outlook beta (olk.exe) a supported email client?
It is not necessary.
NanaZip uses the same temporary folder as 7-ZIP so it is automatically supported in SWH.
Outlook (olk.exe) does not allow opening EXE/MSI attachments, so the protection is applied even without enabling SWH option *Attachments and Archives*.:) (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Which successful attacks could have been prevented by deploying WSH ? :unsure:
Advanced Threat Protection Test 2023 - Consumer

The report lacks some important details, so I assumed the techniques mostly used in attacks via the Internet. So, all attacks require user interaction to run the dropped file. Additional information:
We use system programs designed to evade signature-based detection, while also exploiting the versatility of popular scripting languages such as JavaScript, batch files, PowerShell and Visual Basic scripts.
In the consumer test, an admin account is targeted, although every POC is executed using only a standard-user account, with medium integrity.

  1. Flash drive ---> ZIP ---> ISO ---> EXE
    Not blocked in default settings, except when the user opens files from flash drives via "Run By SmartScreen" (as recommended in the SWH documentation).
    Such attacks can be also prevented by adding the ISO extension to SRP or using the "Paranoid extensions" option in SWH. But this can only work if ISO files are opened by a dedicated application like PowerISO, 7-ZIP, etc.
    To prevent other popular variants, one has to also add such extensions as IMG, VHD, and VHDX (included in "Paranoid extensions").
  2. Flash drive ---> JS
    Blocked by default.
  3. Flash drive ---> CPL
    Blocked by default.
  4. JS dropped and executed
    Blocked by default.
  5. HTML smuggling or Email attachment ---> EXE
    If the EXE file is dropped via a web browser, it will be blocked by SmartScreen for Explorer.
    If the file is dropped via email client, it will be blocked by SWH.
  6. HTML smuggling or Email attachment ---> JS
    Blocked by default.
  7. HTML smuggling or Email attachment ---> EXE
    If the EXE file is dropped via a web browser, it will be blocked by SmartScreen for Explorer.
    If the file is dropped via email client, it will be blocked by SWH.
  8. Spearphishing Link ---> MSI
    Blocked by SmartScreen for Explorer.
  9. Spearphishing Link ---> EXE
    Blocked by SmartScreen for Explorer.
  10. Spearphishing Link ---> Office document ---> patching AMSI (VBA code) ---> malicious macro or script
    If MS Office is patched (no 0-day exploit), the attack can be blocked by DocumentsAntiExploit (tool included in SWH to protect MS Office).
  11. HTML smuggling or Email attachment ---> PIF
    Blocked by default.
  12. HTML smuggling or Email attachment ---> EXE
    If the EXE file is dropped via a web browser, it will be blocked by SmartScreen for Explorer.
    If the file is dropped via email client, it will be blocked by SWH.
  13. PS1 dropped and executed
    Blocked by default.
  14. HTA dropped and executed by the user
    Blocked by default.
  15. HTML smuggling or Email attachment ---> JS
    Blocked by default.
In rare cases, the attacks assumed to be blocked by SmartScreen can succeed in the wild. For example when the EXE or MSI 0-day malware is digitally signed with an EV certificate.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
There are some DLL hijacking techniques that could bypass SmartScreen, but they were skipped in the test. Generally, I recommend using "Run By SmartScreen" to execute unknown EXE files. "Run By SmartScreen" can prevent bypassing SmartScreen via DLL hijacking.
 
F

ForgottenSeer 103564

The report lacks some important details, so I assumed the techniques mostly used in attacks via the Internet. So, all attacks require user interaction to run the dropped file.
Run by smart screen to achieve elevated status.

Basically, don't click these without verification of file, back to the basics. I'm trying to understand the point of such a test other then to see if the security will stop it after the user says "sure go ahead". 🤔🤪🤦

@Andy Ful don't laugh to hard, couldn't resist.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top