New Update Simple Windows Hardening

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
There can be many advantages of strong firewall restrictions, especially in business networks.
Some of these advantages are still welcome at home. Of course, one can use complex firewall hardening alongside SWH, and even with policies made by the FirewallHardening tool.
Svchost is only one of many Windows executables that can be abused for outbound connections. Furthermore, it is not the most popular way because abusing Svchost requires high privileges. It is often used to hide malicious actions and get persistence on the heavily compromised system.

Edit.
For most users, hardening methods like restricting Svchost by the firewall are too complex and inconvenient in daily work.
I think that at home, the monitoring/blocking (auto) Run keys in the Windows Registry would be much easier to fight CryptoMiners.(y)
 
Last edited:
  • Like
Reactions: [correlate], Nevi, SeriousHoax and 1 other person
L

Local Host

Andy Ful said:
There can be many advantages of strong firewall restrictions, especially in business networks.
Some of these advantages are still welcome at home. Of course, one can use complex firewall hardening alongside SWH, and even with policies made by the FirewallHardening tool.
Svchost is only one of many Windows executables that can be abused for outbound connections. Furthermore, it is not the most popular way because abusing Svchost requires high privileges. It is often used to hide malicious actions and get persistence on the heavily compromised system.

Edit.
For most users, hardening methods like restricting Svchost by the firewall are too complex and inconvenient in daily work.
I think that at home, the monitoring/blocking (auto) Run keys in the Windows Registry would be much easier to fight CryptoMiners.(y)
Click to expand...
Oh trust me, svhost is not blocked alone, and certainly not only outbound connections (but also inbound), as for having the regedit secured, it already is (cause the WF is extremely easy to bypass without specific restrictions).

You don't need admin rights to add firewall rules by default, this problem with Windows and all it's APIs that make it easy to bypass UAC and prompts.

I also agree this kind of setup is too complex for average users, I use it for myself and not on others machines, I not running any AV, all I need is the firewall.

There no simple way to allow only Microsoft IPs cause of their CDNs.
 
  • Like
Reactions: [correlate], Nevi, SeriousHoax and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
Local Host said:
The Windows Firewall logs can tell the difference between Inbound and Outbound traffic (among many other details), it only needs to be enabled (native option).
....
Click to expand...
The problem is not that Windows can or cannot tell the difference. The event Id=5152 (or 5157) is used to log both inbound and outbound connections. On Windows 10, the inbound connections can be blocked via Windows settings many times per one minute, so it is very inconvenient to find the outbound events in the Windows Event Log. One has to use the external filtering program (PowerShell or 3rd party tool).
 
  • Like
Reactions: [correlate], Nevi, SeriousHoax and 2 others
L

Local Host

Andy Ful said:
The problem is not that Windows can or cannot tell the difference. The event Id=5152 (or 5157) is used to log both inbound and outbound connections. On Windows 10, the inbound connections can be blocked via Windows settings many times per one minute, so it is very inconvenient to find the outbound events in the Windows Event Log. One has to use the external filtering program (PowerShell or 3rd party tool).
Click to expand...
The problem is you trying to check Windows Firewall logs on Event Viewer, instead of checking the actual Windows Firewall logs (which is disabled by default).

Opening the actual Windows Firewall logs in Excel you can filter it however you want, without the need for third-party Software (you honestly don't need Excel, but makes it easier).

Is honestly more work than it's worth either way, average users should rely on WFC.
 
  • Like
Reactions: [correlate], Andy Ful, Nevi and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
Local Host said:
The problem is you trying to check Windows Firewall logs on Event Viewer, instead of checking the actual Windows Firewall logs (which is disabled by default).

Opening the actual Windows Firewall logs in Excel you can filter it however you want, without the need for third-party Software (you honestly don't need Excel, but makes it easier).

Is honestly more work than it's worth either way, average users should rely on WFC.
Click to expand...
Yes. The advanced user can use any software that can get/filter events from the Windows Logs. There are PowerShell scripts that can do this, available for everyone. I prefer to use the WevtUtil tool (Windows system tool) to get the events and a simple piece of my code to filter/format/write the interesting events into the TXT file. I did not find the more convenient and faster way to do it (including Excel, etc.).

For example, on my computer (Windows 10), there are about 65000 events in the Security log (MAX size doubled as compared to the default value). About 60000 are related to the blocked inbound connections of Svchost (Id=5152) and about 100 to all blocked outbound connections (Id=5152). Most of the blocked outbound connections are related to the FirewallHardening tool ()All LOLBins blocked). Usually, the Compattelrunner, Explorer, and RunDll32 are blocked (telemetry connections). Slightly fewer inbound events are logged via Id=5157.
On Windows 7, the number of blocked inbound events is many times smaller.
 
Last edited:
  • Like
Reactions: oldschool, Local Host and [correlate]
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
Telos said:
If it were only that simple. There is no reboot, and I am unable to enter BIOS settings. I will attempt a CMOS reset (remove / replace CMOS battery) tomorrow. A "disheartening experience" is an understatement.
Click to expand...
If so, then the issue is probably not related to SWH.
 
  • Like
Reactions: oldschool and [correlate]
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
Telos said:
If it were only that simple. There is no reboot, and I am unable to enter BIOS settings. I will attempt a CMOS reset (remove / replace CMOS battery) tomorrow. A "disheartening experience" is an understatement.
Click to expand...
I had a similar issue many years ago on Windows 7 and I saw it once on the XP computer of my friend. Before taking the extreme solutions it is recommended to try this (after computer cold shutdown):
"One of the things I would suggest you to remove any external devices attached to the computer apart from keyboard and mouse and check if that helps."

In my case that was an error related to the printer. Everything worked well again after disconnecting the printer. In another case, the issue was related to the USB port.
Generally, such behavior is related to drivers' errors that can happen randomly and it is usually hard to find the cause of the instability.
The computer cold shutdown is recommended because many machines use fast startup (do not shut down but hibernate).
 
Last edited:
  • Like
Reactions: [correlate], harlan4096, South Park and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
SimpleWindowsHardening vs. APT attacks.

Thank @Correlate I recalled an article about possible weaknesses of Endpoint Detection Response software (Some time ago I made a thread about it on MT):
https://malwaretips.com/threads/end...s-against-advanced-persistent-threats.109745/
https://malwaretips.com/threads/end...ackers-have-evolved-part-1.106619/post-970740

The full research article can be found here:

Attack Vectors
  • A .cpl file: A DLL file which can be executed by double-clicking under the context of the rundll32 LOLBINS which can execute code maliciously under its context. The file has been crafted using CPLResourceRunner9 . To this end, we use a shellcode storage technique using Memory-mapped files (MMF) [17] and then trigger it using delegates, ...
  • A legitimate Microsoft (MS) Teams installation that will load a malicious DLL. In this regard, DLL side-loading10 will lead to a self-injection, thus, allowing us to ”live” under a signed binary...
  • An unsigned PE executable file; from now on referred to as EXE, that will execute process injection using the “Early Bird” technique of AQUARMOURY into werfault.exe. For this, we spoofed the parent of explorer.exe using the PROC THREAD ATTRIBUTE MITIGATION POLICY flag to protect our malware from an unsigned by Microsoft DLL event that is commonly used by EDRs for processes monitoring.
  • An HTA file. Once the user visits a harmless HTML page containing an IFrame, he will be redirected and prompted to run an HTML file infused with executable VBS code that will load the .NET code provided in Listing 2 perform self-injection under the context of mshta.exe.
I skipped the attack vector related to DLL side-loading because it was related to the lateral movement (common in Enterprises). The attacker had to drop the malicious DLL that was a modified system DLL (the original DLL is normally located in the "c:\Windows\system32" folder) to the application folder of Microsoft Teams (already installed in the system).

When looking at the Defender results it can be seen that SWH + Microsoft Defender for Endpoints (Defender with advanced settings) could prevent all attack vectors (except lateral movement).

It is interesting that many products missed the fileless attacks via CPL or HTA files (blocked by SWH):
Carbon Black, Comodo, CrowdStrike, Elastic, F-Secure, Microsoft, Panda, Sentinel, Symantec, TrendMicro.
 
Last edited:
  • Like
  • Applause
Reactions: Zartarra, Tutman, SeriousHoax and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
SWH vs. malware

Thank @Gandalf_The_Grey I examined the new Zloader Campaign:
https://malwaretips.com/threads/microsoft-code-sign-check-bypassed-to-drop-zloader-malware.111797/
https://research.checkpoint.com/202...signature-verification-putting-users-at-risk/

The infection chain will be stopped by SWH on level 3 (BAT file blocked):

1641399603004.png


This attack uses the MSI installer with a valid EV certificate, so this installer can bypass Windows SmartScreen and most AVs (this installer does not contain malicious code). Of course, the attack can be detected when "true" malicious code will be downloaded and executed (level 6). Such malware is used in the targeted attacks:

It is unclear how the threat actors tricked the victims into downloading the malicious file, but it could be through cracks found on pirated software resources or spear-phishing emails.
https://www.bleepingcomputer.com/ne...-sign-check-bypassed-to-drop-zloader-malware/
Click to expand...

It seems that this campaign was quite successful:

1641401308501.png
 
  • +Reputation
  • Like
  • Applause
Reactions: ForgottenSeer 92963, plat, Tutman and 5 others
South Park

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
Tutman said:
Is there any script we can use to test the blocking of Simple/Hard Configuration to test of blocking scripts,powershell, bat files etc?
Click to expand...
I use this test script from Guy Thomas. You can change the extension from .txt to .vbs and try to run it, then try whitelisting it e.g. by path. When it runs, it displays some information about your system.
 

Attachments

  • test.vbs.txt
    1 KB · Views: 191
  • Like
  • Thanks
Reactions: Zartarra, Kongo, Tutman and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
Tutman said:
Is there any script we can use to test the blocking of Simple/Hard Configuration to test of blocking scripts,powershell, bat files etc?
Click to expand...
You can use any script you want.
You can even create an empty text file and change its extension from .txt to .vbs, .js. .bat, .ps1, etc.
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: robboman, Zartarra, harlan4096 and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
SWH vs. Log4Shell attacks

Log4Shell is an exploit for CVE-2021-44228 (a critical vulnerability in Apache Log4j disclosed in December).

The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers’ software and services. By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.

www.microsoft.com

Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability - Microsoft Security Blog

Microsoft is tracking threats taking advantage of the remote code execution (RCE) vulnerability in Apache Log4j 2. Get technical info and guidance for using Microsoft security solutions to protect against attacks.
www.microsoft.com
Click to expand...

The example of the fileless infection chain used recently in the wild:

1642002696437.png


research.checkpoint.com

APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research

Introduction With the emergence of the Log4j security vulnerability, we’ve already seen multiple threat actors, mostly financially motivated, immediately add it to their exploitation arsenal. It comes as no surprise that some nation-sponsored actors also saw this new vulnerability as an...
research.checkpoint.com research.checkpoint.com

SWH will break the infection chain due to PowerShell restrictions.
 
  • Like
Reactions: robboman, Tutman, silversurfer and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,478
SWH vs. GootLoader.

Operators of the GootLoader campaign are setting their sights on employees of accounting and law firms as part of a fresh onslaught of widespread cyberattacks to deploy malware on infected systems, an indication that the adversary is expanding its focus to other high-value targets.

https://malwaretips.com/threads/goo...employees-of-law-and-accounting-firms.111933/
https://thehackernews.com/2022/01/gootloader-hackers-targeting-employees.html

Malware analysis (from previous campaign):
https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/
Click to expand...
"GootLoader relies heavily on social engineering to establish its foothold, from poisoning Google search results to fashioning the payload," said Keegan Keplinger, research and reporting lead for eSentire's Threat Response Unit (TRU).

"GootLoader's operators invite employees to seek, download, and execute their malware under the guise of a free business agreement template. This is particularly effective against legal firms, who may encounter uncommon requests from clients."
Click to expand...

1642089507213.png



This attack vector can be used also against home users via widespread spam campaigns. The user gets an email with a direct link to something interesting. In fact, it is a direct link to the malicious script.
SWH can block such malware via scripting restrictions.
 
Last edited:
  • Like
  • Applause
Reactions: Nevi, [correlate], Tutman and 5 others

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,413
Hard_Configurator Tools
South Park
South Park
Gandalf_The_Grey
    • Like
    • Hundred Points
New Update Patch Tuesday update (KB5041571) hits Copilot+ PCs running Windows 11 24H2
Replies
0
Views
292
Windows 11
Gandalf_The_Grey
Gandalf_The_Grey
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,074
Hard_Configurator Tools
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top