Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

[Andy Ful]

Smart App Control is OFF.
When I click the copy a UAC popup appears.
There are no alerts.
I am using the latest Windows 11 version.

Does it mean that when you run the original (not copied) WHHLight there is no UAC prompt?

 

[Azazel]

When I run the original there is a UAC prompt. Wherever the executable is.

 

[Freki123]

Smart App Control is OFF.

Since all the MS "Smart" stuff sounds familiar (at least in some way for me) it looks like this for you?

 

[Azazel]

Since all the MS "Smart" stuff sounds familiar (at least in some way for me) it looks like this for you?
View attachment 281507

yes

 

[Andy Ful]

When I run the original there is a UAC prompt. Wherever the executable is.

I can see three possibilities:

1. The WHHLight executable has got somehow a persistent positive reputation mark. On my computer, this is a case with ver. 1.0.0.8.
2. Some other security interferes with WHHLight.
3. The Windows built-in WDAC is spoiled in your system.

We can test the first possibility. Please download a very old H_C installer:

https://github.com/AndyFul/Hard_Configurator---polska-wersja/raw/master/H_C_2200(x64).exe

Do not run the file, but open its location in Explorer. Right-click on the file, choose Properties, tick the Unblock, and press OK.

Right-click on the file, again and choose Properties. You should see the file Properties without Unblock option:

Run the file H_C_2200(x64).exe. It should be blocked.

 

[Azazel]

It was blocked by WDAC.

 

[Andy Ful]

It was blocked by WDAC.

That is OK.

 

[Azazel]

That is OK.

So it's working properly?

 

[Andy Ful]

So it's working properly?

Yes.

 

[Andy Ful]

WHHLight vs. Raspberry Robin
(Smart App Control set to OFF)
https://malwaretips.com/threads/ras...ccess-to-windows-exploits.128932/post-1074940
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/

The attack was dangerous due to exploiting the vulnerability that allows a local attacker to escalate privileges to SYSTEM (Local Privilege Escalation). The exploit was sold on Dark Web forums several months before Microsoft and CISA released an advisory on active exploitation.
But in this post, I focus on the initial phase of the attack to show how WHHLight could prevent the attack in the wild.

Attack flow:

Such attacks via EXE files can be blocked when < WDAC > = ON in WHHLight.
The OleView.exe is a benign executable so it will be allowed by SmartScreen and WDAC ISG. But, the malicious DLL side-loading can be blocked by WDAC ISG.

Edit.
It is worth mentioning that DLL hijacking (0-day malware) can be a challenge for Microsoft Defender, even in MAX settings. The ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" does not cover this attack vector.

 

[Andy Ful]

WHHLight vs. Coyote Trojan
(Smart App Control set to OFF)

Malware News - New Coyote Trojan Targets 61 Brazilian Banks with Nim-Powered Attack

Sixty-one banking institutions, all of them originating from Brazil, are the target of a new banking trojan called Coyote. "This malware utilizes the Squirrel installer for distribution, leveraging Node.js and a relatively new multi-platform programming language called Nim as a loader to...

malwaretips.com

Coyote: A multi-stage banking Trojan abusing the Squirrel installer

We will delve into the workings of the infection chain and explore the capabilities of the new Trojan that specifically targets users of more than 60 banking institutions, mainly from Brazil.

securelist.com

Attack flow:

The new aspects of the attack start after malicious DLL side-loading. The hashes of DLLs used in the attacks are included in the Securelist article. But, the initial malware (malicious Squirrel Installer) is skipped. Anyway, I found a few initial malware files on the VitusTotal:
9c6fc9e0854eaf5a0720caab1646f48c7992f6f4051438004598af89102a49eb
096d7765f278bb0de33fbfa0a15413a2432060d09c99f15c6ca900a6a8a46365
aedffb9cf780bb52c68586ceb238fcaf90253524f06a4a338edc6437409e51c5
3cbc282c6a51edff4e762267332e1ff2a503f7ba8a7b2a10c9ff404a7bda913b

All samples are unsigned and can be blocked by SmartScreen and WDAC ISG ( < WDAC > option must be set to ON).

 

[Azazel]

Whhlight seems to set Smartscreen to Warn. Any possible fixes for this issue?

 

[Andy Ful]

WHHLight vs. DarkMe (New SmartScreen bypass, patched in February 2024).
https://malwaretips.com/threads/dar...en-zero-day-vulnerability.128999/post-1075365
https://www.trendmicro.com/en_us/re...-targets-traders-with-windows-defender-s.html

The previous patch does not cover the attack when an Internet shortcut points to another Internet shortcut.

Attack flow:
Spearphishing link -----> Compromised Server with Internet_shortcut1 on WebDav share ---> Internet_shortcut1 points to another Internet_shortcut2 -----> Internet_shortcut2 downloads/runs CMD script -----> malicious DLL downloaded and executed by LOLBin (RunDll32) ----> DLL downloads and runs secondary payloads

The attack can be prevented/mitigated as follows:

1. If < WDAC > is set to ON, the attack can be prevented because the WDAC policy in WHHLight blocks WebDav. Furthermore, any SmartScreen bypass based on skipping MOTW can only increase the WDAC ISG protection (ISG is more restrictive without the SmartScreen backend).
2. WHHLight can fully mitigate this attack via SWH default settings (CMD script blocked).
3. The attack can be fully mitigated by FirewallHardening (Recommended H_C settings), because the malicious DLL runs in the context of RunDLL32, and FirewallHardening settings block outbound connections of RunDLL32.

 

[Andy Ful]

Whhlight seems to set Smartscreen to Warn. Any possible fixes for this issue?

Where is the issue? This is a default Windows setting, but applied as a system-wide Administrator policy. You can also choose the SmartScreen Block setting in WHHLight.
WHHLight only prevents the user from turning OFF the SmartScreen.

 

[Azazel]

In DefenderUI I set Smartscreen to user and reverts to warn.
Specifically everytime I launch whhlight.

 

[Andy Ful]

In DefenderUI I set Smartscreen to user and reverts to warn.

So do not change the "Warn" setting and everything will be OK.

 

[Azazel]

Is it possible to allow "user" and not change it.

 

[Andy Ful]

Is it possible to allow "user" and not change it.

Such a possibility is disabled intentionally in WHHLight. The 'User' setting means that the application accepts the settings applied via Windows Security Center. So, it will also accept the OFF setting applied via Security Center. The OFF setting complicates the behavior of the WHHLight protection.
Why do you prefer the 'User' setting? Do you disable SmartScreen when using the computer?

 

[Azazel]

No, I do not disable smartscreen. But I like my system to be configurable through Windows Security Center.

 

[Gandalf_The_Grey]

Such a possibility is disabled intentionally in WHHLight. The 'User' setting means that the application accepts the settings applied via Windows Security Center. So, it will also accept the OFF setting applied via Security Center. The OFF setting complicates the behavior of the WHHLight protection.
Why do you prefer the 'User' setting? Do you disable SmartScreen when using the computer?

The problem is that "warn" differs from "user" that was set by the high settings of ConfigureDefender, that causes some confusion.