New Update Simple Windows Hardening

[Andy Ful]

Let me get this right. That is, if I want to use desktop Office, do I need to set the Current user restriction of MS Office to ON2, or ON1? Will it be possible to open .xls, .xlsx files with this setting?

How did you understand the info in the help file for <MS Office> option?

Edit.
This help requires a correction - these restrictions works also on MS Office 2019. They probably work on MS Office 2021 too, but I did not test this version yet. Tested today, and all work well on MS Office 20121, too.

 

[Andy Ful]

SWH vs. SocGholish

THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems

This report provides unique insight into SocGholish and Zloader attacks and provides an overview of the common tactics and techniques in SocGholish infections...

www.cybereason.com

According to the Red Canary’s 2022 Threat Detection Report, this threat is among the most prevalent threats:

The cases of SWH vs. Qbot (Quakbot) and Gootkit (Gootloader) can be found here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-978585
https://malwaretips.com/threads/simple-windows-hardening.102265/post-971785
The difference between GootLoader and Gootkit (not important in this post):
https://redcanary.com/blog/gootloader/

I will try to post about other prevalent threats like TA551 in my next post.

SocGholish and Gootkit used a similar infection chain:
https://redcanary.com/threat-detection-report/threats/socgholish/
https://redcanary.com/threat-detection-report/threats/gootkit/

SocGholish operators host a malicious website that implements a drive-by-download mechanism. Previous research shows that the SocGholish operators use a legitimate website and host another, malicious website in its context, for example, in an inline frame (iframe) object. The legitimate website displays content to which end-users may be lured, such as critical browser updates. The malicious website may implement, for example, JavaScript code, or conduct URL redirections to trigger the download of an archive file that stores a malicious JavaScript script.

SWH can block this threat by default via SRP restrictions for scripts.

 

[wat0114]

Thanks again @Andy Ful for another one of your "Top Shelf" SWH malware prevention demonstration posts

 

[Andy Ful]

SWH vs. TA551 phishing campaigns

TA551 - Red Canary Threat Detection Report

TA551, also known as Shathak, is a threat group that uses large-scale phishing campaigns to deliver additional malware payloads.

redcanary.com

The report shows that password-protected ZIP attachments with Word documents were used in the attacks. This pretty common type of attack is blocked by default in SWH via disabling VBA in MS Office.

Such attacks can be easily prevented even without SWH, by not allowing macros in MS Office documents. If macros are enabled then the defense is more complicated. But in most cases, the attacks can be mitigated by:

1. Restricting network connections of MS Word and popular LOLBins (certutil.exe, mshta.exe, etc.). One can use the FirewallHardening tool for that (or apply manually the rules in the firewall).
   But, this attack can be modified to drop the payload embedded/encoded in the document - in such a case, restricting network connection will not help.
2. Applying parent-child protection to prevent spawning by MS Word some LOLBins (regsvr32.exe, rundll32.exe, etc.) that can execute DLLs. This can be done via the HIPS module in AV or ASR rules (like in Microsoft Defender / ConfigureDefender HIGH settings). But, the macro in the attack can be modified by accessing the WMI service via WinMgmts moniker to bypass the parent-child monitoring. So, one has to additionally restrict WMI (can be done in Microsoft Defender via ASR rules).

It is worth knowing that this type of attack does not use *.exe payloads. The final payload (Ursnif, Zloader, Valak, IceId, Qbot) was injected into the system process (svchost.exe, msiexec.exe, etc.). Such injections are not easy to detect by Avs.

Edit.
Another example of the recent TA551 attack via ISO file (LNK + DLL) was analyzed here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-985951

 

[Andy Ful]

Some of the threats noted in Red Canary’s 2022 Threat Detection Report are penetration tools/frameworks used in the already compromised environment. They are used in highly targeted attacks (mostly in lateral movement), so I skipped them in the SWH thread.

Mimikatz​

Mimikatz is a credential-dumping utility commonly leveraged by adversaries, penetration testers, and red teams to extract passwords. As an open source project, Mimikatz continues to be actively developed, with several new features added in 2020.
https://redcanary.com/threat-detection-report/threats/mimikatz/

BloodHound​

BloodHound is an open source tool that provides visibility into Active Directory environments. It is a common precursor to follow-on activity, whether that’s further testing or ransomware. It is a common precursor to follow-on activity, whether that’s further testing or ransomware.
https://redcanary.com/threat-detection-report/threats/bloodhound/

Impacket​

Though Impacket is used legitimately for testing, it is often abused by ransomware operators and other adversaries, thanks in large part to its versatility.
At its core, Impacket is a collection of Python libraries that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. These Python classes are used in multiple tools, including post-exploitation and vulnerability-scanning products, to facilitate command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI).
https://redcanary.com/threat-detection-report/threats/impacket/

Cobalt Strike​

Cobalt Strike continues to be a favorite C2 tool among adversaries, as many rely on its functionality to maintain a foothold into victim organizations.
https://redcanary.com/threat-detection-report/threats/cobalt-strike/

Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.
https://www.cobaltstrike.com/

Metasploit​

Penetration testing software to help you act like the attacker​

Attackers are always developing new exploits and attack methods—Metasploit penetration testing software helps you use their own weapons against them. Utilizing an ever-growing database of exploits, you can safely simulate real-world attacks on your network to train your security team to spot and stop the real thing.
https://www.rapid7.com/products/metasploit/

The rest of the most prevalent threats: TA551, Qbot (Quakbot), SocGholish, Yellow Cockatoo (SolarMarker), and Gootkit (Gootloader) could be reused in the attacks against home users. The Yellow Cockatoo threat uses EXE/MSI files as an initial infection vector so it is beyond the scope of SWH. The Yellow Cockatoo (SolarMarker) uses EXE/MSI files. The older versions were not fileless, so they were beyond the scope of SWH. The recent versions described in the RedCanary Report use also EXE/MSI files, but the malicious actions are performed by the PowerShell script, so the malware is blocked by SWH (default settings).

Other threats were already analyzed and all of them could be blocked by older versions of SWH (default settings) + Defender / ConfigureDefender HIGH settings. The new versions of SWH (ver. 1.1.1.1 and later) can block these threats by the recommended settings in SWH (even without ConfigureDefender).

Post edited.

 

[wat0114]

SWH vs. TA551 phishing campaigns

TA551 - Red Canary Threat Detection Report

TA551, also known as Shathak, is a threat group that uses large-scale phishing campaigns to deliver additional malware payloads.

redcanary.com

But, the macro in the attack can be modified by accessing the WMI service via WinMgmts moniker to bypass the parent-child monitoring. So, one has to additionally restrict WMI (can be done in Microsoft Defender via ASR rules).

So I guess these protections, at least the first two, in OSA would would mitigate this avenue of attack as well?

 

[Andy Ful]

So I guess these protections, at least the first two, in OSA would would mitigate this avenue of attack as well?

View attachment 266833

Yes. The last one.

 

[Andy Ful]

SWH vs. Yellow Cockatoo (SolarMarker)

Yellow Cockatoo - Red Canary Threat Detection Report

Yellow Cockatoo is an activity cluster involving a remote access trojan (RAT) that filelessly delivers various other malware modules.

redcanary.com

New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns

A new version of SolarMarker malware appears to upgrade evasion abilities and demonstrates that the infostealer and backdoor continues to evolve.

unit42.paloaltonetworks.com

In one of my previous posts, I mentioned that EXE/MSI threats are beyond the scope of SWH - such threats are not fileless malware. But in the case of the recent Yellow Cockatoo attacks, the situation is more complex. It uses EXE/MSI file to execute a benign application (PDF Merge) and malicious Powershell script. SWH blocks PowerShell scripts by default so the attack can be blocked. A similar attack was analyzed in the SWH thread here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-973934

On the contrary, the older less advanced Yellow Cockatoo (SolarMarker) attacks did not use fileless methods, so they were beyond the scope of SWH.

 

[wat0114]

On the contrary, the older less advanced Yellow Cockatoo (SolarMarker) attacks did not use fileless methods, so they were beyond the scope of SWH.

In this writeup of Yellow-cockatoo RAT, it mentions powershell being used (Detection opportunity 3) to create .lnk files in the startup directory and eventually launches a command-line script to install a malicious dll.

How to detect Yellow Cockatoo remote access trojan

Red Canary Intel detected a cluster of malicious activity executing a .NET RAT across multiple industries. Here’s how you can too.

redcanary.com

Wouldn't SWH stop this malicious use of powershell, or is it too late already because the executable is already installed?

EDIT

I guess RunBySmartscreen could be used in H_C to check the initial executable when launching it.

 

[Andy Ful]

In this writeup of Yellow-cockatoo RAT, it mentions powershell being used (Detection opportunity 3) to create .lnk files in the startup directory and eventually launches a command-line script to install a malicious dll.

How to detect Yellow Cockatoo remote access trojan

Red Canary Intel detected a cluster of malicious activity executing a .NET RAT across multiple industries. Here’s how you can too.

redcanary.com

Wouldn't SWH stop this malicious use of powershell, or is it too late already because the executable is already installed?

EDIT

I guess RunBySmartscreen could be used in H_C to check the initial executable when launching it.

This example is fileless, too. It will be blocked by SWH settings.
The malware that could not be fully blocked was the Jupyter infostealer (mentioned in the RedCanary article).

Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into a memory. This client has a well defined communication protocol, versioning matrix, and has recently included persistence modules. The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module

https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf

In the Jupyter example (precursor of Yellow Cockatoo), the first part of the attack installed the malware into the memory and could get the persistence. The PowerShell was used in the next stage after the machine had been already compromised. I am not sure how dangerous could the first part of the attack, but in the current versions of Yellow Cockatoo this part is skipped and the installation is fully done via PowerShell.

 

[wat0114]

This example is fileless, too. It will be blocked by SWH settings.
The malware that could not be fully blocked was the Jupyter infostealer (mentioned in the RedCanary article).

Okay, so I guess there are different versions, some more advanced than others, of Yellow Cockatoo. Thanks.

 

[L0ckJaw]

Thanks @Andy Ful for the new version

 

[Andy Ful]

Okay, so I guess there are different versions, some more advanced than others, of Yellow Cockatoo. Thanks.

I would say, that there are different versions with the tendency to be more fileless. It is hard to say if the more fileless versions are also more advanced. Simply, the AVs are better and better at detecting non-fileless malware, so the malc0ders try to adapt.

 

[Kongo]

Hey, as the new SWH version requires the standalone Documents Anti-Exploit tool to work similar as before I need to know what the different settings do. What's ON1, ON2, Partial etc? Didn't find any explanation anywhere. Hope somebody can help.

 

[Andy Ful]

Hey, as the new SWH version requires the standalone Documents Anti-Exploit tool to work similar as before I need to know what the different settings do. What's ON1, ON2, Partial etc? Didn't find any explanation anywhere. Hope somebody can help.

https://malwaretips.com/threads/simple-windows-hardening.102265/post-989494

Let me know if this help included in SWH is sufficient.

 

[Gandalf_The_Grey]

Hey, as the new SWH version requires the standalone Documents Anti-Exploit tool to work similar as before I need to know what the different settings do. What's ON1, ON2, Partial etc? Didn't find any explanation anywhere. Hope somebody can help.

Click the green buttons (Adobe Acrobat Reader, MS Office) for more info
Also post 493 and 496 of this thread give some info.

 

[Kongo]

Seems like I am just blind. Thanks guys!

 

[Andy Ful]

RunBySmartscreen vs. GuLoader

Spoofed Saudi Purchase Order Drops GuLoader: Part 1 | FortiGuard Labs

FortiGuard Labs recently discovered a social engineering email lure with a message delivered to a company in Ukraine. In part I of our blog, we will analyze the phishing email and provide an analys…

www.fortinet.com

New Chaos Ransomware Builder Variant "Yashma" Discovered in the Wild

Cybersecurity researchers have disclosed details of the latest version of the Chaos ransomware line, dubbed Yashma. "Though Chaos ransomware builder has only been in the wild for a year, Yashma claims to be the sixth version (v6.0) of this malware," BlackBerry research and intelligence team said...

malwaretips.com

GuLoader is delivered via EXE (NSIS) installer embedded in the ISO file, so it is a good example to show how RunBySmartscreen can help. This delivery method is pretty popular.

Infection chain:
Email with phishing URL ----> ISO file downloaded via URL ----> User opens ISO image ----> User opens the file which is EXE malware instead expected PDF document.


## Using RunBySmartscreen tool.

Even if the ISO file is downloaded via Edge web browser, the SmartScreen will ignore it.
After the ISO (optical disc image) file is downloaded the user opens it from the web browser and can see this:

At this moment (File Explorer opened) the RunBySmartscreen should be used. One has to use the mouse to right-click on the file to open the Explorer context menu and choose the "Run By SmartScreen" option (the user does not have to know what kind of file it is). This forces checking the EXE, MSI, COM, and SCR files by SmartScreen reputation - the safe executables are automatically executed. For other files, the info is displayed. The music files, photos, videos, etc. are automatically opened.

In the case of the malicious EXE file (like in this example) the home user will see the well known SmartScreen alert:

Without RunBySmartscreen, the file embedded in the ISO file will be opened without SmartScreen check.

See also another example of using RunBySmartscreen:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-980775

 

[Digmor Crusher]

Is there a difference between scanning a file with Defender as opposed to running it with RunBySmartscreen? Would one be more secure then the other? As an example lets use an EXE file for a program you have just downloaded. Thanks.

 

[Andy Ful]

Is there a difference between scanning a file with Defender as opposed to running it with RunBySmartscreen?

RunBySmartscreen does not scan anything. In the case of EXE, COM, MSI, and SCR files it adds the MOTW to the file and lets it open by Windows. More about the importance of MOTW:

Mark-of-the-Web from a red team’s perspective

Mark-of-the-Web from a red team’s perspective Stan Hegt | March 30, 2020 Zone Identifier Alternate Data Stream information, commonly referred to as Mark-of-the-Web (abbreviated MOTW), can be a significant hurdle for red teamers and penetration testers, especially when attempting to gain an...

malwaretips.com

After adding the MOTW, Windows thinks that the file has been downloaded from the Internet and the file is checked by SmartScreen for Explorer (file reputation lookup in the Microsoft cloud). Like any top file reputation, it is much safer than any AV detection. Of course, the files are also scanned/detected as usual by the AV.

RunBySmartscreen would not be needed if Windows could add MOTW to the files embedded in archives, disk images, files stored on FAT32 USB drives, and Memory cards. Even if such files have been downloaded from the Internet, Windows cannot recognize this, and SmartScreen for Explorer is not triggered.