- Apr 24, 2016
- 6,632
Same hereJust to inform, all my reported "blocks" are solved now since new WHHL version 1.0.0.2
Testing Windows Hybrid Hardening (new hardening application).
- Thread starter Andy Ful
- Start date
Azazel
Level 5
- Jun 15, 2023
- 247
Since Simple Windows Hardening is discontinued, could you add the option to turn on and off policies as in old SWH.
For example, Allow AppInstaller and SMBv1.
For example, Allow AppInstaller and SMBv1.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
I plan to add such ability in WHH (full version). Does WHHLight block anything on your computer?
Azazel
Level 5
- Jun 15, 2023
- 247
A PowerShell script used by Lenovo Vantage.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
WWHLight installed on the already infected computer.
If one suspects that the computer is infected, then applying WHHLight can help identify the malware. In such a case the user should run WHHLight, switch ON the WDAC, remove all entries from the WDAC Whitelist, and restart Windows. In most cases, the malware uses files dropped for persistence in the UserSpace. These files (EXE, DLL, scripts, etc.) will be blocked. The blocked events can be seen via the < Events > blue buttons in WHHLight.
Here are some examples:
malwaretips.com
research.checkpoint.com
research.checkpoint.com
news.sophos.com
blog.morphisec.com
news.sophos.com
www.proofpoint.com
news.sophos.com
www.trustwave.com
www.cybereason.com
redcanary.com
If one suspects that the computer is infected, then applying WHHLight can help identify the malware. In such a case the user should run WHHLight, switch ON the WDAC, remove all entries from the WDAC Whitelist, and restart Windows. In most cases, the malware uses files dropped for persistence in the UserSpace. These files (EXE, DLL, scripts, etc.) will be blocked. The blocked events can be seen via the < Events > blue buttons in WHHLight.
Here are some examples:
App Review - A Raccoon Stealer Quick Dance
malwaretips.com
Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk - Check Point Research
Research by: Golan Cohen Introduction Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection chain. Previous Zloader campaigns, which were seen in 2020, used malicious documents, adult...
research.checkpoint.com
APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research
Introduction With the emergence of the Log4j security vulnerability, we’ve already seen multiple threat actors, mostly financially motivated, immediately add it to their exploitation arsenal. It comes as no surprise that some nation-sponsored actors also saw this new vulnerability as an...
research.checkpoint.com
“Gootloader” expands its payload delivery options
The Javascript-based infection framework for the Gootkit RAT increasingly delivers a wider variety of malware, including ransomware payloads, filelessly
news.sophos.com
New Threat Campaign: AsyncRAT Introduces a New Delivery Technique
Morphisec Labs identified a new threat campaign. Through a simple phishing tactic with an HTML attachment, threat attackers are delivering AsyncRAT.
blog.morphisec.com
SolarMarker campaign used novel registry changes to establish persistence
Inserting custom file handling rules for a randomly-created file extension and a .LNK in Windows’ startup folder, malware installer created a stealthy persistence mechanism for backdoor.
news.sophos.com
SunSeed Malware Targets Refugees & EU Government | Proofpoint US
Proofpoint has identified a campaign using a Lua-based malware dubbed SunSeed. Learn more about the attack with Proofpoint's in-depth report.
Qakbot injects itself into the middle of your conversations
The heavily distributed botnet delivers a wide variety of payloads – and scans your network for weaknesses
news.sophos.com
Vidar Malware Launcher Concealed in Help File | Trustwave
Appending a malicious file to an unsuspecting file format is one of the tricks our adversaries use to evade detection. Recently, we came across an interesting email campaign employing this technique to deliver the info stealer Vidar malware.
www.trustwave.com
THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems
This report provides unique insight into SocGholish and Zloader attacks and provides an overview of the common tactics and techniques in SocGholish infections...
www.cybereason.com
Gootloader - Red Canary Threat Detection Report
A common entry point for Cobalt Strike into enterprises, Gootloader made significant changes to its execution flow in 2022.
redcanary.com
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
Lenovo Vantage contains some add-ins that use PowerShell scripts. These add-ins will be blocked by the SWH option.
You must temporarily switch OFF SWH, if you need those add-ins to work.
Did you notice any useful function that could not work?
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
WWHLight installed on the already infected computer.
If one suspects that the computer is infected, then applying WHHLight can help identify the malware. In such a case the user should run WHHLight, switch ON the WDAC, remove all entries from the WDAC Whitelist, and restart Windows. In most cases, the malware uses files dropped for persistence in the UserSpace. These files (EXE, DLL, scripts, etc.) will be blocked. The blocked events can be seen via the < Events > blue buttons in WHHLight.
Here are some examples:
App Review - A Raccoon Stealer Quick Dance
Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk - Check Point Research
Research by: Golan Cohen Introduction Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infection chain. Previous Zloader campaigns, which were seen in 2020, used malicious documents, adult...APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit - Check Point Research
Introduction With the emergence of the Log4j security vulnerability, we’ve already seen multiple threat actors, mostly financially motivated, immediately add it to their exploitation arsenal. It comes as no surprise that some nation-sponsored actors also saw this new vulnerability as an...“Gootloader” expands its payload delivery options
The Javascript-based infection framework for the Gootkit RAT increasingly delivers a wider variety of malware, including ransomware payloads, filelesslyNew Threat Campaign: AsyncRAT Introduces a New Delivery Technique
Morphisec Labs identified a new threat campaign. Through a simple phishing tactic with an HTML attachment, threat attackers are delivering AsyncRAT.SolarMarker campaign used novel registry changes to establish persistence
Inserting custom file handling rules for a randomly-created file extension and a .LNK in Windows’ startup folder, malware installer created a stealthy persistence mechanism for backdoor.SunSeed Malware Targets Refugees & EU Government | Proofpoint US
Proofpoint has identified a campaign using a Lua-based malware dubbed SunSeed. Learn more about the attack with Proofpoint's in-depth report.Qakbot injects itself into the middle of your conversations
The heavily distributed botnet delivers a wide variety of payloads – and scans your network for weaknessesVidar Malware Launcher Concealed in Help File | Trustwave
Appending a malicious file to an unsuspecting file format is one of the tricks our adversaries use to evade detection. Recently, we came across an interesting email campaign employing this technique to deliver the info stealer Vidar malware.THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems
This report provides unique insight into SocGholish and Zloader attacks and provides an overview of the common tactics and techniques in SocGholish infections...Gootloader - Red Canary Threat Detection Report
A common entry point for Cobalt Strike into enterprises, Gootloader made significant changes to its execution flow in 2022.
It seems that the below WDAC Whitelist can be used to identify/block malware on the already infected computer.
Most malware stores the files for persistence in the user AppData or %ProgramData% folders and avoids AppData\Local\Temp .
All examples from my previous post could be blocked after Windows restart. It is a very easy and fast method to identify malware on computers that normally do not use the WHHLight package.
Last edited:
- Oct 3, 2022
- 402
If I toggle the top most slider to OFF, can I use my own SRP ? I like to forbid Powershell and cmd till I really need to use them.
I would like to request 2 black list option boxes, one for SRP and one for WDAC; to be added to WHH. I am dealing with my 'red team', and they don't use malware; not ones commonly detectable by anti-malware anyways, And I need to disable their favorite Windows native tools as revealed by Comodo's OpenEDR.
I would like to request 2 black list option boxes, one for SRP and one for WDAC; to be added to WHH. I am dealing with my 'red team', and they don't use malware; not ones commonly detectable by anti-malware anyways, And I need to disable their favorite Windows native tools as revealed by Comodo's OpenEDR.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
You cannot.
You can forbid PowerShell and CMD by using Windows built-in Exploit Protection. This can be easily done via the Security Center or by a simple reg tweak.
Anyway, the PowerShell and CMD are already highly restricted in WHHLight, as you can see in my post:
https://malwaretips.com/threads/tes...new-hardening-application.125082/post-1057489
Which tools?
Last edited:
@Andy Ful
Ah the old DLL Hijack case study again. With the very unrealistic scenario on how an ISO file is teleported on the PC and a fabricated LNK is used to execute CMD. Easy to prevent by blocking CMD as a lolbin or protecting LNK or blocking execution in archivers (e.g. with the ecellent Hard_Cofigurator) or blocking file extensions from archivers (e.g with the smart and problem free SimpleWindowsHardening). Quick fixes you certainly must recognize
I am not going into the WHH discussion again, took me ages to get three YES out of you. For people not understading where we were talking about the "your DLL hole is bigger than my DLL hole" must have been hilarisch to read in the WHH thread. I think it is safe to say that Andy and I agree for 95% on the subjects we discuss, but we disagree passionately on the remaining 5%. ***
So I will stick to my advice: WDAC-ISG (with H_C in WSH mode blocking lolbins) is an excellent alternative to SAC for people who are unable to use SAC (e.g. Windows10 or disabled SAC in Windows11 after evaluation). I did not tell people to use WDAC-ISG instead of SAC. I literally posted that "WDAC-ISG is the slightly dumber but more controllable and configurable sibling of SAC". When you run into a problems with SAC, using the WDAC wizzard you can make exceptions to make WDAC-ISG work where SAC does not have any options other than to turn it off.
Note ***
I think it is a pity you choose to combine SWH with WDAC in block mode in WHH, I had hoped you would have combined WDAC-ISG with H_C in SWH mode blocking LoLbins also. Kind of ironic that we disagree in thread A and in thread B, but in thread B you provide a case study which could have made us agree in thread A
Ah the old DLL Hijack case study again.
With the very unrealistic scenario on how an ISO file is teleported on the PC and a fabricated LNK is used to execute CMD. Easy to prevent by blocking CMD as a lolbin or protecting LNK or blocking execution in archivers (e.g. with the ecellent Hard_Cofigurator) or blocking file extensions from archivers (e.g with the smart and problem free SimpleWindowsHardening). Quick fixes you certainly must recognize I am not going into the WHH discussion again, took me ages to get three YES out of you. For people not understading where we were talking about the "your DLL hole is bigger than my DLL hole" must have been hilarisch to read in the WHH thread. I think it is safe to say that Andy and I agree for 95% on the subjects we discuss, but we disagree passionately on the remaining 5%. ***
So I will stick to my advice: WDAC-ISG (with H_C in WSH mode blocking lolbins) is an excellent alternative to SAC for people who are unable to use SAC (e.g. Windows10 or disabled SAC in Windows11 after evaluation). I did not tell people to use WDAC-ISG instead of SAC. I literally posted that "WDAC-ISG is the slightly dumber but more controllable and configurable sibling of SAC". When you run into a problems with SAC, using the WDAC wizzard you can make exceptions to make WDAC-ISG work where SAC does not have any options other than to turn it off.
Note ***
I think it is a pity you choose to combine SWH with WDAC in block mode in WHH, I had hoped you would have combined WDAC-ISG with H_C in SWH mode blocking LoLbins also. Kind of ironic that we disagree in thread A and in thread B, but in thread B you provide a case study which could have made us agree in thread A
Last edited by a moderator:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
The post above (made by @Max90) was moved from another thread:
malwaretips.com
@Max90
Please do not be disappointed.
I already said that both SAC and your "WDAC + ISG" setup can be good protection at home.
It is true that adding SWH to "WDAC + ISG" can (currently) prevent most DLL hijacking attacks that could be missed by "WDAC + ISG". I do not think that such a setup is (currently) worse than WHHLight.
My concerns are of different types:
I think that I fully explained my concerns, so I will not continue this topic for a while (until additional tests will be made).
Post edited.
Poll - Do you use Smart App Control? I know, not many of you!
Either Kaspersky Default Deny or Xcitium with Harmony KAV Engine
malwaretips.com
@Max90
Please do not be disappointed.
I already said that both SAC and your "WDAC + ISG" setup can be good protection at home.
It is true that adding SWH to "WDAC + ISG" can (currently) prevent most DLL hijacking attacks that could be missed by "WDAC + ISG". I do not think that such a setup is (currently) worse than WHHLight.
My concerns are of different types:
- SWH + WDAC + ISG can be mostly reproduced by WHHLight (WDAC OFF) + ConfigureDefender (MAX)
ISG requires Microsoft Defender - WHHLight does not.ISG will block many software auto-updates - WHHLight will not.
- About 40% of them were (partially) blocked by ISG in the user Temp folder.
- About 30% of applications could not be uninstalled (blocked by ISG in the user Temp folder).
I think that I fully explained my concerns, so I will not continue this topic for a while (until additional tests will be made).
Post edited.
Last edited:
@Andy Ful two questions
1. Did you use ISG with explicit allows for programs files in your test? I also have tested ISG, but only with 10 programs maximum and ISG allowed all.
2. Microsoft says WDAC works with any thrid-party security solution. Where did you read that when ISG enabled Microsoft Defender is required as AV?
1. Did you use ISG with explicit allows for programs files in your test? I also have tested ISG, but only with 10 programs maximum and ISG allowed all.
2. Microsoft says WDAC works with any thrid-party security solution. Where did you read that when ISG enabled Microsoft Defender is required as AV?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
Yes.
Testing ISG was not easy. I tested it as follows:
- Prepared over 150 executables/installers/portable applications on the flash drive (FAT 32), that were never executed on my computer with active WDAC ISG.
Keeping the executables on FAT 32 flash drive removes any MOTW. - Turned OFF Microsoft Defender real-time protection, Cloud-delivered protection, and Automatic sample submission.
- Executed files from the flash drive - almost all were blocked (~ 95%).
- Turned ON Microsoft Defender.
- Restarted the computer.
- Executed files again - about 60% were allowed.
- Turned OFF Microsoft Defender real-time protection, Cloud-delivered protection, and Automatic sample submission (like in point 2).
- Restarted the computer.
- Executed files again - about 60% were allowed, despite the fact that Microsoft Defender was disabled.
If the file were successfully executed with ISG and Microsoft Defender, this is somehow remembered in the system (at least for some time).
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
I edited my post by removing points 2 and 3. They were based on false logic.
Although ISG requires MS Defender (as my test can suggest) to work properly, WDAC + ISG works the same as WHHLight when MS Defender is disabled (files are simply blocked if not whitelisted).
In the ISG setup, one can whitelist the same folders as in WHHLight and avoid blocking auto-updates.
Post edited.
Point 2 should look as follows:
ISG can work differently whether Defender is the primary AV or 3rd party AV is installed. WHHLight will work in the same way, no matter which AV is installed.
Last edited:
I edited my post by removing points 2 and 3. They were based on false logic.
Although ISG requires MS Defender (as my test can suggest) to work properly, WDAC + ISG works the same as WHHLight when MS Defender is disabled (files are simply blocked if not whitelisted).
In the ISG setup, one can whitelist the same folders as in WHHLight and avoid blocking auto-updates.
Post edited.
Point 2 should look as follows:
ISG can work differently whether Defender is the primary AV or 3rd party AV is installed. WHHLight will work in the same way, no matter which AV is installed.
OkayPoint 1 provides similar protection (MD at max cloud protection level)
Microsoft says SAC+MD@max+SmartScreen+ISG share the same backend, but ISG is the backend with an ISG-API to be used with third-party security.
Smartscreen and SAC are home user layers around this AI-neural network. So in theory the good-bad levels (e.g. like with VoodooShield) could be adjusted differently for home use to block less.
Thanks for explaining how you tested ISG: but results differ so much from mine, could you repeat the test without Defender but with enabling the AppIDservice (as Microsoft advises).
Last edited by a moderator:
How did you tested ISG? Maybe it would help Andy Ful to see what is the difference between your/his results. //Edit for typo.
Last edited:
With the AppIDservice enabled and explicit allow rules for Windows and ProgramFiles (also x86) folders in combination with H_C in SWH mode plus lolbins blocked (enhanced).
But I only tested around 10 programs, not as many as Andy.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
It is enabled all the time.
I found out that when MS Defender is working then ISG requires Cloud-delivered protection.
That is why in my test almost everything was blocked with disabled Defender.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
I installed Avast and repeated the same test. It looks like Avast uses ISG API because the results were the same as with MS Defender (Cloud-delivered protection enabled). Installation of Avast did not stop the services required by ISG. I did not test other AVs.
After uninstalling Avast I noticed that the services required by ISG has been stopped.
Edit.
The ISG tests require using a Virtual Machine. Each test must be done on the fresh snapshot. This is required because when the file has been successfully executed in one test, the result is stored in the system and the file will be allowed also in another test (even if it would be normally blocked).
After uninstalling Avast I noticed that the services required by ISG has been stopped.
Edit.
The ISG tests require using a Virtual Machine. Each test must be done on the fresh snapshot. This is required because when the file has been successfully executed in one test, the result is stored in the system and the file will be allowed also in another test (even if it would be normally blocked).
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,176
If you will send me the links to the tested installers, I can test them against my ISG policy.
Similar threads
-
- Sticky
