New Update Simple Windows Hardening

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Let me get this right. That is, if I want to use desktop Office, do I need to set the Current user restriction of MS Office to ON2, or ON1? Will it be possible to open .xls, .xlsx files with this setting?
How did you understand the info in the help file for <MS Office> option?

[screenshot: MS Office option help text]


Edit.
This help requires a correction - these restrictions also work on MS Office 2019. They probably work on MS Office 2021 too, but I did not test this version yet. Tested today, and all work well on MS Office 2021, too. :)

Andy Ful
SWH vs. SocGholish

According to the Red Canary’s 2022 Threat Detection Report, this threat is among the most prevalent threats:

[screenshot: Red Canary 2022 Threat Detection Report, most prevalent threats]

The cases of SWH vs. Qbot (Quakbot) and Gootkit (Gootloader) can be found here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-978585
https://malwaretips.com/threads/simple-windows-hardening.102265/post-971785
The difference between GootLoader and Gootkit (not important in this post):
https://redcanary.com/blog/gootloader/

I will try to post about other prevalent threats like TA551 in my next post.

SocGholish and Gootkit used a similar infection chain:
https://redcanary.com/threat-detection-report/threats/socgholish/
https://redcanary.com/threat-detection-report/threats/gootkit/
[screenshot: SocGholish / Gootkit infection chain]

SocGholish operators host a malicious website that implements a drive-by-download mechanism. Previous research shows that the SocGholish operators use a legitimate website and host another, malicious website in its context, for example, in an inline frame (iframe) object. The legitimate website displays content to which end-users may be lured, such as critical browser updates. The malicious website may implement, for example, JavaScript code, or conduct URL redirections to trigger the download of an archive file that stores a malicious JavaScript script.

SWH can block this threat by default via SRP restrictions for scripts.
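The post above says the default SWH settings block this chain through Software Restriction Policy (SRP) rules for scripts. The block below is an added illustration and is not SWH's own configuration: it writes a minimal SRP that disallows script files by extension directly to the registry keys SRP reads (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer), lists the resulting rules, and removes them again. The set of extensions, the rule descriptions and the test file are my assumptions; run it as Administrator on a test VM, not on a production machine.

```powershell
# Added example (not SWH's configuration): a minimal Software Restriction
# Policy that disallows running script files by extension. Run as Administrator.

$Safer   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Deny    = Join-Path $Safer '0\Paths'            # level 0 = Disallowed
$Marker  = 'Example script block: '              # assumed description prefix, used for cleanup
$Scripts = '*.js','*.jse','*.vbs','*.vbe','*.wsf','*.wsh','*.hta'   # assumed extension list

function Enable-SrpScriptBlock {
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    # Default level Unrestricted (0x40000); apply to all users (0); skip DLLs (1)
    New-ItemProperty -Path $Safer -Name DefaultLevel       -PropertyType DWord -Value 0x40000 -Force | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope        -PropertyType DWord -Value 0       -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1       -Force | Out-Null
    # Only extensions in this "designated file types" list are treated as software by SRP
    New-ItemProperty -Path $Safer -Name ExecutableTypes -PropertyType MultiString `
        -Value @('JS','JSE','VBS','VBE','WSF','WSH','HTA') -Force | Out-Null

    foreach ($pattern in $Scripts) {
        # Each path rule lives in its own {GUID} subkey under the Disallowed level
        $rule = Join-Path $Deny ([guid]::NewGuid().ToString('B'))
        New-Item -Path $rule -Force | Out-Null
        New-ItemProperty -Path $rule -Name ItemData    -PropertyType ExpandString -Value $pattern          -Force | Out-Null
        New-ItemProperty -Path $rule -Name SaferFlags  -PropertyType DWord        -Value 0                 -Force | Out-Null
        New-ItemProperty -Path $rule -Name Description -PropertyType String       -Value ($Marker+$pattern) -Force | Out-Null
    }
}

function Get-SrpScriptRules {
    # Show the Disallowed path rules that are currently in place
    Get-ChildItem -Path $Deny -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Rule = $_.PSChildName; Pattern = $p.ItemData; Description = $p.Description }
    }
}

function Disable-SrpScriptBlock {
    # Remove only the rules this example created (matched by description prefix)
    Get-ChildItem -Path $Deny -ErrorAction SilentlyContinue | Where-Object {
        (Get-ItemProperty -Path $_.PSPath).Description -like "$Marker*"
    } | Remove-Item -Recurse -Force
}

function Invoke-SrpScriptTest {
    # Constructed test: a harmless .js in %TEMP%. With the rules active, wscript
    # refuses to run it and the message box below never appears.
    $js = Join-Path $env:TEMP 'srp-test.js'
    Set-Content -Path $js -Value 'WScript.Echo("SRP did NOT block this script");'
    Start-Process -FilePath 'wscript.exe' -ArgumentList "`"$js`"" -Wait
    Remove-Item $js -ErrorAction SilentlyContinue
}

Enable-SrpScriptBlock
Get-SrpScriptRules
Invoke-SrpScriptTest
# Disable-SrpScriptBlock   # uncomment to roll the example back
```

SRP reads these keys when a process is created, so the rules apply to newly started scripts without a reboot. Note that with PolicyScope set to 0 the block also applies to administrators, and that the narrowed ExecutableTypes list above is only for the illustration; a real policy keeps the full default list of designated file types.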

Andy Ful
SWH vs. TA551 phishing campaigns

[screenshot: Red Canary report, TA551]


The report shows that password-protected ZIP attachments with Word documents were used in the attacks. This pretty common type of attack is blocked by default in SWH via disabling VBA in MS Office.

Such attacks can be easily prevented even without SWH, by not allowing macros in MS Office documents. If macros are enabled then the defense is more complicated. But in most cases, the attacks can be mitigated by:
  1. Restricting network connections of MS Word and popular LOLBins (certutil.exe, mshta.exe, etc.). One can use the FirewallHardening tool for that (or apply the rules manually in the firewall).
    But, this attack can be modified to drop the payload embedded/encoded in the document - in such a case, restricting network connections will not help.
  2. Applying parent-child protection to prevent MS Word from spawning some LOLBins (regsvr32.exe, rundll32.exe, etc.) that can execute DLLs. This can be done via the HIPS module in AV or ASR rules (like in Microsoft Defender / ConfigureDefender HIGH settings). But, the macro in the attack can be modified to access the WMI service via the WinMgmts moniker to bypass the parent-child monitoring. So, one has to additionally restrict WMI (can be done in Microsoft Defender via ASR rules).
It is worth knowing that this type of attack does not use *.exe payloads. The final payload (Ursnif, Zloader, Valak, IcedID, Qbot) was injected into a system process (svchost.exe, msiexec.exe, etc.). Such injections are not easy for AVs to detect.

Edit.
Another example of the recent TA551 attack via ISO file (LNK + DLL) was analyzed here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-985951
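The two mitigations in the post above (outbound firewall blocks for Word and LOLBins, and ASR rules for Office child processes plus WMI) can be applied from PowerShell. The block below is an added example and is not the code of the FirewallHardening or ConfigureDefender tools: it creates the block rules with the built-in NetSecurity cmdlets, enables the relevant Defender ASR rules by their documented GUIDs, and reads both back for verification. The Office install path, the rule names and the LOLBin list are assumptions to adjust for your system. Run as Administrator.

```powershell
# Added example (not the FirewallHardening/ConfigureDefender tools' own code).
# 1) Outbound firewall blocks for MS Word and common LOLBins.
# 2) Defender ASR rules: Office child processes, executable content, process
#    injection, and process creation via WMI/PsExec (the WinMgmts-moniker path).

$Office  = Join-Path ${env:ProgramFiles} 'Microsoft Office\root\Office16'   # assumed path
$Prefix  = 'Hardening example: block outbound '                             # assumed rule name prefix
$Blocked = @(
    (Join-Path $Office 'WINWORD.EXE'),
    "$env:SystemRoot\System32\certutil.exe",  "$env:SystemRoot\SysWOW64\certutil.exe",
    "$env:SystemRoot\System32\mshta.exe",     "$env:SystemRoot\SysWOW64\mshta.exe",
    "$env:SystemRoot\System32\regsvr32.exe",  "$env:SystemRoot\SysWOW64\regsvr32.exe",
    "$env:SystemRoot\System32\rundll32.exe",  "$env:SystemRoot\SysWOW64\rundll32.exe"
)

function Add-OutboundBlockRules {
    foreach ($exe in $Blocked) {
        $name = $Prefix + (Split-Path $exe -Leaf) + ' (' + (Split-Path (Split-Path $exe) -Leaf) + ')'
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Program $exe -Profile Any -Enabled True | Out-Null
        }
    }
}

function Get-OutboundBlockRules {
    # Read back each rule together with the program path it is bound to
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
            Action  = $_.Action
            Enabled = $_.Enabled
        }
    }
}

# ASR rule GUIDs as documented by Microsoft for Defender Antivirus
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

function Enable-AsrRules {
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

function Get-AsrRuleState {
    # Actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            Id     = $id
            Name   = $AsrRules[$id]          # hashtable keys are case-insensitive
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

Add-OutboundBlockRules
Get-OutboundBlockRules
Enable-AsrRules
Get-AsrRuleState | Where-Object Name
```

ASR rules only enforce while Defender real-time protection is active, so they are no substitute for the firewall rules on a machine running a third-party AV. The WMI/PsExec rule also blocks legitimate WMI-based process creation, which breaks Configuration Manager client management; on a home PC that is normally not an issue, but check that the audit mode (`AuditMode` instead of `Enabled`) produces no unexpected events before switching to block.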

Andy Ful
Some of the threats noted in Red Canary’s 2022 Threat Detection Report are penetration tools/frameworks used in the already compromised environment. They are used in highly targeted attacks (mostly in lateral movement), so I skipped them in the SWH thread.

Mimikatz​

Mimikatz is a credential-dumping utility commonly leveraged by adversaries, penetration testers, and red teams to extract passwords. As an open source project, Mimikatz continues to be actively developed, with several new features added in 2020.
https://redcanary.com/threat-detection-report/threats/mimikatz/

BloodHound​

BloodHound is an open source tool that provides visibility into Active Directory environments. It is a common precursor to follow-on activity, whether that's further testing or ransomware.
https://redcanary.com/threat-detection-report/threats/bloodhound/

Impacket​

Though Impacket is used legitimately for testing, it is often abused by ransomware operators and other adversaries, thanks in large part to its versatility.
At its core, Impacket is a collection of Python libraries that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. These Python classes are used in multiple tools, including post-exploitation and vulnerability-scanning products, to facilitate command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI).
https://redcanary.com/threat-detection-report/threats/impacket/

Cobalt Strike​

Cobalt Strike continues to be a favorite C2 tool among adversaries, as many rely on its functionality to maintain a foothold into victim organizations.
https://redcanary.com/threat-detection-report/threats/cobalt-strike/

Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.
https://www.cobaltstrike.com/

Metasploit​

Penetration testing software to help you act like the attacker

Attackers are always developing new exploits and attack methods—Metasploit penetration testing software helps you use their own weapons against them. Utilizing an ever-growing database of exploits, you can safely simulate real-world attacks on your network to train your security team to spot and stop the real thing.
https://www.rapid7.com/products/metasploit/

The rest of the most prevalent threats: TA551, Qbot (Quakbot), SocGholish, Yellow Cockatoo (SolarMarker), and Gootkit (Gootloader) could be reused in attacks against home users. The Yellow Cockatoo threat uses EXE/MSI files as an initial infection vector so it is beyond the scope of SWH. The Yellow Cockatoo (SolarMarker) uses EXE/MSI files. The older versions were not fileless, so they were beyond the scope of SWH. The recent versions described in the RedCanary Report also use EXE/MSI files, but the malicious actions are performed by the PowerShell script, so the malware is blocked by SWH (default settings).

Other threats were already analyzed and all of them could be blocked by older versions of SWH (default settings) + Defender / ConfigureDefender HIGH settings. The new versions of SWH (ver. 1.1.1.1 and later) can block these threats by the recommended settings in SWH (even without ConfigureDefender). :)(y)

Post edited.

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
547
SWH vs. TA551 phishing campaigns



But, the macro in the attack can be modified by accessing the WMI service via WinMgmts moniker to bypass the parent-child monitoring. So, one has to additionally restrict WMI (can be done in Microsoft Defender via ASR rules).

So I guess these protections, at least the first two, in OSA would mitigate this avenue of attack as well?

[screenshot: OSA WMIC settings]

Andy Ful
SWH vs. Yellow Cockatoo (SolarMarker)

In one of my previous posts, I mentioned that EXE/MSI threats are beyond the scope of SWH - such threats are not fileless malware. But in the case of the recent Yellow Cockatoo attacks, the situation is more complex. It uses an EXE/MSI file to execute a benign application (PDF Merge) and a malicious PowerShell script. SWH blocks PowerShell scripts by default so the attack can be blocked. A similar attack was analyzed in the SWH thread here:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-973934

On the contrary, the older less advanced Yellow Cockatoo (SolarMarker) attacks did not use fileless methods, so they were beyond the scope of SWH.

wat0114
On the contrary, the older less advanced Yellow Cockatoo (SolarMarker) attacks did not use fileless methods, so they were beyond the scope of SWH.

In this writeup of Yellow-cockatoo RAT, it mentions powershell being used (Detection opportunity 3) to create .lnk files in the startup directory and eventually launches a command-line script to install a malicious dll.


Wouldn't SWH stop this malicious use of powershell, or is it too late already because the executable is already installed?

EDIT

I guess RunBySmartscreen could be used in H_C to check the initial executable when launching it.

Andy Ful
In this writeup of Yellow-cockatoo RAT, it mentions powershell being used (Detection opportunity 3) to create .lnk files in the startup directory and eventually launches a command-line script to install a malicious dll.


Wouldn't SWH stop this malicious use of powershell, or is it too late already because the executable is already installed?

EDIT

I guess RunBySmartscreen could be used in H_C to check the initial executable when launching it.

This example is fileless, too. It will be blocked by SWH settings.
The malware that could not be fully blocked was the Jupyter infostealer (mentioned in the RedCanary article).

Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into a memory. This client has a well defined communication protocol, versioning matrix, and has recently included persistence modules. The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module

In the Jupyter example (precursor of Yellow Cockatoo), the first part of the attack installed the malware into memory and could get persistence. PowerShell was used in the next stage, after the machine had already been compromised. I am not sure how dangerous the first part of the attack could be, but in the current versions of Yellow Cockatoo this part is skipped and the installation is fully done via PowerShell.

wat0114
This example is fileless, too. It will be blocked by SWH settings.
The malware that could not be fully blocked was the Jupyter infostealer (mentioned in the RedCanary article).

Okay, so I guess there are different versions, some more advanced than others, of Yellow Cockatoo. Thanks.

Andy Ful
Okay, so I guess there are different versions, some more advanced than others, of Yellow Cockatoo. Thanks.
I would say that there are different versions with the tendency to be more fileless. It is hard to say if the more fileless versions are also more advanced. Simply, the AVs are better and better at detecting non-fileless malware, so the malc0ders try to adapt.
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,479
Hey, as the new SWH version requires the standalone Documents Anti-Exploit tool to work similarly to before, I need to know what the different settings do. What's ON1, ON2, Partial etc? Didn't find any explanation anywhere. Hope somebody can help. :)
Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Hey, as the new SWH version requires the standalone Documents Anti-Exploit tool to work similarly to before, I need to know what the different settings do. What's ON1, ON2, Partial etc? Didn't find any explanation anywhere. Hope somebody can help. :)
Click the green buttons (Adobe Acrobat Reader, MS Office) for more info
Also post 493 and 496 of this thread give some info.

Andy Ful
RunBySmartscreen vs. GuLoader

GuLoader is delivered via an EXE (NSIS) installer embedded in an ISO file, so it is a good example to show how RunBySmartscreen can help. This delivery method is pretty popular.

Infection chain:
Email with phishing URL ----> ISO file downloaded via URL ----> User opens ISO image ----> User opens the file, which is EXE malware instead of the expected PDF document.


Using the RunBySmartscreen tool.

Even if the ISO file is downloaded via the Edge web browser, SmartScreen will ignore it.
After the ISO (optical disc image) file is downloaded, the user opens it from the web browser and can see this:

[screenshot: File Explorer showing the contents of the mounted ISO]


At this moment (File Explorer opened) RunBySmartscreen should be used. One has to right-click the file to open the Explorer context menu and choose the "Run By SmartScreen" option (the user does not have to know what kind of file it is). This forces the EXE, MSI, COM, and SCR files to be checked by SmartScreen reputation - the safe executables are automatically executed. For other files, the info is displayed. Music files, photos, videos, etc. are automatically opened.

In the case of the malicious EXE file (like in this example) the home user will see the well known SmartScreen alert:

[screenshot: SmartScreen alert for the EXE file]


Without RunBySmartscreen, the file embedded in the ISO file will be opened without SmartScreen check.

See also another example of using RunBySmartscreen:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-980775

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,236
Is there a difference between scanning a file with Defender as opposed to running it with RunBySmartscreen? Would one be more secure then the other? As an example lets use an EXE file for a program you have just downloaded. Thanks.

Andy Ful
Is there a difference between scanning a file with Defender as opposed to running it with RunBySmartscreen?
RunBySmartscreen does not scan anything. In the case of EXE, COM, MSI, and SCR files it adds the MOTW to the file and lets Windows open it. More about the importance of MOTW:

After adding the MOTW, Windows thinks that the file has been downloaded from the Internet and the file is checked by SmartScreen for Explorer (file reputation lookup in the Microsoft cloud). Like any top file reputation, it is much safer than any AV detection. Of course, the files are also scanned/detected as usual by the AV.

RunBySmartscreen would not be needed if Windows could add MOTW to the files embedded in archives, disk images, files stored on FAT32 USB drives, and Memory cards. Even if such files have been downloaded from the Internet, Windows cannot recognize this, and SmartScreen for Explorer is not triggered.
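The Mark-of-the-Web discussed in the two posts above is nothing more than a `Zone.Identifier` alternate data stream on an NTFS file, which is why FAT32 media and the contents of archives and disk images cannot carry it. The block below is an added example, not the RunBySmartscreen tool's own code: it writes the stream the way a browser does (ZoneId=3, "Internet"), reads it back, checks whether the file system can hold it at all, and removes it again with the built-in `Unblock-File`. The `HostUrl` value and the demo file are constructed for the illustration.

```powershell
# Added example (not RunBySmartscreen's code): set, read and clear the
# Mark-of-the-Web (Zone.Identifier alternate data stream) on an NTFS file.

function Add-MarkOfTheWeb {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$HostUrl = 'about:internet'    # assumed; browsers record the real download URL here
    )
    # ZoneId 3 = Internet zone; this is what makes Explorer consult SmartScreen on launch
    $ads = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=$HostUrl`r`n"
    Set-Content -Path $Path -Stream Zone.Identifier -Value $ads -NoNewline
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $raw = Get-Content -Path $Path -Stream Zone.Identifier -Raw -ErrorAction Stop
    } catch {
        return $null                           # no stream: Windows treats the file as local
    }
    $zone = [regex]::Match($raw, 'ZoneId=(\d+)').Groups[1].Value
    [pscustomobject]@{ Path = $Path; ZoneId = [int]$zone; Raw = $raw }
}

function Test-VolumeSupportsMotw {
    # Alternate data streams need NTFS; FAT32/exFAT sticks and memory cards lose the MOTW
    param([Parameter(Mandatory)][string]$Path)
    $letter = (Get-Item -Path $Path).PSDrive.Name
    (Get-Volume -DriveLetter $letter).FileSystem -eq 'NTFS'
}

# Constructed demo: a harmless text file standing in for a downloaded executable
$demo = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -Path $demo -Value 'demo content'

"Before: " + (Get-MarkOfTheWeb $demo | Out-String)           # empty: freshly created, no MOTW
if (Test-VolumeSupportsMotw $demo) {
    Add-MarkOfTheWeb -Path $demo
    "After add: ZoneId " + (Get-MarkOfTheWeb $demo).ZoneId   # 3
    Get-Item -Path $demo -Stream *                            # lists :$DATA and Zone.Identifier
    Unblock-File -Path $demo                                  # removes the stream
    "After unblock: " + (Get-MarkOfTheWeb $demo | Out-String) # empty again
} else {
    "Volume is not NTFS; MOTW cannot be stored here"
}
Remove-Item -Path $demo
```

This also explains the post's list of cases where SmartScreen for Explorer is never triggered: a file copied out of an ISO or ZIP, or taken from a FAT32 USB stick, simply arrives without the stream, so Explorer has no reason to do the reputation lookup. Adding the stream before launching the file, as the tool does for EXE/COM/MSI/SCR, restores that check.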
