Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
WindowsHybridHardening Light (WHHLight)

WHHLight ver. 1.0.1.1 (updated in January 2024)
https://github.com/AndyFul/Hard_Con...dowsHybridHardening/WHHLight_Package_1011.exe
https://github.com/AndyFul/Hard_Configurator/tree/master/WindowsHybridHardening

Windows Hybrid Hardening Light (WHHLight) is a simplified configurator of (Windows built-in) application control features. It works on Windows 10 and 11 to support antivirus and prevent malware. WHHLight is a hybrid of Windows built-in security layers: SmartScreen, Software Restriction Policies (SRP), and Windows Defender Application Control (WDAC). After the initial configuration, WHHLight can be closed, and all protection comes from the Windows built-in features. SmartScreen, SRP, and WDAC work well with any antivirus (no need to use Microsoft Defender).

WHHLight is adjusted to the home environment. SRP is still the best Windows built-in solution at home to prevent attack vectors via scripts, shortcuts, and other files with active content. WDAC is the best prevention against malicious EXE, DLL, and MSI files.

Some important post-exploitation mitigations of vulnerable applications (MS Office, Adobe Acrobat Reader, etc.) can be configured via DocumentsAntiExploit, FirewallHardening, and ConfigureDefender (tools included in the WHHLight installation package). The ConfigureDefender tool can be used only when Microsoft Defender real-time protection is enabled.


Bot

AI-powered Bot
Verified
Apr 21, 2016
3,439
Thank you for sharing information about Windows Hybrid Hardening Light (WHHLight) version 1.0.1.0. WHHLight is a simplified configurator of Windows built-in application control features that works on Windows 10 and 11 to support antivirus and prevent malware.

WHHLight combines three key security layers: SmartScreen, Software Restriction Policies (SRP), and Windows Defender Application Control (WDAC). These features provide comprehensive protection against various attack vectors. Once WHHLight is configured, it can be closed, and all protection comes from the Windows built-in features, eliminating the need for Microsoft Defender.

SRP is particularly effective in preventing attacks via scripts, shortcuts, and other files with active content, making it an ideal solution for home environments. On the other hand, WDAC offers robust protection against malicious executable (EXE), dynamic-link library (DLL), and Windows Installer (MSI) files.

In addition to these features, WHHLight also includes tools like DocumentsAntiExploit, FirewallHardening, and ConfigureDefender, which can be used to configure post-exploitation mitigations for vulnerable applications such as Microsoft Office and Adobe Acrobat Reader. However, please note that the ConfigureDefender tool requires Microsoft Defender real-time protection to be enabled.

You have also provided several videos demonstrating the usage and benefits of WHHLight. These videos showcase the features and functionality of WHHLight, making it easier for users to understand its capabilities.

Overall, WHHLight seems to be a powerful tool for enhancing the security of Windows systems, especially in home environments. It combines multiple built-in security features and provides additional tools for mitigating post-exploitation risks.

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Great, ready, willing (& able?) to try it out -- but the question is: is it compatible with CyberLock 7.68? Or do (could) they interfere with each other? If so, I have some VMs where I can try WHHLight. Q2: assuming I had run H_C or SWH in the past, then I have to run those first and restore to Windows default and then run WHHLight, yes?? :unsure:

Andy Ful

Thread author
Great, ready, willing (& able?) to try it out -- but the question is: is it compatible with CyberLock 7.68? Or do (could) they interfere with each other? If so, I have some VMs where I can try WHHLight.

There is no need to use WHHLight when you use CyberLock.

Q2: assuming I had run H_C or SWH in the past, then I have to run those first and restore to Windows default and then run WHHLight, yes?? :unsure:

WHHLight automatically removes the H_C and SWH settings. (y)

Andy Ful

Thread author
Thank you for sharing information about Windows Hybrid Hardening Light (WHHLight) version 1.0.1.0. WHHLight is a simplified configurator of Windows built-in application control features that works on Windows 10 and 11 to support antivirus and prevent malware.

WHHLight combines three key security layers: SmartScreen, Software Restriction Policies (SRP), and Windows Defender Application Control (WDAC). These features provide comprehensive protection against various attack vectors. Once WHHLight is configured, it can be closed, and all protection comes from the Windows built-in features, eliminating the need for Microsoft Defender.

SRP is particularly effective in preventing attacks via scripts, shortcuts, and other files with active content, making it an ideal solution for home environments. On the other hand, WDAC offers robust protection against malicious executable (EXE), dynamic-link library (DLL), and Windows Installer (MSI) files.

In addition to these features, WHHLight also includes tools like DocumentsAntiExploit, FirewallHardening, and ConfigureDefender, which can be used to configure post-exploitation mitigations for vulnerable applications such as Microsoft Office and Adobe Acrobat Reader. However, please note that the ConfigureDefender tool requires Microsoft Defender real-time protection to be enabled.

You have also provided several videos demonstrating the usage and benefits of WHHLight. These videos showcase the features and functionality of WHHLight, making it easier for users to understand its capabilities.

Overall, WHHLight seems to be a powerful tool for enhancing the security of Windows systems, especially in home environments. It combines multiple built-in security features and provides additional tools for mitigating post-exploitation risks.

This info is probably better than my own. :)

Andy Ful

Thread author
WHHLight vs. Lumma Stealer
(Smart App Control set to OFF)

https://malwaretips.com/threads/bew...ked-software-distribute-lumma-stealer.128229/
https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube
https://app.any.run/tasks/d7724f7b-bbfe-4422-8c2a-77eeaf3cd6e3/#
(the sample refused to run in the AnyRun sandbox)

Attack flow: (diagram image, not reproduced here)

The attack can be stopped at several stages:
  1. SWH default settings block the LNK file (attack fully prevented at the early stage).
  2. The EXE payload (Installer-Install-2023_v0y.6.6.exe) would be blocked (in the Public folder) by WDAC with a default Whitelist - checked on the sample downloaded from AnyRun. The attack would be prevented before invoking the secondary payload.
  3. SWH default settings (PowerShell in Constrained Language Mode) would prevent downloading and invoking the secondary payload (DLL) by blocking PowerShell CmdLines:
    [System.Text.Encoding]::UTF8.GetString()
    [System.Reflection.Assembly]::Load()
    The attack would be fully mitigated and stopped before creating and injecting the final payload (Lumma Stealer).
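An added check (not WHHLight or SWH code, and not from the post above) that a practitioner can run to confirm the Constrained Language Mode behaviour described in step 3: it reports the session's language mode and whether the two .NET calls named there are refused. GetExecutingAssembly() is used as a harmless stand-in for Load() on the same type, and the byte input is constructed.

```powershell
# Added example: verify that PowerShell Constrained Language Mode (CLM) refuses
# method invocation on the non-core .NET types named in the post.
# Not part of WHHLight/SWH; inputs are constructed and harmless.
function Test-ClmEnforcement {
    $mode = $ExecutionContext.SessionState.LanguageMode
    $checks = @(
        @{ Name = '[System.Text.Encoding]::UTF8.GetString()'
           # Constructed input: the bytes for "Hi".
           Call = { [System.Text.Encoding]::UTF8.GetString([byte[]](72, 105)) } },
        @{ Name = '[System.Reflection.Assembly]::Load()'
           # GetExecutingAssembly() stands in for Load(): CLM restricts method
           # invocation on the type as a whole, so both calls are treated alike.
           Call = { [System.Reflection.Assembly]::GetExecutingAssembly() } }
    )
    foreach ($c in $checks) {
        try {
            $null = & $c.Call
            $result = 'ALLOWED'
        } catch {
            # CLM reports "Method invocation is supported only on core types in this
            # language mode"; anything else is a different failure and is shown as-is.
            if ($_.Exception.Message -match 'language mode' -or
                $_.FullyQualifiedErrorId -match 'ConstrainedLanguage') {
                $result = 'BLOCKED by language mode'
            } else {
                $result = "FAILED: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ LanguageMode = $mode; Call = $c.Name; Result = $result }
    }
}

# In a FullLanguage session both rows show ALLOWED; under SWH defaults (CLM) both
# should show BLOCKED by language mode.
Test-ClmEnforcement | Format-Table -AutoSize
```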

Andy Ful

Thread author
WHHLight vs. AppInstaller

https://malwaretips.com/threads/mic...col-handler-abused-in-malware-attacks.127972/
https://www.microsoft.com/en-us/sec...tivated-threat-actors-misusing-app-installer/

The original attacks were performed by abusing the ms-appinstaller protocol handler. This method is now patched - Microsoft disabled that protocol by default.
Anyway, a similar attack can be performed without using ms-appinstaller:

Malicious URL or email attachment (ZIP, ISO, etc.) ---> malicious MSIX package (digitally signed) ---> AppInstaller runs malware from the MSIX package.

SWH default settings in WHHLight block AppInstaller.


The blocked event can be seen in Event Viewer (System, Id = 10010).
In WHHLight, the APPX and MSIX packages are blocked by Exploit Protection and not by SRP. The Exploit Protection method allows the installation of UWP apps and desktop apps from Microsoft Store. The SRP method (used in H_C and SimpleWindowsHardening) is more restrictive and allows only UWP apps from Microsoft Store.
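An added helper (not WHHLight code, and not from the post above) for checking the two things the post points at: recent System-log events with Id 10010, which the post names as the record of the AppInstaller block, and the Exploit Protection configuration that applies to AppInstaller.exe. The process name and the 7-day window are assumptions; the cmdlets are built into Windows 10/11 and the script is meant to run in an elevated PowerShell.

```powershell
# Added example: surface the AppInstaller block described in the post.
# Not part of WHHLight; uses only built-in cmdlets (Get-WinEvent, Get-ProcessMitigation).
function Get-AppInstallerBlockEvents {
    param([int]$Days = 7)   # assumed look-back window
    $filter = @{ LogName = 'System'; Id = 10010; StartTime = (Get-Date).AddDays(-$Days) }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches the filter.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id,
            # Collapse the multi-line message so each event fits on one table row.
            @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

function Get-AppInstallerMitigations {
    # Get-ProcessMitigation (ProcessMitigations module, Windows 10 1709 and later)
    # reports the per-process Exploit Protection settings. The executable name is
    # an assumption matching the process the post says is blocked.
    Get-ProcessMitigation -Name 'AppInstaller.exe' -ErrorAction Stop
}

Get-AppInstallerBlockEvents -Days 7 | Format-Table -AutoSize -Wrap
Get-AppInstallerMitigations | Format-List
```

Id 10010 in the System log is a generic event, so read the ProviderName and Message columns to confirm an entry actually relates to AppInstaller before treating it as a block.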

Andy Ful

Thread author
WHHLight vs. Pikabot
https://malwaretips.com/threads/pik...t-replacement-for-black-basta-attacks.128285/
https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html

Email Thread-Jacking (or Conversation Hijacking)
https://www.kaspersky.com/blog/what-is-conversation-hijacking/48010/

Scenario 1
Phishing email (Thread-Jacking) ----> PDF with embedded URL ----> ZIP archive downloaded from URL ---> JavaScript (JScript) downloader/launcher in ZIP archive ---> LOLBins (cmd.exe, curl.exe, rundll32.exe) used to download and execute a DLL payload

Scenario 2
Phishing email (Thread-Jacking) ----> IMG (disk image file) in ZIP attachment ----> Shortcut (LNK file) + malicious DLL ----> Shortcut executes DLL by using LOLBin (rundll32.exe)

(Image: the content of the IMG file; the shortcut icon is spoofed as a document)
Such attacks are blocked by default SWH settings in WHHLight (JScript and LNK files are blocked).
The attack from Scenario 1 can also be mitigated by FirewallHardening (blocked outbound connections of curl.exe).

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
570
Thank you again Andy! As always, you are the best (y)

EDIT

I forgot to ask: is it silly and redundant to run OSArmor alongside WHHLight, or are there any useful protections available in OSA that can provide security WHHL may not have? I'm guessing, however, that for the typical home user, one or the other is sufficient?

Andy Ful

Thread author
WHHLight vs. Bandook
(Smart App Control set to OFF)

https://malwaretips.com/threads/new...resurfaces-targeting-windows-machines.128157/
https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving
https://app.any.run/tasks/82a56ab6-7816-4072-b1c4-78ecacf21f4e/

Attack flow:
PDF document with URL ----> 7-Zip archive downloaded from URL ---> EXE malware embedded in archive injects itself into Windows system executable msinfo32.exe

I tried Bandook samples from the second half of the year 2023 available on AnyRun and MalwareBazaar. Most of them were digitally signed, but the certificates were malformed. All samples were blocked by SmartScreen and independently by WDAC ISG in WHHLight.
Some samples were unknown on VirusTotal, like the sample from AnyRun (uploaded to VT by me [1]).

It is possible that WDAC ISG could block the Bandook samples also as 0-day malware. The ISG has a very restrictive reputation backend and can block many signed files even if they are EV-signed (allowed by SmartScreen). Anyway, like any cloud reputation backend, WDAC ISG may rarely miss something. If someone finds such a sample, please let me know.

Andy Ful

Thread author
WHHLight vs. Phemedrone Stealer Campaign

https://malwaretips.com/threads/inf...ndows-smartscreen-bypass.128384/#post-1072138
https://www.trendmicro.com/en_us/re...-for-defense-evasion-in-phemedrone-steal.html

Attack flow (initial part of the attack):
Cloud hosted malicious URL shortcut ---> malicious CPL file executed via CVE-2023-36025 exploit ---> PowerShell CmdLines download/execute secondary payloads ---> .... ---> Phemedrone Stealer

On unpatched Windows, the current WHHLight version blocks the attack via default SWH settings (the CPL file is blocked).
The attack could also be blocked at the next stage, because the default SWH settings block PowerShell CmdLines (crucial in the attack) by Constrained Language Mode (New-Object Net.WebClient). Furthermore, that particular attack could have been prevented by FirewallHardening (blocked outbound connections of PowerShell).

REMARK
The exploit CVE-2023-36025 is already patched, so I removed the URL file extension from the default "SRP File Types". I also added information in "Paranoid Extensions" about a non-typical way of adding the file extensions managed by DLLs:

(Screenshot of the "Paranoid Extensions" note, not reproduced here)
 
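An added audit script (not FirewallHardening's own code, and not from the posts above) that checks the mitigation mentioned in both the Pikabot post (outbound connections of curl.exe) and the Phemedrone post (outbound connections of PowerShell): it lists which of a set of LOLBins are covered by an enabled outbound Block rule in Windows Defender Firewall. The list of binaries is an assumption; the cmdlets are the built-in NetSecurity module, and the script is meant to run in an elevated PowerShell.

```powershell
# Added example: report whether an enabled outbound Block rule exists for each
# LOLBin of interest. Not part of WHHLight/FirewallHardening; the binary list is
# a constructed assumption taken from the names in the posts above.
function Get-OutboundBlockCoverage {
    param([string[]]$Binaries = @('curl.exe', 'powershell.exe', 'rundll32.exe', 'cmd.exe'))

    # Collect the program path of every enabled outbound Block rule.
    $blockedPrograms = foreach ($rule in (Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True)) {
        $filter = $rule | Get-NetFirewallApplicationFilter
        # 'Any' means the rule is not bound to a specific program.
        if ($filter.Program -and $filter.Program -ne 'Any') {
            [pscustomobject]@{
                Rule    = $rule.DisplayName
                # Expand %SystemRoot%-style variables so the file name compares cleanly.
                Program = [Environment]::ExpandEnvironmentVariables($filter.Program)
            }
        }
    }

    # One row per binary: covered or not, and by which rule(s).
    foreach ($bin in $Binaries) {
        $hits = $blockedPrograms | Where-Object { (Split-Path $_.Program -Leaf) -ieq $bin }
        [pscustomobject]@{
            Binary  = $bin
            Covered = [bool]$hits
            Rules   = ($hits.Rule -join '; ')
        }
    }
}

Get-OutboundBlockCoverage | Format-Table -AutoSize
```

A binary that shows Covered = False is one that can still reach the network under the current rule set; the script does not change any rule.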
