Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Smart App Control is OFF.
When I click the copy a UAC popup appears.
There are no alerts.
I am using the latest Windows 11 version.

Does it mean that when you run the original (not copied) WHHLight there is no UAC prompt?
 
  • Like
Reactions: simmerskool

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Smart App Control is OFF.
Since all the MS "Smart" stuff sounds familiar (at least in some way for me) it looks like this for you?
Untitled4 - Copy.jpg
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
When I run the original there is a UAC prompt. Wherever the executable is.
I can see three possibilities:
  1. The WHHLight executable has got somehow a persistent positive reputation mark. On my computer, this is a case with ver. 1.0.0.8.
  2. Some other security interferes with WHHLight.
  3. The Windows built-in WDAC is spoiled in your system.
We can test the first possibility. Please download a very old H_C installer:

Do not run the file, but open its location in Explorer. Right-click on the file, choose Properties, tick the Unblock, and press OK.

1707667669438.png


Right-click on the file, again and choose Properties. You should see the file Properties without Unblock option:

1707667731062.png


Run the file H_C_2200(x64).exe. It should be blocked.

1707667906472.png
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
WHHLight vs. Raspberry Robin
(Smart App Control set to OFF)

https://malwaretips.com/threads/ras...ccess-to-windows-exploits.128932/post-1074940
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/

The attack was dangerous due to exploiting the vulnerability that allows a local attacker to escalate privileges to SYSTEM (Local Privilege Escalation). The exploit was sold on Dark Web forums several months before Microsoft and CISA released an advisory on active exploitation.
But in this post, I focus on the initial phase of the attack to show how WHHLight could prevent the attack in the wild.

Attack flow:
1707770110306.png


Such attacks via EXE files can be blocked when < WDAC > = ON in WHHLight.
The OleView.exe is a benign executable so it will be allowed by SmartScreen and WDAC ISG. But, the malicious DLL side-loading can be blocked by WDAC ISG.

Edit.
It is worth mentioning that DLL hijacking (0-day malware) can be a challenge for Microsoft Defender, even in MAX settings. The ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" does not cover this attack vector.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
WHHLight vs. Coyote Trojan
(Smart App Control set to OFF)




Attack flow:
1707831860301.png


The new aspects of the attack start after malicious DLL side-loading. The hashes of DLLs used in the attacks are included in the Securelist article. But, the initial malware (malicious Squirrel Installer) is skipped. Anyway, I found a few initial malware files on the VitusTotal:
9c6fc9e0854eaf5a0720caab1646f48c7992f6f4051438004598af89102a49eb
096d7765f278bb0de33fbfa0a15413a2432060d09c99f15c6ca900a6a8a46365
aedffb9cf780bb52c68586ceb238fcaf90253524f06a4a338edc6437409e51c5
3cbc282c6a51edff4e762267332e1ff2a503f7ba8a7b2a10c9ff404a7bda913b

All samples are unsigned and can be blocked by SmartScreen and WDAC ISG ( < WDAC > option must be set to ON).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
WHHLight vs. DarkMe (New SmartScreen bypass, patched in February 2024).
https://malwaretips.com/threads/dar...en-zero-day-vulnerability.128999/post-1075365
https://www.trendmicro.com/en_us/re...-targets-traders-with-windows-defender-s.html

The previous patch does not cover the attack when an Internet shortcut points to another Internet shortcut.

Attack flow:
Spearphishing link -----> Compromised Server with Internet_shortcut1 on WebDav share ---> Internet_shortcut1 points to another Internet_shortcut2 -----> Internet_shortcut2 downloads/runs CMD script -----> malicious DLL downloaded and executed by LOLBin (RunDll32) ----> DLL downloads and runs secondary payloads


The attack can be prevented/mitigated as follows:
  1. If < WDAC > is set to ON, the attack can be prevented because the WDAC policy in WHHLight blocks WebDav. Furthermore, any SmartScreen bypass based on skipping MOTW can only increase the WDAC ISG protection (ISG is more restrictive without the SmartScreen backend).
  2. WHHLight can fully mitigate this attack via SWH default settings (CMD script blocked).
  3. The attack can be fully mitigated by FirewallHardening (Recommended H_C settings), because the malicious DLL runs in the context of RunDLL32, and FirewallHardening settings block outbound connections of RunDLL32.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Whhlight seems to set Smartscreen to Warn. Any possible fixes for this issue?
Where is the issue? This is a default Windows setting, but applied as a system-wide Administrator policy. You can also choose the SmartScreen Block setting in WHHLight.
WHHLight only prevents the user from turning OFF the SmartScreen.
 
  • Like
Reactions: simmerskool
A

Azazel

In DefenderUI I set Smartscreen to user and reverts to warn.
Specifically everytime I launch whhlight.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Is it possible to allow "user" and not change it.
Such a possibility is disabled intentionally in WHHLight. The 'User' setting means that the application accepts the settings applied via Windows Security Center. So, it will also accept the OFF setting applied via Security Center. The OFF setting complicates the behavior of the WHHLight protection.
Why do you prefer the 'User' setting? Do you disable SmartScreen when using the computer?
 
  • Like
Reactions: simmerskool
A

Azazel

No, I do not disable smartscreen. But I like my system to be configurable through Windows Security Center.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,414
Such a possibility is disabled intentionally in WHHLight. The 'User' setting means that the application accepts the settings applied via Windows Security Center. So, it will also accept the OFF setting applied via Security Center. The OFF setting complicates the behavior of the WHHLight protection.
Why do you prefer the 'User' setting? Do you disable SmartScreen when using the computer?
The problem is that "warn" differs from "user" that was set by the high settings of ConfigureDefender, that causes some confusion.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top