Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

ForgottenSeer 107474

@Andy Ful I have two questions about Windows Hybrid Hardening

1. When SRP is deprecated (rumors say with Windows 12), would you consider adding hardening in WHHL using AppLocker to deny standard users running scripts?

2. Would you consider adding the option to define allow exceptions based on signature (like the WDAC wizard offers) in WHHF (WHHFull)?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,194
@Andy Ful I have two questions about Windows Hybrid Hardening

1. When SRP is deprecated (rumors say with Windows 12), would you consider adding hardening in WHHL using AppLocker to deny standard users running scripts?

Maybe; anyway, not AppLocker but rather WDAC (Administrators will also be restricted). But we will see - the AppLocker option is also possible.
I am not sure what kind of hardening will be useful on Windows 12.

2. Would you consider adding the option to define allow exceptions based on signature (like the WDAC wizard offers) in WHHF (WHHFull)?

Probably not. It would be easy to add such an option on Windows Pro (with PowerShell), but too complicated on Windows Home.
 

Pat MacKnife

Level 15
Verified
Top Poster
Well-known
Jul 14, 2015
743
Is there a way to uninstall (delete) WHH (SWH and WDAC)? I would like to use only the Firewall hardening for now.
Edit: deleting WHH in ProgramData seems to be the way...
 

Andy Ful

Is there a way to uninstall (delete) WHH (SWH and WDAC)? I would like to use only the Firewall hardening for now.
Edit: deleting WHH in ProgramData seems to be the way...

Use the "Restore Windows Defaults" before deleting the WindowsHybridHardeningLight_1011 executable.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Hello everyone,
I installed WHHLight (I am new to this app) on top of Hard_Configurator, and I ended up a little confused: I did not see all the configuration options I was used to seeing in H_C, for instance the list of blocked Sponsors. So I tried to run H_C, in order to see what is happening with the sponsors, and I got a message that I can run H_C only if I undo the blocking of admin processes. This blocking of admin processes seems to be a change introduced by the installation of WHHLight.
Am I doing something that is not recommended? What's the story with blocking Sponsors in WHHLight? Is this feature now obsolete?
 

Andy Ful

Hello everyone,
I installed WHHLight (I am new to this app) on top of Hard_Configurator, and I ended up a little confused: I did not see all the configuration options I was used to seeing in H_C, for instance the list of blocked Sponsors. So I tried to run H_C, in order to see what is happening with the sponsors, and I got a message that I can run H_C only if I undo the blocking of admin processes. This blocking of admin processes seems to be a change introduced by the installation of WHHLight.
Am I doing something that is not recommended? What's the story with blocking Sponsors in WHHLight? Is this feature now obsolete?


You have to choose which one to use. WHHLight is half H_C (with predefined settings) and half WDAC (with predefined policy).
If you want to use H_C, then:
https://malwaretips.com/threads/whh...-for-windows-home-and-pro.128274/post-1081997
Next, apply H_C settings.
 

shmu26


Andy Ful

So if I want to use WHHLight, can I install it on top of H_C, and then H_C/Tools/Uninstall Hard_Configurator?

WHHLight automatically reverts the H_C settings (but not ConfigureDefender, DocumentsAntiexploit, and FirewallHardening) and applies a setup similar to Windows_10_Basic_Recommended_Settings.
If you want to use WHHLight, you can keep the H_C files or uninstall H_C. But do not use WHHLight and H_C together.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
575
No.
I do not think that it is necessary at home. Windows 10+ uses its own policy for that. Furthermore, Microsoft Defender can do it via the ASR rule.

Sorry to press for more information on this; it's just that it made me curious. But could an SRP policy be used to at least restrict in userspace? For example, adding the driver file type SYS:

Menu->SRP File Types->


EDIT: of course I understand a malicious driver will probably *maybe* be installed via some kind of script, which SRP protects against already.
 

Andy Ful

Of course I understand a malicious driver will probably *maybe* be installed via some kind of script, which SRP protects against already.

SRP cannot effectively prevent the methods used in the wild to install drivers.
 

Andy Ful

When can we expect this update?

It is a plan. The NOS setting is very restrictive, so it currently blocks the WHHLight updates. I must decide between a few possibilities:
  1. Whitelist my digital certificate in WHHLight.
  2. Cooperate with Microsoft to allow whitelisting of the installer in ISG.
  3. Add the Update option.
  4. Skip the NOS setting in WHHLight.
  5. Add a similar setting in the WHH full version.
 

Andy Ful

WHHLight vs. VenomRAT campaign (delivered via SVG attachment)


Attack flow (initial phase):
Phishing email with SVG attachment -------> user opens the SVG attachment -------> ZIP archive downloaded with embedded Batch script (BatCloak) -------> user opens the archive and runs the script -------> another Batch script is created and executed (ScrubCrypt) --------> two EXE payloads are decoded/dropped/executed -------> UAC bypass + VenomRat ------> .....

The default SWH settings block the attack (Batch scripts are blocked).

The attack could also be blocked at a later infection stage, because the malware uses PowerShell method invocations and types that are blocked by Constrained Language Mode:
  • [Text.encoding]::UTF8.getstring()
  • [System.Security.Cryptography.Aes]::Create()
  • [System.Reflection.Assembly]::Load()
  • New-Object System.IO.MemoryStream
  • New-Object System.IO.Compression.GzipStream


The full attack includes additional malicious plugins (NanoCore, XWorm, Remcos, Stealer):

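The PowerShell script below is an added example, not code from the thread or from WHHLight/Hard_Configurator: it probes the five invocations listed in the post above and reports which of them the current session's language mode rejects, so a defender can confirm on a given machine that Constrained Language Mode actually stops these calls. The function name Test-ClmProbe and the sample arguments are my own choices.

```powershell
# Added example (not from the thread, WHHLight or Hard_Configurator).
# Probes the PowerShell invocations quoted in the post and reports which
# ones Constrained Language Mode (CLM) rejects. To test under CLM from a
# FullLanguage session, first run:
#   $ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
# (the mode can be lowered in-session, but not raised again).
function Test-ClmProbe {
    [CmdletBinding()]
    param()

    $mode = $ExecutionContext.SessionState.LanguageMode

    # Arguments are constructed so that each call succeeds in FullLanguage mode.
    $probes = [ordered]@{
        '[Text.Encoding]::UTF8.GetString()'            = { [Text.Encoding]::UTF8.GetString([byte[]](72, 105)) }
        '[System.Security.Cryptography.Aes]::Create()' = { [System.Security.Cryptography.Aes]::Create() }
        '[System.Reflection.Assembly]::Load()'         = { [System.Reflection.Assembly]::Load([object].Assembly.FullName) }
        'New-Object System.IO.MemoryStream'            = { New-Object System.IO.MemoryStream }
        'New-Object System.IO.Compression.GzipStream'  = {
            $ms = New-Object System.IO.MemoryStream
            New-Object System.IO.Compression.GZipStream -ArgumentList $ms, 'Compress'
        }
    }

    foreach ($name in $probes.Keys) {
        $status = 'allowed'
        $detail = ''
        try {
            $null = & $probes[$name]
        } catch {
            $detail = $_.Exception.Message
            # CLM rejections say "... supported only on core types in this
            # language mode."; any other exception is unrelated to CLM.
            if ($detail -match 'language mode') { $status = 'blocked by CLM' }
            else { $status = 'failed (not CLM)' }
        }
        [pscustomobject]@{
            LanguageMode = $mode
            Invocation   = $name
            Result       = $status
            Detail       = $detail
        }
    }
}

Test-ClmProbe | Format-Table -AutoSize
```

Run it once in a normal session and once after lowering the mode to ConstrainedLanguage; the Result column shows which of the quoted calls CLM blocks on that host.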
Mar 10, 2024
460
WHHLight vs. VenomRAT campaign (delivered via SVG attachment)


Attack flow (initial phase):
Phishing email with SVG attachment -------> user opens the SVG attachment -------> ZIP archive downloaded with embedded Batch script (BatCloak) -------> user opens the archive and runs the script -------> another Batch script is created and executed (ScrubCrypt) --------> two EXE payloads are decoded/dropped/executed -------> UAC bypass + VenomRat ------> .....

The default SWH settings block the attack (Batch scripts are blocked).

The attack could also be blocked at a later infection stage, because the malware uses PowerShell method invocations and types that are blocked by Constrained Language Mode:
  • [Text.encoding]::UTF8.getstring()
  • [System.Security.Cryptography.Aes]::Create()
  • [System.Reflection.Assembly]::Load()
  • New-Object System.IO.MemoryStream
  • New-Object System.IO.Compression.GzipStream


The full attack includes additional malicious plugins (NanoCore, XWorm, Remcos, Stealer):

Phishing email with SVG attachment -------> user says "Nope"

User deletes email with SVG attachment

End of attack chain. 🤪
 
