Yes. The new version 1.0.1.1 will be pushed in a few weeks.
Simple Windows Hardening
- Thread starter Andy Ful
- Start date
SWH vs. Emotet spam campaigns
www.trendmicro.com
malwaretips.com
I posted several examples of attacks in the wild that could be easily prevented by SWH. So, it is time to post an example that could bypass SWH alone (but not with ConfigureDefender HIGH settings, or FirewallHardening, or DocumentsAntiExploit tool).
This attack vector (via Excel 4.0 Macros) is blocked in SWH ver. 2.0.0.0 by applying the Recommended Settings (including the DocumentsAntiExploit tool).
Infection chain (delivery stage in blue):
Spam email --> Excel document --> Excel 4.0 macro --> cmd[.]exe --> Mshta LOLBin downloads/executes the paylod
What was the problem for SWH?
SWH uses system-wide features to harden the system and Microsoft Office applications. Unfortunately, Microsoft adopted the system-wide policy only to disable the VBA support in MS Office (including VBA macros), but there are only non-system-wide policies to disable Excel 4.0 macros. So, in the attack via XLS legacy documents the Excel 4.0 macros were not disabled by SWH. If the user was fooled by the attacker to allow macros (blocked by default in MS Office) then the malicious macro could be executed.
In earlier versions of SWH (prior the ver. 1.1.1.1) this attack could be blocked only when the Paranoid extensions were applied in SWH.
Why this is not a problem for ConfigureDefender, FirewallHardening, or DocumentsAntiExploit tools?
Post updated to reflect the changes in SWH ver. 1.1.1.1 and later.
Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware
Emotet Now Using Unconventional IP Address Formats to Evade Detection
Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP...
malwaretips.com
I posted several examples of attacks in the wild that could be easily prevented by SWH. So, it is time to post an example that could bypass SWH alone (but not with ConfigureDefender HIGH settings, or FirewallHardening, or DocumentsAntiExploit tool).
This attack vector (via Excel 4.0 Macros) is blocked in SWH ver. 2.0.0.0 by applying the Recommended Settings (including the DocumentsAntiExploit tool).
Infection chain (delivery stage in blue):
Spam email --> Excel document --> Excel 4.0 macro --> cmd[.]exe --> Mshta LOLBin downloads/executes the paylod
What was the problem for SWH?
SWH uses system-wide features to harden the system and Microsoft Office applications. Unfortunately, Microsoft adopted the system-wide policy only to disable the VBA support in MS Office (including VBA macros), but there are only non-system-wide policies to disable Excel 4.0 macros. So, in the attack via XLS legacy documents the Excel 4.0 macros were not disabled by SWH. If the user was fooled by the attacker to allow macros (blocked by default in MS Office) then the malicious macro could be executed.
In earlier versions of SWH (prior the ver. 1.1.1.1) this attack could be blocked only when the Paranoid extensions were applied in SWH.
Why this is not a problem for ConfigureDefender, FirewallHardening, or DocumentsAntiExploit tools?
- ConfigureDefender settings will block the child process (cmd[.]exe) via the ASR rule,
- FirewallHardening will prevent Mshta LOLBin from downloading the payload,
- DocumentsAntiExploit tool can harden MS Office applications via non-system-wide policies and Excel 4.0 macros will be blocked.
Post updated to reflect the changes in SWH ver. 1.1.1.1 and later.
Last edited:
SWH vs. Warzone (aka AveMaria) and AgentTesla campaigns
As a supplement to my previous post, here are examples of recent campaigns with VBA macros (blocked by SWH).
malwaretips.com
www.bleepingcomputer.com
In these examples, the PowerPoint document is used instead of Excel.
Spam email --> PowerPoint document --> VBA macro --> wscript[.]exe --> PowerShell and Mshta LOLBins download/execute the paylods
PowerPoint and Word use VBA macros (cannot use directly Excel 4.0 macros).
SWH will block VBA code, so the attack can be stopped at the delivery stage - malicious code will not be executed at all.
As a supplement to my previous post, here are examples of recent campaigns with VBA macros (blocked by SWH).
Malicious PowerPoint files used to push remote access trojans
Since December 2021, a growing trend in phishing campaigns has emerged that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans. According to a report by Netskope’s Threat Labs shared with Bleeping Computer before...
malwaretips.com
Phishing campaign uses PowerPoint macros to drop Agent Tesla
A new variant of the Agent Tesla malware has been spotted in an ongoing phishing campaign that relies on Microsoft PowerPoint documents laced with malicious macro code.
In these examples, the PowerPoint document is used instead of Excel.
Spam email --> PowerPoint document --> VBA macro --> wscript[.]exe --> PowerShell and Mshta LOLBins download/execute the paylods
PowerPoint and Word use VBA macros (cannot use directly Excel 4.0 macros).
SWH will block VBA code, so the attack can be stopped at the delivery stage - malicious code will not be executed at all.
Last edited:
In the infection chain Windows Script Host is used by the malware. What is the main reason why you decided not to restrict it in the recommended settings?SWH vs. Warzone (aka AveMaria) and AgentTesla campaigns
As a supplement to my previous post, here are examples of recent campaigns with VBA macros (blocked by SWH).
Malicious PowerPoint files used to push remote access trojans
Since December 2021, a growing trend in phishing campaigns has emerged that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans. According to a report by Netskope’s Threat Labs shared with Bleeping Computer before...Phishing campaign uses PowerPoint macros to drop Agent Tesla
A new variant of the Agent Tesla malware has been spotted in an ongoing phishing campaign that relies on Microsoft PowerPoint documents laced with malicious macro code.
In these examples, the PowerPoint document is used instead of Excel.
Spam email --> PowerPoint document --> VBA macro --> wscript[.]exe --> PowerShell and Mshta LOLBins download/execute the paylods
PowerPoint and Word use VBA macros (cannot use directly Excel 4.0 macros).
SWH will block VBA code, so the malicious code will not be executed at all.
Gandalf_The_Grey
Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
When one uses other tools adding the DocumentsAntiExploit tool would be sufficient to stop these attacks?SWH vs. Emotet spam campaigns
Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware
Emotet Now Using Unconventional IP Address Formats to Evade Detection
Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP...
I posted several examples of attacks in the wild that could be easily prevented by SWH. So, it is time to post an example that could bypass SWH alone (but not with ConfigureDefender HIGH settings, or FirewallHardening, or DocumentsAntiExploit tool).
Infection chain:
Spam email --> Excel document --> Excel 4.0 macro --> cmd[.]exe --> Mshta LOLBin downloads/executes the paylod
What is a problem for SWH?
SWH uses system-wide features to harden the system and Microsoft Office applications. Unfortunately, Microsoft adopted the system-wide policy only to disable the VBA support in MS Office (including VBA macros), but there are only non-system-wide policies to disable Excel 4.0 macros. So, Excel 4.0 macros are not blocked by SWH. If the user will be fooled by the attacker to allow macros (blocked by default in MS Office) then the malicious macro will be executed.
Why this is not a problem for ConfigureDefender, FirewallHardening, or DocumentsAntiExploit tools?
Conclusion.
- ConfigureDefender settings will block the child process (cmd[.]exe) via ASR rule,
- FirewallHardening will prevent Mshta LOLBin from downloading the payload,
- DocumentsAntiExploit tool can harden MS Office applications via non-system-wide policies and Excel 4.0 macros will be blocked.
If one does not use Defender with ConfigureDefender settings or other tools, then it would be necessary to check if Excel is configured to block macros without notification, or be cautious with macros in Excel documents.
Windows Script Host is restricted in SWH by default (via SRP). Simply, in those examples, the infection chain was stopped before wscript.exe could be executed.
SWH can use also a non-SRP way (via the option * Admin Windows Script Host *) that completely disables Windows Script Host (does not allow whitelisting). This option is not enabled in default settings.
Last edited:
Yes, it will prevent running the Excel 4.0 macros. DocumentsAntiExploit tool applies several restrictions and can be used when Defender is not configured with advanced settings or when another AV is used. The user has to use DocumentsAntiExploit on each account, because configuring the restrictions for one particular user does not have an impact to other user accounts.
In MS Office, the below settings are applied (valid up to MS Office 2019):
- Disabled Macros in MS Office XP and MS Office 2003+ (Word, Excel, PowerPoint, Access, Publisher, Outlook).
- Disabled Access to Visual Basic Object Model (VBOM) in MS Office 2007+ (Access, Excel, PowerPoint, and Word).
- Disabled DDE in Word 2007+ (requires Windows Updates pushed in January 2018, see Microsoft Security Advisory ADV170021).
- Disabled auto-update for any linked fields (including DDE and OLE) in Word 2007+, Excel 2007+, Outlook 2007+, One Note 2013+.
- Disabled ActiveX in MS Office 2007+.
- Disabled OLE in MS Office 2007+ (Word, Excel, PowerPoint).
- Disabled ‘Run Programs’ option for action buttons in PowerPoint 2007+.
- Disabled automatic download of linked images in PowerPoint 2007+.
- Disabled TrustBar notifications in MS Office 2007+.
- The dangerous features in Adobe Acrobat Reader DC on Windows 8.1/10 can be silently mitigated in AppContainer.
- The dangerous features in Adobe Acrobat Reader XI/DC can be blocked with the ‘Yellow Message Bar’ (the user can allow them).
- The restrictions apply to the current account and overwrite native settings in Adobe Acrobat Reader XI/DC.
- The user can apply different restrictions on different accounts.
Post updated.
SWH vs. new sophisticated campaign delivery of AsyncRAT trojan
malwaretips.com
blog.morphisec.com
Infection chain (delivery stage in blue):
email with HTML attachment ---> ISO created ---> BAT or VBS script ---> PowerShell ---> fileless payloads
Depending on SWH settings, the infection chain can be stopped at the delivery stage by blocking the ISO file (non-default setting). The infection chain can be blocked by blocking BAT or VBS scripts (blocked by default). So, despite the advanced tactics, the attack is fully neutralized. After running PowerShell, the malware would also try to use UAC bypass, add exclusions to Defender, and disable action center notifications.
Edit.
Unfortunately, the opening of the ISO files is managed by the Windows built-in handler that does not support SRP.
But, ISO files can be still protected by SRP when they are opened by 3rd party applications like WinISO or Deamon Tools.
SWH vs. new sophisticated campaign delivery of AsyncRAT trojan
Hackers Using New Evasive Technique to Deliver AsyncRAT Malware
A new, sophisticated phishing attack has been observed delivering the AsyncRAT trojan as part of a malware campaign that's believed to have commenced in September 2021. "Through a simple email phishing tactic with an html attachment, threat attackers are delivering AsyncRAT (a remote access...
malwaretips.com
New Threat Campaign: AsyncRAT Introduces a New Delivery Technique
Morphisec Labs identified a new threat campaign. Through a simple phishing tactic with an HTML attachment, threat attackers are delivering AsyncRAT.
Infection chain (delivery stage in blue):
email with HTML attachment ---> ISO created ---> BAT or VBS script ---> PowerShell ---> fileless payloads
Edit.
Unfortunately, the opening of the ISO files is managed by the Windows built-in handler that does not support SRP.
But, ISO files can be still protected by SRP when they are opened by 3rd party applications like WinISO or Deamon Tools.
Last edited:
Would Configure Defender on Max setting also have stopped the attack?
It is possible that this particular attack could finish the STAGE 2 of infection (but would be stopped by Defender at STAGE 3):
But the decisive infection starts at STAGE 3 via the script Net.vbs which is obfuscated. This could be blocked by the ASR rule.
STAGE 3:
The full infection chain is very complicated to avoid detection. It is possible that some parts of the attack could be mitigated by the ASR rule "Use advanced protection against ransomware". Furthermore, the complicated infection chain could be detected by the very aggressive cloud protection level used in MAX settings.
I am not sure how this malware neutralization would be counted on Malware Hub. The system was compromised because the malware could connect to a malicious URL, download STAGE 1 payload, get persistence, and execute a few processes after reboot. But, it could not do anything truly malicious when ASR rules were enabled. The final payload (AsyncRAT) would not be injected, UAC would not be bypassed and Defender's settings would not be tampered, too.
Last edited:
Configure Defender set at MAX does seem to offer very strong protection -
Unfortunately, this nice "demonstration test" is inconclusive. The testing methodology is not designed to show the differences in the protection between AVs. Furthermore, only EXE files were tested.
Anyway, Defender with advanced settings is well tested by MRG Effitas and AV-Comparatives. These tests show that the protection is comparable to the top AVs (business versions). This was also confirmed in many tests on Malware Hub (Defender on MAX settings failed on a few malicious scripts).
Edit.
Some business AVs (like Kaspersky) can be highly tweaked to get even stronger protection, compared to Defender MAX settings.
Last edited:
THREAT INSIGHTS REPORT Q4 - 2021 (HP WOLF SECURITY)
It is an interesting lecture to see how modern attacks can impact the SWH settings.
In most cases, such attacks can be also neutralized by ConfigureDefender HIGH settings + WMI ASR rule, when Microsoft Defender is the main Antivirus.
* Surge in attackers using Excel add-ins (.XLL) to infect systems.
* Aggah targets South Korean organizations with malicious PowerPoint add-ins (.PPA)
* TA505’s links to MirrorBlast
* QakBot gives attackers access to infected systems to deliver ransomware
Ongoing courier spam delivers Ursnif malware to Italian-speaking organizations
The return of Emotet and its reversal of roles
* Fake Discord website serves RedLine malware posing as installer
Conclusion
The presented attack vectors via MS Office can be dangerous for casual users.
Generally, it is better to avoid using MS Office (desktop versions) for viewing documents.
The best compatibility with MS Office formats can have Word mobile, Excel mobile, and PowerPoint mobile (free versions). Also "PDF Reader by Xodo" is highly compatible and secure - it converts on-the-fly office documents into PDF files. The mobile office applications and Xodo application run in AppContainer. Furthermore, all these applications are from Microsoft Store, so the strong Exploit Protection mitigation can be used (Code Integrity Guard).
Anyway, such attacks are not especially dangerous for cautious users because MS Office applications block by default macros and Add-ins with clear notification that enabling these features is not safe.
Post updated to reflect the changes in SWH ver. 1.1.1.1 and later.
It is an interesting lecture to see how modern attacks can impact the SWH settings.
In most cases, such attacks can be also neutralized by ConfigureDefender HIGH settings + WMI ASR rule, when Microsoft Defender is the main Antivirus.
* Surge in attackers using Excel add-ins (.XLL) to infect systems.
- Some attacks via XLL add-ins could bypass SWH versions prior to 1.1.1.1. Now, such attacks are blocked by SRP settings in SWH.
* Aggah targets South Korean organizations with malicious PowerPoint add-ins (.PPA)
- This attack uses VBA macros, so it would be prevented by SWH defaults.
* TA505’s links to MirrorBlast
- These attacks were performed via Windows Script Host, HTML pages containing malicious Javascript, or MS Office documents with malicious macros.
- Some of these attacks could bypass SWH versions prior to 1.1.1.1. Now, such attacks are blocked by SRP settings in SWH or the DocumentsAntiExploit tool included in SWH.
* QakBot gives attackers access to infected systems to deliver ransomware
Ongoing courier spam delivers Ursnif malware to Italian-speaking organizations
The return of Emotet and its reversal of roles
- Some of these attacks could bypass SWH versions prior to 1.1.1.1. Now, such attacks are blocked by SRP settings in SWH or the DocumentsAntiExploit tool included in SWH.
* Fake Discord website serves RedLine malware posing as installer
- The initial infection vector used Windows Script Host, so it would be prevented by SWH defaults
Conclusion
The presented attack vectors via MS Office can be dangerous for casual users.
Generally, it is better to avoid using MS Office (desktop versions) for viewing documents.
The best compatibility with MS Office formats can have Word mobile, Excel mobile, and PowerPoint mobile (free versions). Also "PDF Reader by Xodo" is highly compatible and secure - it converts on-the-fly office documents into PDF files. The mobile office applications and Xodo application run in AppContainer. Furthermore, all these applications are from Microsoft Store, so the strong Exploit Protection mitigation can be used (Code Integrity Guard).
Anyway, such attacks are not especially dangerous for cautious users because MS Office applications block by default macros and Add-ins with clear notification that enabling these features is not safe.
Post updated to reflect the changes in SWH ver. 1.1.1.1 and later.
Last edited:
This was the first thing I noticed. His tests are clickbait, like so many others: pretty useless.
Yes. Any similar test is like an advertisement. Even if the conclusion is true, it does not result from a reliable basis.
In the case of this particular test, the author had a problem with believing in his own advertisement.
SWH ver. 1.0.1.1 (beta 3)
Installer:
https://github.com/AndyFul/Hard_Configurator/raw/master/Simple Windows Hardening/SWH_1011_Beta3.exe
Updated manual:
https://github.com/AndyFul/Hard_Con... Windows Hardening/SWH_1011_Beta - Manual.pdf
Installer:
https://github.com/AndyFul/Hard_Configurator/raw/master/Simple Windows Hardening/SWH_1011_Beta3.exe
Updated manual:
https://github.com/AndyFul/Hard_Con... Windows Hardening/SWH_1011_Beta - Manual.pdf
| Added the option <AppInstaller> to restrict the installation of UWP apps via the web browser or downloaded packages: .msix, .appx, .msibundle, .appxbundle |
SWH vs. EXE --> Scripts
Normally, SWH depends on SmartScreen and AV to fight EXE files. But, malc0ders can use EXE files also as script droppers to avoid AV detection. Here are some in-the-wild examples used by the Russia-linked Shuckworm group (aka Gamaredon, Armageddon) in cyber-espionage attacks against targets in Ukraine.
https://symantec-enterprise-blogs.s...ligence/shuckworm-gamaredon-espionage-ukraine
The EXE malware used in attacks would drop/execute the following files that could download the secondary payloads:
EXE ---> Scripts (primary paylods) ----> secondary payload execution (EXE payloads and scripts)
The above infection chain is used to fool Administrators and AVs. All such attacks would be stopped by SWH in default settings (SRP blocks) at the delivery stage.
Another infection vector was performed via weaponized Word documents. The article does not inform about details, but it was probably a document with VBA macro (SWH would block it by default).
Of course, the attackers could use something else (like a legacy Excel document with Excel 4.0 macro). This could partially succeed with SWH prior to ver. 1.1.1.1. SWH ver. 2.0.0.0 can block such attacks in Recommended Settings (including the DocumentsAntiExploit tool).
Post updated to reflect the changes in SWH ver. 1.1.1.1 and later.
Normally, SWH depends on SmartScreen and AV to fight EXE files. But, malc0ders can use EXE files also as script droppers to avoid AV detection. Here are some in-the-wild examples used by the Russia-linked Shuckworm group (aka Gamaredon, Armageddon) in cyber-espionage attacks against targets in Ukraine.
https://symantec-enterprise-blogs.s...ligence/shuckworm-gamaredon-espionage-ukraine
The EXE malware used in attacks would drop/execute the following files that could download the secondary payloads:
- VBScript scripts with several (spoofed) extensions like .ppt, .dat, .rar, .nls, etc.
- .cmd scripts
EXE ---> Scripts (primary paylods) ----> secondary payload execution (EXE payloads and scripts)
The above infection chain is used to fool Administrators and AVs. All such attacks would be stopped by SWH in default settings (SRP blocks) at the delivery stage.
Another infection vector was performed via weaponized Word documents. The article does not inform about details, but it was probably a document with VBA macro (SWH would block it by default).
Of course, the attackers could use something else (like a legacy Excel document with Excel 4.0 macro). This could partially succeed with SWH prior to ver. 1.1.1.1. SWH ver. 2.0.0.0 can block such attacks in Recommended Settings (including the DocumentsAntiExploit tool).
Post updated to reflect the changes in SWH ver. 1.1.1.1 and later.
Last edited:
SWH vs. MuddyWater campaign in Turkey
blog.talosintelligence.com
malwaretips.com
Two variants of the infection chain (delivery stage in blue):
PDF document with URL ---> downloaded maldoc (VBA macro) ---> intermediate scripts ---> final payload execution
or
PDF document with URL ---> downloaded EXE (script dropper) ---> intermediate scripts ---> final payload execution
The user has to manually open the maldoc (malicious document) or EXE dropper.
SWH on default settings will stop the infection chain on the delivery stage by blocking VBA or intermediate scripts (STAGE 2 or 3).
The attackers use Excel spreadsheet files, but did not adopt Excel 4.0 macros in the attack.
Post edited.
Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables
Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions. * Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran's Ministry of Intelligence and Security (MOIS) by the U.S. Cyber...
blog.talosintelligence.com
MuddyWater hacking group targets Turkey in new campaign
The Iranian-backed MuddyWater hacking group is conducting a new malicious campaign targeting private Turkish organizations and governmental institutions. A new report by researchers at Cisco Talos links MuddyWater to recent attacks targeting Turkish private organizations and governmental...
malwaretips.com
Two variants of the infection chain (delivery stage in blue):
PDF document with URL ---> downloaded maldoc (VBA macro) ---> intermediate scripts ---> final payload execution
or
PDF document with URL ---> downloaded EXE (script dropper) ---> intermediate scripts ---> final payload execution
The user has to manually open the maldoc (malicious document) or EXE dropper.
SWH on default settings will stop the infection chain on the delivery stage by blocking VBA or intermediate scripts (STAGE 2 or 3).
The attackers use Excel spreadsheet files, but did not adopt Excel 4.0 macros in the attack.
Post edited.
Last edited:
Is it possible that Forza Horizon 5 steam version crashing due to using this software?
You may also like...
-
Defender Hardening Console (part of Hawk Eye Analysis Platform)- Started by Trident
- Replies: 62
-
Windows 11 Patch Tuesday January 2026 (KB5074109, KB5073455)- Started by silversurfer
- Replies: 18
-
-
