Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

[Andy Ful]

Yeah, default whitelists. Is this kernel whitelist removed after a system restart? For me, slow application startup for non-Microsoft apps is slower after every boot.

The OK mark is not removed after the restart.
Which Defender settings do you use? Is there any difference with Defender default settings?

 

[Andy Ful]

@SeriousHoax,

Post updated and edited (10 February 2024).

I made some tests and confirmed, that in WHHLight the file on the NTFS drive can get the OK mark from WDAC ISG as follows:

1. The file is executed from the Non-writable location (like most folders in %ProgramFiles%) without SmartScreen backend and ISG reputation.
   The OK mark added in this scenario is only temporary. It can survive the Windows restart, but it is usually updated up to a few hours.
   Files from the writable but whitelisted folder (like user AppData) cannot get the OK mark when executed without the SmartScreen backend and ISG reputation.
2. The file is executed and established a positive reputation from ISG without SmartScreen backend.
3. The file is an application installer downloaded from the Internet (MOTW required), executed, and accepted by SmartScreen. SmartScreen for Explorer must be enabled.
4. An application installer (see point 3) writes the file to disk - the executed file inherits a positive reputation from the installer - SmartScreen for Explorer must be enabled.
5. The file with the OK mark is moved from one location to another (the OK mark is moved with the file). The target location can also be writable.

Files with the OK mark are not checked by the ISG for several hours (the local file execution cache is used).
In scenario 1 (no file reputation), the update of the OK mark is done against the cloud.
When the positive file reputation is established or inherited, the update of the OK mark is made locally (positive file reputation is stored in the kernel).

What it means?
Let's take a folder on the Desktop with a portable application initially blocked by WDAC ISG.
When we move that folder into %ProgramFiles% and execute the application, it will be allowed.
When we move the application folder from %ProgramFiles% back to the Desktop, the application will be allowed (also after Windows restart, but not for long).
The above procedure will not work if we use the writable & whitelisted folder instead of %ProgramFiles% (the application can be blocked in the Desktop subfolder).

If the user installed the application with < WDAC > = OFF, the application files did not get the OK mark, so ISG checks them on execution after enabling WDAC.
For most users, the first execution of applications (after Windows restart) will be checked by WDAC ISG. This can cause some slowdowns when the application cannot establish or inherit a positive reputation.

Edit
The above behavior is not a general WDAC feature and depends on the concrete settings I used in the policy file.

Edit (11 February 2024)
The info is related to the setup with Smart App Control set to OFF.

 

[Andy Ful]

I performed some additional tests and had to update my previous post. The most important changes are marked in blue.

 

[SeriousHoax]

@Andy Ful Sorry for not responding in time. I didn't notice the notification.
Regarding MD settings, at the time of testing, the changes from Configure Defender High settings were, Cloud Protection was Default, cloud timeout was 60 seconds, Block persistence through WMI event subscription & Block process creations originating from PSExec and WMI commands were on, Network Protection was off.
I see that you have discovered in your testing that the whitelist is removed after some hours. So that's how it is then. For me, even the UAC app prompt for whitelisted apps like HiBit Uninstaller Portable in my E drive were slow to come on the screen the first time after turning on the PC. So, delayed response + kind of slow animation of the UAC popup displaying. Me being very speed-sensitive, it annoys me and I realized that WDAC is probably not for me. It's not your fault, of course. ISG is designed to be very strict. The SWH part of WHH is as perfect as it has always been

 

[Andy Ful]

@Andy Ful Sorry for not responding in time. I didn't notice the notification.
Me being very speed-sensitive, it annoys me and I realized that WDAC is probably not for me.

Yes, that is the price of ISG.
It would be possible to avoid those slowdowns by applying the WDAC policy without ISG (like in WHHLight ver. 1.0.0.2). So, the reputation check would be done only when using 'Run By SmartScreen'.
For now, I am not sure if adding another WDAC policy (alongside the current one) is a good or not-so-good idea. We will see.

 

[Azazel]

I had whhlight on Super Safe for three days and hadn't blocked anything. How do I know its working?

 

[wat0114]

How do I know its working?

Create a batch file on the Desktop and try to launch it. WHHL should block it and log it in the Events for SRP.

 

[Azazel]

Create a batch file on the Desktop and try to launch it. WHHL should block it and log it in the Events for SRP.

I am using only WDAC

 

[wat0114]

There's a demo video of a Default WDAC ISG setup blocking a Windows app here:



Apparently it should block most portable applications attempting to launch from non-whitelisted folders.

 

[Andy Ful]

WHHLight vs. HijackLoader / IDAT Loader (attacks performed in Summer 2023)
(Smart App Control set to OFF)

https://malwaretips.com/threads/hij...he-latest-evasion-methods.128881/post-1074714
https://thehackernews.com/2024/02/hijackloader-evolves-researchers-decode.html
https://www.crowdstrike.com/blog/hijackloader-expands-techniques/

Such attacks were done against institutions and organizations in Italy (not against home users). Anyway they include interesting attack vectors.

Attack Flow (ClearFake)
Compromised website ----> browser fake update (APPX or EXE installer) ----> HijackLoader
https://blog.sekoia.io/clearfake-a-...s-landscape/#h-malware-delivered-by-clearfake
https://www.rapid7.com/blog/post/20...der-to-execute-stealc-and-lumma-infostealers/

Attack Flow (TA544)
https://yoroi.company/en/research/innovation-in-cyber-intrusions-the-evolution-of-ta544/

The first attack via the APPX file can be stopped by SWH default settings in WHHLight (AppInstaller is disabled, so APPX files are blocked).
All samples of HijackLoader were unsigned or with malformed certificates so that SmartScreen could block them (as 0-day malware).

In the second attack, the HijackLoader (Agenzia_Entrate_2023.exe) was loaded from the SMB share (no MOTW), so it is run without SmartScreen backend. As we know, this only triggers a more restrictive ISG check & block.
Finally, the second attack also uses the DLL hijacking method (properly signed legal EXE + DLL with malformed certificate) which can be blocked by WDAC ISG.

If I would like to bypass the WHHLight, then the attack should look like this:
Compromised website ---> fake update ---> HijackLoader (EXE or MSI file) properly signed with EV certificate
Next, the attacker should additionally convince the user to bypass the WDAC, by using 'Run By SmartScreen'.

 

[Andy Ful]

I had whhlight on Super Safe for three days and hadn't blocked anything. How do I know its working?

Open WHH_Tools from Desktop. Make a copy of WindowsHybridHardeningLight_1011 in the WHH_Tools folder, and execute the copied file.

 

[Azazel]

I was able to execute it. It wasn't blocked.

 

[Andy Ful]

I was able to execute it. It wasn't blocked.

So, you did something wrong. Do you have an empty WDAC Whitelist?

 

[Azazel]

So, you did something wrong. Do you have an empty WDAC Whitelist?

yes

 

[Andy Ful]

yes

What file did you execute?
What happens when you make a copy & execute on the Desktop?

 

[Azazel]

I made a copy of WindowsHybridHardeningLight_1011 both in program data and desktop, and both executed normally.

 

[Andy Ful]

I made a copy of WindowsHybridHardeningLight_1011 both in program data and desktop, and both executed normally.

Can you post here a screenshot of the WHHLight main window?
I assume that you made a copy, instead of moving the WindowsHybridHardeningLight_1011.exe to the new location.
Are there any alerts when running WHHLight?
Which Windows version do you use?

 

[Andy Ful]

@Azazel,

Is it possible that your Smart App Control (SAC) is not set to OFF? The method I suggested works only when SAC is OFF.
I mentioned the role of SAC in the help:

When SAC is not OFF then the WDAC protection is like in SAC (ON mode). All my applications are signed, so they will be allowed by SAC. In such a case you must find the unsigned application that can be blocked by SAC.

 

[Andy Ful]

I had to add a note (Smart App Control set to OFF) to some of my posts related to blocking/mitigating the attacks in-the-wild. The term "WDAC ISG" in my posts always means that on Windows 11 the assumed setup is with the Smart App Control is set to OFF.

 

[Azazel]

Smart App Control is OFF.
When I click the copy a UAC popup appears.
There are no alerts.
I am using the latest Windows 11 version.