Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

L

LennyFox

Level 7
Jan 18, 2024
314
@Andy Ful I have two questions about Windows Hybrid Hardening

1. When SRP would be depreciated(rumors say with Windows12), would you consider adding hardening in WHHL using AppLocker to deny standard users running scripts?

2.Would you consider adding the option to define allow exceptions based on signature (like the WDAC wizzard offers) in WHHF (WHHFull)?
 
  • Like
Reactions: oldschool, Andy Ful, vtqhtr413 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,154
LennyFox said:
@Andy Ful I have two questions about Windows Hybrid Hardening

1. When SRP would be depreciated(rumors say with Windows12), would you consider adding hardening in WHHL using AppLocker to deny standard users running scripts?
Click to expand...

Maybe, anyway not AppLocker but rather WDAC (Administrators will be also restricted). But, we will see - the AppLocker option is also possible.
I am not sure what kind of hardening will be useful on Windows 12.

LennyFox said:
2.Would you consider adding the option to define allow exceptions based on signature (like the WDAC wizzard offers) in WHHF (WHHFull)?
Click to expand...

Probably not. It would be easy to add such an option on Windows Pro (with PowerShell), but too complicated on Windows Home.
 
Last edited:
  • Like
  • Thanks
Reactions: oldschool, vtqhtr413 and LennyFox
Pat MacKnife

Pat MacKnife

Level 15
Verified
Top Poster
Well-known
Jul 14, 2015
734
Is there a way to uninstall (delete) WHH (SWH and Wdac)? i would like to use only the Firewall hardening for now.
Edit: deleting WHH in programdata seems the way . . .
 
Last edited:
  • Like
Reactions: oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,154
Pat MacKnife said:
Is there a way to uninstall (delete) WHH (SWH and Wdac)? i would like to use only the Firewall hardening for now.
Edit: deleting WHH in programdata seems the way . . .
Click to expand...

Use the "Restore Windows Defaults" before deleting the WindowsHybridHardeningLight_1011 executable.
 
  • Like
  • Thanks
Reactions: vtqhtr413, Gandalf_The_Grey, Digmor Crusher and 2 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Hello everyone,
I installed WHHLight (I am new to this app) on top of Hard_Configurator, and I ended up a little confused: I did not see all the configuration options I was used to seeing in H_C. For instance, the list of blocked Sponsors. So I tried to run H_C, in order to see what is happening with the sponsors, and I got a message that I can run H_C only if I undo the blocking of admin processes. This blocking of admin processes seems to be a change introduced by the installation of WHHLight.
Am I doing something that is not recommended? What's the story with blocking Sponsors in WHHLight, is this feature now obsolete?
 
  • Like
Reactions: vtqhtr413 and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,154
shmu26 said:
Hello everyone,
I installed WHHLight (I am new to this app) on top of Hard_Configurator, and I ended up a little confused: I did not see all the configuration options I was used to seeing in H_C. For instance, the list of blocked Sponsors. So I tried to run H_C, in order to see what is happening with the sponsors, and I got a message that I can run H_C only if I undo the blocking of admin processes. This blocking of admin processes seems to be a change introduced by the installation of WHHLight.
Am I doing something that is not recommended? What's the story with blocking Sponsors in WHHLight, is this feature now obsolete?
Click to expand...

1712477263501.png


You have to choose which one to use. WHHLight is half H_C (with predefined settings) and half WDAC (with predefined policy).
If you want to use H_C then :
https://malwaretips.com/threads/whh...-for-windows-home-and-pro.128274/post-1081997
Next, apply H_C settings.
 
  • Like
  • +Reputation
Reactions: vtqhtr413, ErzCrz and shmu26
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
  • Like
Reactions: vtqhtr413 and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,154
shmu26 said:
So if I want to use WHHLight, can I install it on top of H_C, and then H_C/Tools/Uninstall Hard_Configurator ?
Click to expand...

WHHLight automatically reverts the H_C settings (but not ConfigurDefender, DocumentsAntiexploit, and FirewallHardening) and applies a setup similar to Windows_10_Basic_Recommended_Settings.
If you want to use WHHLight, you can keep H_C files or uninstall H_C. But, do not use WHHLight and H_C together.
 
  • Like
Reactions: vtqhtr413, shmu26 and jerzy601
wat0114

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
574
Andy Ful said:
No.
I do not think that it is necessary at home. Windows 10+ uses its own policy for that. Furthermore, Microsoft Defender can do it via the ASR rule.
Click to expand...

Sorry to press for more information on this, it's just that it made me curious, but could SRP policy be used to at least restrict in userspace? For example, adding driver file Type SYS:

Menu->SRP File Types->

WHHLSRP-Add Filetypes01.png

EDIT

of course I understand a malicious driver will probably *maybe* be installed via some kind of script which SRP protects against already.
 
Last edited:
  • Like
Reactions: Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,154
wat0114 said:
of course I understand a malicious driver will probably *maybe* be installed via some kind of script which SRP protects against already.
Click to expand...

SRP cannot effectively prevent the methods used in the wild to install drivers.
 
  • Like
  • Thanks
Reactions: vtqhtr413 and wat0114
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,154
Azazel said:
When can we expect this update?
Click to expand...

It is a plan. The NOS setting is very restrictive, so it currently blocks the WHHLight updates. I must decide between a few possibilities:
  1. Whitelist my digital certificate in WHHLight.
  2. Cooperate with Microsoft to allow whitelisting of the installer in ISG.
  3. Add the Update option.
  4. Skip the NOS setting in WHHLight.
  5. Add a similar setting in the WHH full version.
 
Last edited:
  • Like
Reactions: vtqhtr413
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,154
WHHLight vs. VenomRAT campaign (delivered via SVG attachment)

malwaretips.com

Scams & Phishing News - Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets. The email messages come with Scalable Vector...
malwaretips.com malwaretips.com
thehackernews.com

Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Cybersecurity experts uncover a sophisticated multi-stage attack! 🛡️ Malware including Venom RAT, Remcos RAT, and more deployed via invoice-themed ph
thehackernews.com thehackernews.com

Attack flow (initial phase):
Phishing email with SVG attachment -------> user opens the SVG attachment -------> ZIP archive downloaded with embedded Batch script (BatCloak) -------> user opens the archive and runs the script -------> another Batch script is created and executed (ScrubCrypt) --------> two EXE payloads are decoded/dropped/executed -------> UAC bypass + VenomRat ------> .....

The default SWH settings block the attack (Batch scripts are blocked).
The attack could be also blocked at the later infection stage because the malware uses PowerShell method invocations and types blocked by Constrained Language Mode :[Text.encoding]::UTF8.getstring()
[System.Security.Cryptography.Aes]::Create()
[System.Reflection.Assembly]::Load()
New-Object System.IO.MemoryStream
New-Object System.IO.Compression.GzipStream


The full attack includes additional malicious plugins (NanoCore, XWorm, Remcos, Stealer):

1712700849088.png
 
Last edited:
  • Like
  • +Reputation
Reactions: vtqhtr413, toto_10, Gandalf_The_Grey and 4 others
Practical Response

Practical Response

Level 8
Mar 10, 2024
359
Andy Ful said:
WHHLight vs. VenomRAT campaign (delivered via SVG attachment)

malwaretips.com

Scams & Phishing News - Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets. The email messages come with Scalable Vector...
malwaretips.com malwaretips.com
thehackernews.com

Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

Cybersecurity experts uncover a sophisticated multi-stage attack! 🛡️ Malware including Venom RAT, Remcos RAT, and more deployed via invoice-themed ph
thehackernews.com thehackernews.com

Attack flow (initial phase):
Phishing email with SVG attachment -------> user opens the SVG attachment -------> ZIP archive downloaded with embedded Batch script (BatCloak) -------> user opens the archive and runs the script -------> another Batch script is created and executed (ScrubCrypt) --------> two EXE payloads are decoded/dropped/executed -------> UAC bypass + VenomRat ------> .....

The default SWH settings block the attack (Batch scripts are blocked).
The attack could be also blocked at the later infection stage because the malware uses PowerShell method invocations and types blocked by Constrained Language Mode :[Text.encoding]::UTF8.getstring()
[System.Security.Cryptography.Aes]::Create()
[System.Reflection.Assembly]::Load()
New-Object System.IO.MemoryStream
New-Object System.IO.Compression.GzipStream


The full attack includes additional malicious plugins (NanoCore, XWorm, Remcos, Stealer):

View attachment 282702
Click to expand...
Phishing email with SVG attachment -------> users says "Nope"

User deletes email with SVG attachment

End of attack chain. 🤪
 
  • Like
  • Hundred Points
Reactions: toto_10, harlan4096 and Trident

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
22,197
Hard_Configurator Tools
South Park
South Park
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
521
General Security Discussions
Andy Ful
Andy Ful
SpyNetGirl
    • +Reputation
    • Like
    • Hundred Points
New Update Advanced Windows hardening with WDAC - Windows Defender Application Control
Replies
50
Views
6,288
Other security for Windows, Mac, Linux
SpyNetGirl
SpyNetGirl

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top