How did you understand the info in the help file for <MS Office> option?
Edit.
This help requires a correction - these restrictions works also on MS Office 2019.
Last edited:
Simple Windows Hardening
- Thread starter Andy Ful
- Start date
Edit.
This help requires a correction - these restrictions works also on MS Office 2019.
SWH vs. SocGholish
www.cybereason.com
According to the Red Canary’s 2022 Threat Detection Report, this threat is among the most prevalent threats:
The cases of SWH vs. Qbot (Quakbot) and Gootkit (Gootloader) can be found here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-978585
https://malwaretips.com/threads/simple-windows-hardening.102265/post-971785
The difference between GootLoader and Gootkit (not important in this post):
https://redcanary.com/blog/gootloader/
I will try to post about other prevalent threats like TA551 in my next post.
SocGholish and Gootkit used a similar infection chain:
https://redcanary.com/threat-detection-report/threats/socgholish/
https://redcanary.com/threat-detection-report/threats/gootkit/
SWH can block this threat by default via SRP restrictions for scripts.
THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems
This report provides unique insight into SocGholish and Zloader attacks and provides an overview of the common tactics and techniques in SocGholish infections...
www.cybereason.com
According to the Red Canary’s 2022 Threat Detection Report, this threat is among the most prevalent threats:
The cases of SWH vs. Qbot (Quakbot) and Gootkit (Gootloader) can be found here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-978585
https://malwaretips.com/threads/simple-windows-hardening.102265/post-971785
The difference between GootLoader and Gootkit (not important in this post):
https://redcanary.com/blog/gootloader/
I will try to post about other prevalent threats like TA551 in my next post.
SocGholish and Gootkit used a similar infection chain:
https://redcanary.com/threat-detection-report/threats/socgholish/
https://redcanary.com/threat-detection-report/threats/gootkit/
SWH can block this threat by default via SRP restrictions for scripts.
Last edited:
Thanks again @Andy Ful for another one of your "Top Shelf" SWH malware prevention demonstration posts 
SWH vs. TA551 phishing campaigns
redcanary.com
The report shows that password-protected ZIP attachments with Word documents were used in the attacks. This pretty common type of attack is blocked by default in SWH via disabling VBA in MS Office.
Such attacks can be easily prevented even without SWH, by not allowing macros in MS Office documents. If macros are enabled then the defense is more complicated. But in most cases, the attacks can be mitigated by:
Edit.
Another example of the recent TA551 attack via ISO file (LNK + DLL) was analyzed here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-985951
TA551 - Red Canary Threat Detection Report
TA551, also known as Shathak, is a threat group that uses large-scale phishing campaigns to deliver additional malware payloads.
redcanary.com
The report shows that password-protected ZIP attachments with Word documents were used in the attacks. This pretty common type of attack is blocked by default in SWH via disabling VBA in MS Office.
Such attacks can be easily prevented even without SWH, by not allowing macros in MS Office documents. If macros are enabled then the defense is more complicated. But in most cases, the attacks can be mitigated by:
- Restricting network connections of MS Word and popular LOLBins (certutil.exe, mshta.exe, etc.). One can use the FirewallHardening tool for that (or apply manually the rules in the firewall).
But, this attack can be modified to drop the payload embedded/encoded in the document - in such a case, restricting network connection will not help. - Applying parent-child protection to prevent spawning by MS Word some LOLBins (regsvr32.exe, rundll32.exe, etc.) that can execute DLLs. This can be done via the HIPS module in AV or ASR rules (like in Microsoft Defender / ConfigureDefender HIGH settings). But, the macro in the attack can be modified by accessing the WMI service via WinMgmts moniker to bypass the parent-child monitoring. So, one has to additionally restrict WMI (can be done in Microsoft Defender via ASR rules).
Edit.
Another example of the recent TA551 attack via ISO file (LNK + DLL) was analyzed here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-985951
Last edited:
Some of the threats noted in Red Canary’s 2022 Threat Detection Report are penetration tools/frameworks used in the already compromised environment. They are used in highly targeted attacks (mostly in lateral movement), so I skipped them in the SWH thread.
The rest of the most prevalent threats: TA551, Qbot (Quakbot), SocGholish, Yellow Cockatoo (SolarMarker), and Gootkit (Gootloader) could be reused in the attacks against home users.The Yellow Cockatoo threat uses EXE/MSI files as an initial infection vector so it is beyond the scope of SWH. The Yellow Cockatoo (SolarMarker) uses EXE/MSI files. The older versions were not fileless, so they were beyond the scope of SWH. The recent versions described in the RedCanary Report use also EXE/MSI files, but the malicious actions are performed by the PowerShell script, so the malware is blocked by SWH (default settings).
Other threats were already analyzed and all of them could be blocked by older versions of SWH (default settings) + Defender / ConfigureDefender HIGH settings. The new versions of SWH (ver. 1.1.1.1 and later) can block these threats by the recommended settings in SWH (even without ConfigureDefender).
Post edited.
The rest of the most prevalent threats: TA551, Qbot (Quakbot), SocGholish, Yellow Cockatoo (SolarMarker), and Gootkit (Gootloader) could be reused in the attacks against home users.
Other threats were already analyzed and all of them could be blocked by older versions of SWH (default settings) + Defender / ConfigureDefender HIGH settings. The new versions of SWH (ver. 1.1.1.1 and later) can block these threats by the recommended settings in SWH (even without ConfigureDefender).
Post edited.
Last edited:
SWH vs. TA551 phishing campaigns
TA551 - Red Canary Threat Detection Report
TA551, also known as Shathak, is a threat group that uses large-scale phishing campaigns to deliver additional malware payloads.
But, the macro in the attack can be modified by accessing the WMI service via WinMgmts moniker to bypass the parent-child monitoring. So, one has to additionally restrict WMI (can be done in Microsoft Defender via ASR rules).
So I guess these protections, at least the first two, in OSA would would mitigate this avenue of attack as well?
SWH vs. Yellow Cockatoo (SolarMarker)
redcanary.com
unit42.paloaltonetworks.com
In one of my previous posts, I mentioned that EXE/MSI threats are beyond the scope of SWH - such threats are not fileless malware. But in the case of the recent Yellow Cockatoo attacks, the situation is more complex. It uses EXE/MSI file to execute a benign application (PDF Merge) and malicious Powershell script. SWH blocks PowerShell scripts by default so the attack can be blocked. A similar attack was analyzed in the SWH thread here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-973934
On the contrary, the older less advanced Yellow Cockatoo (SolarMarker) attacks did not use fileless methods, so they were beyond the scope of SWH.
Yellow Cockatoo - Red Canary Threat Detection Report
Yellow Cockatoo is an activity cluster involving a remote access trojan (RAT) that filelessly delivers various other malware modules.
redcanary.com
New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns
A new version of SolarMarker malware appears to upgrade evasion abilities and demonstrates that the infostealer and backdoor continues to evolve.
unit42.paloaltonetworks.com
In one of my previous posts, I mentioned that EXE/MSI threats are beyond the scope of SWH - such threats are not fileless malware. But in the case of the recent Yellow Cockatoo attacks, the situation is more complex. It uses EXE/MSI file to execute a benign application (PDF Merge) and malicious Powershell script. SWH blocks PowerShell scripts by default so the attack can be blocked. A similar attack was analyzed in the SWH thread here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-973934
On the contrary, the older less advanced Yellow Cockatoo (SolarMarker) attacks did not use fileless methods, so they were beyond the scope of SWH.
In this writeup of Yellow-cockatoo RAT, it mentions powershell being used (Detection opportunity 3) to create .lnk files in the startup directory and eventually launches a command-line script to install a malicious dll.
How to detect Yellow Cockatoo remote access trojan
Red Canary Intel detected a cluster of malicious activity executing a .NET RAT across multiple industries. Here’s how you can too.
redcanary.com
Wouldn't SWH stop this malicious use of powershell, or is it too late already because the executable is already installed?
EDIT
I guess RunBySmartscreen could be used in H_C to check the initial executable when launching it.
Last edited:
In this writeup of Yellow-cockatoo RAT, it mentions powershell being used (Detection opportunity 3) to create .lnk files in the startup directory and eventually launches a command-line script to install a malicious dll.
How to detect Yellow Cockatoo remote access trojan
Red Canary Intel detected a cluster of malicious activity executing a .NET RAT across multiple industries. Here’s how you can too.
Wouldn't SWH stop this malicious use of powershell, or is it too late already because the executable is already installed?
EDIT
I guess RunBySmartscreen could be used in H_C to check the initial executable when launching it.
This example is fileless, too. It will be blocked by SWH settings.
The malware that could not be fully blocked was the Jupyter infostealer (mentioned in the RedCanary article).
In the Jupyter example (precursor of Yellow Cockatoo), the first part of the attack installed the malware into the memory and could get the persistence. The PowerShell was used in the next stage after the machine had been already compromised. I am not sure how dangerous could the first part of the attack, but in the current versions of Yellow Cockatoo this part is skipped and the installation is fully done via PowerShell.
Last edited:
Okay, so I guess there are different versions, some more advanced than others, of Yellow Cockatoo. Thanks.
I would say, that there are different versions with the tendency to be more fileless. It is hard to say if the more fileless versions are also more advanced. Simply, the AVs are better and better at detecting non-fileless malware, so the malc0ders try to adapt.
Hey, as the new SWH version requires the standalone Documents Anti-Exploit tool to work similar as before I need to know what the different settings do. What's ON1, ON2, Partial etc? Didn't find any explanation anywhere. Hope somebody can help.
https://malwaretips.com/threads/simple-windows-hardening.102265/post-989494Hey, as the new SWH version requires the standalone Documents Anti-Exploit tool to work similar as before I need to know what the different settings do. What's ON1, ON2, Partial etc? Didn't find any explanation anywhere. Hope somebody can help.
Let me know if this help included in SWH is sufficient.
Gandalf_The_Grey
Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Click the green buttons (Adobe Acrobat Reader, MS Office) for more infoHey, as the new SWH version requires the standalone Documents Anti-Exploit tool to work similar as before I need to know what the different settings do. What's ON1, ON2, Partial etc? Didn't find any explanation anywhere. Hope somebody can help.
Also post 493 and 496 of this thread give some info.
RunBySmartscreen vs. GuLoader
www.fortinet.com
malwaretips.com
GuLoader is delivered via EXE (NSIS) installer embedded in the ISO file, so it is a good example to show how RunBySmartscreen can help. This delivery method is pretty popular.
Infection chain:
Email with phishing URL ----> ISO file downloaded via URL ----> User opens ISO image ----> User opens the file which is EXE malware instead expected PDF document.
## Using RunBySmartscreen tool.
Even if the ISO file is downloaded via Edge web browser, the SmartScreen will ignore it.
After the ISO (optical disc image) file is downloaded the user opens it from the web browser and can see this:
At this moment (File Explorer opened) the RunBySmartscreen should be used. One has to use the mouse to right-click on the file to open the Explorer context menu and choose the "Run By SmartScreen" option (the user does not have to know what kind of file it is). This forces checking the EXE, MSI, COM, and SCR files by SmartScreen reputation - the safe executables are automatically executed. For other files, the info is displayed. The music files, photos, videos, etc. are automatically opened.
In the case of the malicious EXE file (like in this example) the home user will see the well known SmartScreen alert:
Without RunBySmartscreen, the file embedded in the ISO file will be opened without SmartScreen check.
See also another example of using RunBySmartscreen:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-980775
Spoofed Saudi Purchase Order Drops GuLoader: Part 1 | FortiGuard Labs
FortiGuard Labs recently discovered a social engineering email lure with a message delivered to a company in Ukraine. In part I of our blog, we will analyze the phishing email and provide an analys…
New Chaos Ransomware Builder Variant "Yashma" Discovered in the Wild
Cybersecurity researchers have disclosed details of the latest version of the Chaos ransomware line, dubbed Yashma. "Though Chaos ransomware builder has only been in the wild for a year, Yashma claims to be the sixth version (v6.0) of this malware," BlackBerry research and intelligence team said...
malwaretips.com
GuLoader is delivered via EXE (NSIS) installer embedded in the ISO file, so it is a good example to show how RunBySmartscreen can help. This delivery method is pretty popular.
Infection chain:
Email with phishing URL ----> ISO file downloaded via URL ----> User opens ISO image ----> User opens the file which is EXE malware instead expected PDF document.
## Using RunBySmartscreen tool.
Even if the ISO file is downloaded via Edge web browser, the SmartScreen will ignore it.
After the ISO (optical disc image) file is downloaded the user opens it from the web browser and can see this:
At this moment (File Explorer opened) the RunBySmartscreen should be used. One has to use the mouse to right-click on the file to open the Explorer context menu and choose the "Run By SmartScreen" option (the user does not have to know what kind of file it is). This forces checking the EXE, MSI, COM, and SCR files by SmartScreen reputation - the safe executables are automatically executed. For other files, the info is displayed. The music files, photos, videos, etc. are automatically opened.
In the case of the malicious EXE file (like in this example) the home user will see the well known SmartScreen alert:
Without RunBySmartscreen, the file embedded in the ISO file will be opened without SmartScreen check.
See also another example of using RunBySmartscreen:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-980775
Last edited:
RunBySmartscreen does not scan anything. In the case of EXE, COM, MSI, and SCR files it adds the MOTW to the file and lets it open by Windows. More about the importance of MOTW:
Mark-of-the-Web from a red team’s perspective
Mark-of-the-Web from a red team’s perspective Stan Hegt | March 30, 2020 Zone Identifier Alternate Data Stream information, commonly referred to as Mark-of-the-Web (abbreviated MOTW), can be a significant hurdle for red teamers and penetration testers, especially when attempting to gain an...
malwaretips.com
After adding the MOTW, Windows thinks that the file has been downloaded from the Internet and the file is checked by SmartScreen for Explorer (file reputation lookup in the Microsoft cloud). Like any top file reputation, it is much safer than any AV detection. Of course, the files are also scanned/detected as usual by the AV.
RunBySmartscreen would not be needed if Windows could add MOTW to the files embedded in archives, disk images, files stored on FAT32 USB drives, and Memory cards. Even if such files have been downloaded from the Internet, Windows cannot recognize this, and SmartScreen for Explorer is not triggered.
Last edited:
You may also like...
-
Defender Hardening Console (part of Hawk Eye Analysis Platform)- Started by Trident
- Replies: 62
-
Windows 11 Patch Tuesday January 2026 (KB5074109, KB5073455)- Started by silversurfer
- Replies: 18
-
-
