New Update Simple Windows Hardening

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Yes, it will prevent running the Excel 4.0 macros. DocumentsAntiExploit tool applies several restrictions and can be used when Defender is not configured with advanced settings or when another AV is used. The user has to use DocumentsAntiExploit on each account, because configuring the restrictions for one particular user does not have an impact to other user accounts.

In MS Office, the below settings are applied (valid up to MS Office 2019):
  • Disabled Macros in MS Office XP and MS Office 2003+ (Word, Excel, PowerPoint, Access, Publisher, Outlook).
  • Disabled Access to Visual Basic Object Model (VBOM) in MS Office 2007+ (Access, Excel, PowerPoint, and Word).
  • Disabled DDE in Word 2007+ (requires Windows Updates pushed in January 2018, see Microsoft Security Advisory ADV170021).
  • Disabled auto-update for any linked fields (including DDE and OLE) in Word 2007+, Excel 2007+, Outlook 2007+, One Note 2013+.
  • Disabled ActiveX in MS Office 2007+.
  • Disabled OLE in MS Office 2007+ (Word, Excel, PowerPoint).
  • Disabled ‘Run Programs’ option for action buttons in PowerPoint 2007+.
  • Disabled automatic download of linked images in PowerPoint 2007+.
  • Disabled TrustBar notifications in MS Office 2007+.
In Adobe Acrobat Reader XI/DC, the below settings are applied :
  • The dangerous features in Adobe Acrobat Reader DC on Windows 8.1/10 can be silently mitigated in AppContainer.
  • The dangerous features in Adobe Acrobat Reader XI/DC can be blocked with the ‘Yellow Message Bar’ (the user can allow them).
  • The restrictions apply to the current account and overwrite native settings in Adobe Acrobat Reader XI/DC.
  • The user can apply different restrictions on different accounts.
@Andy Ful What is the latest version of the Documents Anti-Exploit tool?
 

Tutman

Level 12
Verified
Top Poster
Well-known
Apr 17, 2020
542
Might be due to the fact that it's a malware analysis platform and that it also includes malicious samples that can be downloaded. The site itself is safe. :)
Yep the main url is fine... that was the link to his sample. ;)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
SWH vs. Hermetic Wiper

On 23rd Feb 2022, there were reports of a new sophisticated wiper malware hitting several organizations in the Ukraine with an objective of destroying data and causing business disruption. Threatlabz team analyzed the malware payload involved and uncovered several new tactics used in these attacks.
Hermetic Wiper is a sophisticated malware family that is designed to destroy data and render a system inoperable
The wiper is multi-threaded to maximize speed and utilizes a kernel driver for low-level disk access
These driver files appear to be part an outdated version of the EaseUS Partition Master application developed by CHENGDU YIWO Tech Development
Attack chain #1

1645813670097.png


SWH will stop this infection chain on default settings. The Word Template will be prevented to drop/execute the VBScript payload. The template uses VBA macros to perform malicious actions.


Attack chain #2


1645813911444.png


SWH will stop this infection chain on default settings. After unpacking the RAR archive the execution of the LNK file will be blocked.

Remark.
I noted the attack vectors that could be reused in the attacks against the home users.
Some variants of this malware were also delivered via malicious SMB activity against a Microsoft Exchange Server and probably via other server vulnerabilities. Those attacks were related to the Enterprise environment and lateral movement.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful

your pictorial flowcharts illustrating the malware attack chain are among the best I've seen (y) In fact, so many technical malware analysis articles I've read often lack these illustrations.

I simply chose the right article with clear flowcharts. The link to the article can be found in my previous post.:)
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
SWH vs. Hermetic Wiper

Attack chain #1

View attachment 264620

SWH will stop this infection chain on default settings. The Word Template will be prevented to drop/execute the VBScript payload. The template uses VBA macros to perform malicious actions.


Attack chain #2


View attachment 264621

SWH will stop this infection chain on default settings. After unpacking the RAR archive the execution of the LNK file will be blocked.

Remark.
I noted the attack vectors that could be reused in the attacks against the home users.
Some variants of this malware were also delivered via malicious SMB activity against a Microsoft Exchange Server and probably via other server vulnerabilities. Those attacks were related to the Enterprise environment and lateral movement.

Just an idea, do you have always ready your VM? you may would like to demonstrate (once only) how SWH prevents attacks by certain malware variants. Of course, if it's possible to see on log entries which processes are blocked due to SRP.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Just an idea, do you have always ready your VM? you may would like to demonstrate (once only) how SWH prevents attacks by certain malware variants. Of course, if it's possible to see on log entries which processes are blocked due to SRP.

Making videos in the VM is very frustrating on my machines (too low RAM). The only videos I ever made, were done in the real system. Of course, adding a video would be welcome.
If one would like to test the samples against SWH and make some videos, then I can help with showing what was blocked and which restriction was involved. Of course, most of the infections via initial EXE/MSI samples cannot be stopped by SWH, because these files are intentionally allowed.
In my posts, I chose the clear infection chains from the source articles and also included some examples of malware that could not be stopped by SWH. The main purpose of all examples is to help people to understand how SWH works, which attack vectors can be blocked, and which ones cannot be blocked.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
SWH vs. Asylum Ambuscade spear-phishing campaign

Infection chain:

1646300531401.png

Nothing especially new for SWH. The VB macro (VBA macro) cannot run because SWH in Recommended Settings disables all VBA features in MS Office (in version 2.0.0.0 this is done via the DocumentsAntiExploit tool).

If the user would not use DocumentsAntiExploit hardening and would allow running the macro, then the malware could infect the computer.

How H_C_Hardening tools could prevent this attack?
  • ConfigureDefender HIGH - MSI installation will be blocked by the ASR rule "Block Office applications from creating child processes".
  • FirewallHardening - Msiexec LOLBin will be prevented to download the MSI payload.
  • DocumentsAntiExploit tool - the initial macro will be blocked without notification.
Post Edited.
I tested the macro used in the attack. It uses the COM object WindowsInstaller.Installer which triggers Msiexec LOLBin. So, the Msiexec LOLBin will try to download the MSI payload (and not the Excel application). Msiexec LOLBin connections are blocked by FirewallHardening (Recommended H_C preset).
Here is the event from the FirewallHardening Log after running the macro:
Event[1]:
Local Time: 2022/03/03 11:55:04
ProcessID: 7784
Application: C:\windows\system32\msiexec.exe
Direction: Outbound
SourceAddress: <edited>
SourcePort: <edited>
DestAddress: 23.222.222.111 <--------- blocked (fake) remote adress (payload location)
DestPort: 80
Protocol: 6
FilterRTID: 78503
LayerName: %%14611
LayerRTID: 48
RemoteUserID: <edited>
RemoteMachineID: <edited>

Post updated to reflect the changes in SWH ver. 2.0.0.0 and later.

Edit.
SWH does not block shortcuts in the User Startup folder (H_C can do it).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Updated the OP in the SWH thread. Added links to all attack examples. Added also the shortest description of SWH:
The more sophisticated attack, the fewer chances that AV can detect it, but the greater chances that SWH can prevent it.

This description is very true. When the attackers try to avoid AV detection, they start using sophisticated scripting methods and long infection chains. But, this is in clear advantage to SWH.:)
On the contrary, when the attacker uses a simple attack via the URL with EXE or MSI file, the SWH does nothing and relies on AV protection + SmartScreen.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Updated the OP in the SWH thread. Added links to all attack examples. Added also the shortest description of SWH:
The more sophisticated attack, the fewer chances that AV can detect it, but the greater chances that SWH can prevent it.

This description is very true. When the attackers try to avoid AV detection, they start using sophisticated scripting methods and long infection chains. But, this is in clear advantage to SWH.:)
On the contrary, when the attacker uses a simple attack via the URL with EXE or MSI file, the SWH does nothing and relies on AV protection + SmartScreen.
Sorry Andy, but this description is not true at all. SRP has absolutely zero context... no parent, no command line, nothing.

All SRP does is blindly block by path or globally by extension.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Sorry Andy, but this description is not true at all. SRP has absolutely zero context... no parent, no command line, nothing.

Microsoft does not agree with you:
https://docs.microsoft.com/en-us/wi...iction-policies/software-restriction-policies
This article applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. SRP is used on servers to apply it on client machines with Windows 7 and 10.

You are right, that classic SRP ignores the context that could help to differentiate the unknown from malicious. That is how also work: all other SRP, default-deny, reputation file lookup, HIPS, and similar solutions. The world is much greater than the parent/child and command-line features.

All SRP does is blindly block by path or globally by extension.

You seem to see upside down the SRP used in SWH. These SRP settings do not block by path and do not block globally the extensions.

Post edited/shortened.

Edit.
The SRP is an old but very useful security idea. A few years ago it seemed that Microsoft would like to get rid of classic SRP. But, classic SRP is still used in many organzations, because it is simpler to deploy and some of its features were not implemented in Applocker and MDAC. That is why it is still present in Windows 11 and Windows Server 2022.
SWH uses special SRP settings adjusted for fileless methods (especially as an initial vector).
In the examples included in this thread, I used some targeted attacks seen in the wild, if the adopted methods could be reused in the widespread attacks (dangerous also for home users).
 
Last edited:
  • Like
Reactions: Mercenary

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I would like to add some more comments to the problem of "context".
In their simplest form, both the SRP approach and Parent/Child + CmdLines solutions are kinda dumb when dealing with the "context". So, the Administrators must add some "context" by using their knowledge to create the rules or the cloud backend has to be used to see the different contexts of benign and malicious actions. But, why does Microsoft still like the SRP approach? The answer is pretty much simple. Microsoft uses Local AI, ASR rules, AMSI, and cloud backend to enhance Parent/Child + CmdLines solutions. The SRP + "system hardening via Policies" is an additional & important protection layer, based on a different approach.

In SWH (and H_C) I followed a similar security approach (AV + SRP + basic hardening) and adjusted it to the home environment with a home Administrator.(y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Here is an example of a possible enhancement of the SRP approach (includes a nice video) via deep learning:

In this paper, we propose utilizing a static source of contextual information — the path of the PE file — as an auxiliary input to the classifier. While file paths are not malicious or benign in and of themselves, they do provide valuable context for a malicious/benign determination.
https://ai.sophos.com/presentations...-learning-architecture-for-malware-detection/

In standard SRP solutions, the paths of executables are blocked or whitelisted. This can be overridden by hash or certificate rules. One can enhance this simplistic approach in many ways. Some of these possibilities are included in the above presentation. Another way is used in the H_C by creating smart rules integrated with Forced Smartscreen. This approach is kinda similar to the approach used in Microsoft Defender Application Control with Microsoft ISG (file reputation lookup). In Windows 11, Microsoft announced adding ISG reputation feature to Defender's Security Center:

Of course, this new Defender setting will be also beneficial to SWH if one will be able to live with many false positives.
SWH does not protect against PE malware (EXE, DLL, etc.) and ISG just does it.:)
For now, similar protection can be applied by SWH + Defender with ConfigureDefender MAX settings.
 
Last edited:

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,479
Here is an example of a possible enhancement of the SRP approach (includes a nice video) via deep learning:


https://ai.sophos.com/presentations...-learning-architecture-for-malware-detection/

In standard SRP solutions, the paths of executables are blocked or whitelisted. This can be overridden by hash or certificate rules. One can enhance this simplistic approach in many ways. Some of these possibilities are included in the above presentation. Another way is used in the H_C by creating smart rules integrated with Forced Smartscreen. This approach is kinda similar to the approach used in Microsoft Defender Application Control with Microsoft ISG (file reputation lookup). In Windows 11, Microsoft announced adding ISG reputation feature to Defender's Security Center:

Of course, this new Defender setting will be also beneficial to SWH if one will be able to live with many false positives.
SWH does not protect against PE malware (EXE, DLL, etc.) and ISG just does it.:)
For now, similar protection can be applied by SWH + Defender with ConfigureDefender MAX settings.
Any plans when the stable version of SWH is coming? :unsure:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top