New Update Simple Windows Hardening

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
SWH vs. Quakbot

The emails can be jarring, but the technique used by Qakbot (aka Qbot) seems to be especially convincing: The email-borne malware has a tendency to spread itself around by inserting malicious replies into the middle of existing email conversations, using the compromised accounts of other infection victims. These interjections in the form of a reply-all message include a short sentence, and a link to download a zip file containing a malicious office document, one that brings down the malware when someone opens it.

This attack vector is blocked with SWH ver. 1.1.1.1.
SWH ver. 2.0.0.0 can block such attacks in Recommended Settings (including the DocumentsAntiExploit tool).

This threat could bypass SWH versions prior to 1.1.1.1 on default settings. It used the Excel XLSB binary workbook which could abuse the DDE feature and Regsvr32 LOLBin. It was not related to macros (VBA or Excel 4.0).

The infection chain (delivery stage in blue):
Email interjection with URL ---> download XLSB document packed in ZIP file --->
open XLSB document (DDE) ---> intermediate payload dropped and executed via Regsvr32 LOLBin ---> ..... ----> main payload injected to Explorer (C&C server connections)

How H_C_Hardening tools could prevent this attack?
  • ConfigureDefender HIGH - Excel will be blocked from using the Regsrv32 LOLBin by the ASR rule "Block Office applications from creating child processes".
  • FirewallHardening - cannot block this particular infection (payload is not downloaded from the Internet), but can block (LOLBins blocked) the abused Explorer from connecting the C&C server.
  • DocumentsAntiExploit tool - blocks DDE feature n Excel and Regsrv32 LOLBin will not run.

Post updated to include the info related to SWH ver. 1.1.1.1 and later.
 
Last edited:

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,064
when are you going to have some time to fix the appinstaller bug? Thank you very much for your immense work.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
when are you going to have some time to fix the appinstaller bug? Thank you very much for your immense work.
Which bug?:unsure:

Do you mean your old post?
https://malwaretips.com/threads/simple-windows-hardening.102265/post-974191

If so, then it was already explained and has nothing to do with AppInstaller.
https://malwaretips.com/threads/simple-windows-hardening.102265/post-974141

Your problem is related to web applications that run into a web browser. Their application window is a web browser process although it looks slightly different (most options are removed from the window). If you use a popular web browser then the web applications run in the sandbox. They do not use AppInstaller.

AppInstaller installs Universal Windows Applications that can run without a web browser.
Two different things.(y)
 
Last edited:
  • Like
  • Thanks
Reactions: Nevi and eonline

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
548
From the article:

The malicious .xlsb file triggers regsvr32 to load DLL payloads it drops in a five-character folder name on the root of the C: drive

I guess another endorsement for OSArmor:

OSA-1.png

...but of course I realize with H_C on Default or Max settings, OSA is not needed :)

EDIT

I really should have stated "another endorsement for OSArmor as a complimentary tool to SWH" No intent to steer OT.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040

Regsvr32 is used to register and unregister OLE controls. It is too often used for benign processes (also for DLLs in UserSpace). That is why it is in the experimental section. One can adopt an alternative method by using Windows 10 Exploit protection mitigation for regsvr.exe (Code Integrity Guard). This will block all OLE controls not signed by Microsoft (or Microsoft Store).
In most cases, the abused Regsvr32 is used to run the OLE controls from remote locations (including the Internet) and this method is very rarely used by benign processes on home computers. So, it is safe to block the outbound connections via the Firewall rule. This is also the idea adopted in FirewallHardening for many other LOLBins.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...but of course I realize with H_C on Default or Max settings, OSA is not needed :)

LOLBins (including Regsvr32) are mostly used by shortcuts, documents, and scripts. So, blocking Regsvr32 is not necessary also in SWH. When using MS Office one has to remember to properly configure SWH or use Defender with ASR rules.
If this configuration is too restrictive, then one has to seek additional protection. There are many possibilities. One of them can be OSA.
 
Last edited:

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
548
Regsvr32 is used to register and unregister OLE controls. It is too often used for benign processes (also for DLLs in UserSpace). That is why it is in the experimental section.

Your post gave me reason to check OSA's Exclusions for anything Regsvr32 related and there is nothing so far, so I guess my simple home usage hasn't done anything yet to require the need for Regsvr32 to load DLL's.

Otherwise you keep providing more compelling evidence that I don't really need OSA :D
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Your post gave me reason to check OSA's Exclusions for anything Regsvr32 related and there is nothing so far, so I guess my simple home usage hasn't done anything yet to require the need for Regsvr32 to load DLL's.

Otherwise you keep providing more compelling evidence that I don't really need OSA :D

You probably do not need OSA and SWH.(y):)
I do not need many things too. I usually keep them because I like them and I do not have a heart to throw them out.:)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
under typical operating & application usage, regsvr is very rarely needed, almost exclusively when installing programs, it can be blocked without any breakages
Yes. Sometimes it is used after Windows Updates for something. I block it via H_C (and over 170 LOLBins including Windows Script Host, PowerShell, and CMD) for a few years on my wife's computer without any issue. But my wife uses only applications from Microsoft Store and two desktop applications. :)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Anyway, sometimes it refuses to work on some computers for some reason. It is like eating mushrooms. Most people can eat them all their life without problems, but some die. Furthermore, blocking LOLBins on a home computer (Windows 10) is really not necessary when using properly configured SWH. Of course, there is nothing wrong with blocking some of them if one likes/needs such restrictions. The easiest way is simply using H_C.

There is a difference between SWH (H_C) and common configurations of Applocker or MDAC. So the necessity of blocking LOLBins in Applocker and MDAC does not pass to SWH (H_C). For example, in MDAC the scripts are not blocked (like in SWH or H_C) but only restricted. Furthermore, shortcuts are allowed, and this opens a wide road for using LOLBins. When using SWH or H_C, the scripts, shortcuts, and many files with executable content are blocked. The setup is much more restricted. So, the attacker can hardly use LOLBins, except when exploiting something.
 
Last edited:

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
@Andy Ful I have two questions about the DocumentsAntiExploit tool:
1) Does the Adobe Reader setting work with Adobe Reader DC 64bit?
I got no yellow message bar and had to configure it in Adobe Reader myself.

2) What is the best setting for the latest MS office 365 64-bit ON1 or ON2?
The real difference between those two settings is not clear to me.

I'm currently using Windows 11 with Ziggo Safe Online by F-Secure 18.2 (Default Settings), Simple Windows Hardening 1.0.1.1 beta 3 (Basic Recommended Settings) and DocumentsAntiExploit 2.0.0.0 (Adobe Reader ON, MS Office ON2).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful I have two questions about the DocumentsAntiExploit tool:
1) Does the Adobe Reader setting work with Adobe Reader DC 64bit?
I got no yellow message bar and had to configure it in Adobe Reader myself.

Yes, it worked. I will test the new version of Adobe Reader DC this week.

2) What is the best setting for the latest MS office 365 64-bit ON1 or ON2?
The real difference between those two settings is not clear to me.

The ON2 and ON2 differ only with the access level.
When ON1 is set then the restrictions can be changed with standard rights from the MS Office application. If you do it, then such custom settings will be displayed in DocumentsAntiExploit tool as "Partial".
When ON2 settings are applied, then you cannot change them from the MS Office application and high privileges are required to change these settings (can be done via Windows Registry).
The ON2 settings are safer because the malware with standard rights cannot change them. But, ON1 settings are also rather safe - they will prevent most weaponized documents from running the active content that could change these settings.
I'm currently using Windows 11 with Ziggo Safe Online by F-Secure 18.2 (Default Settings), Simple Windows Hardening 1.0.1.1 beta 3 (Basic Recommended Settings) and DocumentsAntiExploit 2.0.0.0 (Adobe Reader ON, MS Office ON2).
That is OK.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Thanks, the Adobe Reader thing could also be something just on my system.

I was recently "forced" for work related reasons to use Adobe Reader and noticed no yellow message bar and configured it from Adobe Reader's settings.

1647872748210.png

Great to know that ON2 is the safest option, and I will keep it like that (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
... Adobe Reader thing could also be something just on my system.

No. I tested the new version and it has got some changes that will require updating the DocumentsAntiExploit tool.
Thank you, for reporting the issue.(y)

It seems that the default settings in Adobe Reader DC are now pretty much safe because the AppContainer is enabled by default.

The main problem is the way of applying the "Protected View" (disabled on default settings). Adobe insists on showing the option on the yellow bar that allows the user to easily enable all features for the document. There is no way to get rid of it (on the contrary to MS Office macros).

1647946403644.png


So, even when JavaScript and some other vulnerable features are disabled for all documents, they will be enabled for this particular document. Thank god, that the document is still opened in the AppContainer.
The "Protected View" is very strong - so strong that it even blocks printing. It is not a protection for casual users, who will probably use the option "Enable All Features" on the yellow bar to bypass most restrictions.
On the other side, it can be good protection for more advanced/cautious users.:unsure:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
For casual users, the best Adobe Acrobat Reader settings are probably the default ones (Protected View = OFF) and additionally:
  1. Disable JavaScript.
  2. Disable opening of non-PDF file attachments with external applications.
  3. Block PDF files to all web sites.
  4. Enable Defender's ASR rule for Adobe.
Even if the user will enable JavaScript for the document, it will run in AppContainer. Acrobat Reader cannot use opening non-PDF attachments in external applications or URLs embedded in the documents, and cannot run other applications/LOLBins.

When one uses Protected View and the Defender's ASR rule, then after using "Enable All Features", the protection is also OK. But URLs will be opened in the web browser.

The Protected View, especially without the Defender ASR rule, is not good for casual users.
 
Last edited:

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
For casual users, the best Adobe Acrobat Reader settings are probably the default ones (Protected View = OFF) and additionally:
  1. Disable JavaScript.
  2. Disable opening of non-PDF file attachments with external applications.
  3. Block PDF files to all web sites.
  4. Enable Defender's ASR rule for Adobe.
Even if the user will enable JavaScript for the document, it will run in AppContainer. Acrobat Reader cannot use opening non-PDF attachments in external applications or URLs embedded in the documents, and cannot run other applications/LOLBins.

All of these restrictions (except JavaScript running in AppContainer) are bypassed when one uses Protected View and pressed "Allow All Features". The Defender's ASR rule prevents opening non-PDF attachments and running external processes.
What does that mean for Simple Windows Hardening and DocumentsAntiExploit?
Do not use the Abobe Reader settings?
Or are we able to change to those settings in a next version?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top