Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
:) Thanks for this explanation, I will remove it from the whitelist. I had not realized this. It is a simple application to print restaurant menus. It stores the user preferences in an ini file (old-school, Windows 3.1-like), but those settings are set and forget.

Could you explain why you chose to enable the SRP settings also for admins?

In WHHLight the EXE/MSI files are ignored by SRP (with some exceptions for email clients and archiver apps).
When EXE/MSI files are allowed in SRP, the enforcement can be applied safely also for Administrators.
 

LennyFox

Level 7
Jan 18, 2024
307
In WHHLight the EXE/MSI files are ignored by SRP (with some exceptions for email clients and archiver apps).
When EXE/MSI files are allowed in SRP, the enforcement can be applied safely also for Administrators.
Thanks, so Windows itself does not use ps1 or cmd scripts anymore (y)

I looked the SRP rules up in the registry and I noticed you added a lot of rules to block executables of archiver apps and some unknown applications (but I guess they are email clients). Smart trick to add them so many subfolders deep. By applying the rules also for admins, these threat gates are hard-locked (y)
 
Last edited:
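The exchange above (SRP enforced for administrators, and rules located by reading the registry) can be audited from an elevated PowerShell session. The script below is an added example and is not part of WHHLight or Hard_Configurator; it assumes only the standard registry location that Software Restriction Policies use (`HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`), where `PolicyScope` records whether local administrators are exempt and each path rule stores its path in `ItemData`.

```powershell
# Added example (not WHHLight code): summarize the SRP policy written to the registry.
# Assumption: the machine uses the default SRP registry location shown below.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Safer level IDs as stored in DefaultLevel and as the names of the rule subkeys.
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    if (-not (Test-Path -Path $base)) { Write-Warning 'No SRP policy present.'; return }
    $p = Get-ItemProperty -Path $base
    [pscustomobject]@{
        DefaultLevel    = if ($null -ne $p.DefaultLevel) { $levelNames[[int]$p.DefaultLevel] } else { 'not set' }
        # PolicyScope: 0 = all users (administrators included), 1 = all users except local administrators
        AppliesToAdmins = ($p.PolicyScope -eq 0)
        # TransparentEnabled: 1 = all software files except DLLs, 2 = all software files including DLLs
        EnforceDlls     = ($p.TransparentEnabled -eq 2)
        ExecutableTypes = ($p.ExecutableTypes -join ', ')
    }
}

function Get-SrpPathRules {
    # Each security level subkey (e.g. "0" for Disallowed) holds a "Paths" subkey with one GUID per rule.
    foreach ($level in Get-ChildItem -Path $base) {
        if ($level.PSChildName -notmatch '^\d+$') { continue }
        $levelId  = [int]$level.PSChildName
        $pathsKey = Join-Path -Path $level.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $d = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $levelNames[$levelId]
                Path        = $d.ItemData
                Description = $d.Description
            }
        }
    }
}

Get-SrpSummary
Get-SrpPathRules | Sort-Object -Property Level, Path | Format-Table -AutoSize
```

`AppliesToAdmins` is the value the question above is about: `$true` means the rules are enforced for administrators as well. The path-rule listing is where the deeply nested archiver and email-client paths show up, so it is a quick way to confirm what a configurator actually wrote without trusting its GUI.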

pxxb1

Level 9
Verified
Well-known
Jan 17, 2018
440

Well, I saw that but thought that meant that those 2 programs were "in" H_C. Which leads me back to my initial thought about your GitHub site being a home site for the products. If any one of them is a standalone program, they should be at the head page together with the rest of the standalone programs and not buried like this. There is not much info about SWH and WHHL at the shown page above, so it sort of vanishes in the general info about H_C. Info that in any case would be good.
 

LennyFox

Level 7
Jan 18, 2024
307
@Andy Ful

WHHL adds a very strong layer of security on user (writable) folders, while it is still possible to use a third-party anti-virus. Since all infections start from user land, I was thinking ....

Assuming that this Microsoft ISG-SmartScreen cloud backend is fed with the data from the users running Malware Defender, it should be wiser to use an antivirus from another big player in the AV market (e.g. Norton/Avira/BullGuard/Avast/AVG) as third-party antivirus, because the number of endpoints providing infection data would be larger.

If I recall correctly, a bigger observed population results in a more reliable prediction in statistics. This means that the chance of False Negatives would be smaller by using WHHL with another big player (with a large user base). I realize that the relation between population size and prediction reliability is not linear but parabolic, so it may only gain a few percent or tenths of a percent. But the difficulty of security is to close the last percent (or tenths of a percent), so even a small gain is a benefit.

Is my assumption correct?
 
Last edited:

Kuttz

Level 13
Verified
Top Poster
Well-known
May 9, 2015
625
Thank you for sharing information about Windows Hybrid Hardening Light (WHHLight) version 1.0.1.0. WHHLight is a simplified configurator of Windows built-in application control features that works on Windows 10 and 11 to support antivirus and prevent malware.

WHHLight combines three key security layers: SmartScreen, Software Restriction Policies (SRP), and Windows Defender Application Control (WDAC). These features provide comprehensive protection against various attack vectors. Once WHHLight is configured, it can be closed, and all protection comes from the Windows built-in features, eliminating the need for Microsoft Defender.

SRP is particularly effective in preventing attacks via scripts, shortcuts, and other files with active content, making it an ideal solution for home environments. On the other hand, WDAC offers robust protection against malicious executable (EXE), dynamic-link library (DLL), and Windows Installer (MSI) files.

In addition to these features, WHHLight also includes tools like DocumentsAntiExploit, FirewallHardening, and ConfigureDefender, which can be used to configure post-exploitation mitigations for vulnerable applications such as Microsoft Office and Adobe Acrobat Reader. However, please note that the ConfigureDefender tool requires Microsoft Defender real-time protection to be enabled.

You have also provided several videos demonstrating the usage and benefits of WHHLight. These videos showcase the features and functionality of WHHLight, making it easier for users to understand its capabilities.

Overall, WHHLight seems to be a powerful tool for enhancing the security of Windows systems, especially in home environments. It combines multiple built-in security features and provides additional tools for mitigating post-exploitation risks.

Sounds boring, Mr. Bot. Other than rephrasing words said by others, try to bring something new to the discussion. If Mr. Bot cannot bring anything new, at least please learn to stop commenting!
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
@Andy Ful

Assuming that this Microsoft ISG-SmartScreen cloud backend is fed with the data from the users running Malware Defender, it should be wiser to use an antivirus from another big player in the AV market (e.g. Norton/Avira/BullGuard/Avast/AVG) as third-party antivirus, because the number of endpoints providing infection data would be larger.

If I recall correctly, a bigger observed population results in a more reliable prediction in statistics. This means that the chance of False Negatives would be smaller by using WHHL with another big player (with a large user base). I realize that the relation between population size and prediction reliability is not linear but parabolic, so it may only gain a few percent or tenths of a percent. But the difficulty of security is to close the last percent (or tenths of a percent), so even a small gain is a benefit.

Is my assumption correct?

SmartScreen is mostly based on users' reputations. If the file is unknown to the Microsoft cloud, it is blocked. So the malware monitored by another AV but unknown to Microsoft is still blocked by SmartScreen. If one respects SmartScreen, then there is no gain in using another AV.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
Do you think Whhlight (Super Safe Setup - No Whitelisted Items) can protect better than cyberlock?

Both solutions can add much to the users' security. The definition of "better" can mean different things to different users. Finally, I do not know much about CyberLock, so I cannot answer your question. I would like to keep the discussion on WHHLight, because there is no reliable data to make comparisons. :)
 

LennyFox

Level 7
Jan 18, 2024
307
SmartScreen is mostly based on users' reputations. If the file is unknown to the Microsoft cloud, it is blocked. So the malware monitored by another AV but unknown to Microsoft is still blocked by SmartScreen. If one respects SmartScreen, then there is no gain in using another AV.
OK, I will ask malware to respect SmartScreen also and not perform staged attacks without setting the MOTW on the payloads ;)

Luckily WHHL has given Windows superpowers with WDAC-ISG and SRP (y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
OK, I will ask malware to respect Smartscreen also and not perform staged attacks without setting the MOTW on the payloads ;)

The first is mostly true at home. The second is true in the wild. :)
Furthermore, if the malware tries to bypass SmartScreen (like recent bypasses related to MOTW) it is trapped by even more restrictive ISG.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
WHHLight vs. Bumblebee phishing campaign (observed in February 2024)
https://malwaretips.com/threads/bum...h-new-tricks-targeting-u-s-businesses.129006/
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black

The targets of that campaign were businesses in the U.S. The Word documents used in the attacks spoofed the consumer electronics company Humane.

Attack flow:
phishing email with OneDrive URL ----> MS Word document with macro ----> macro creates/executes the VBScript ----> the script executes PowerShell CmdLine ----> CmdLine downloads & executes the second PowerShell CmdLine ----> Bumblebee DLL payload downloaded & executed (via RunDll LOLBin)


WHHLight package contains the DocumentsAntiExploit tool that is recommended for hardening MS Office and Adobe Acrobat applications. The applied settings block macros and some other features usually abused by the attackers.
But in this thread, I will show how the WHHLight SWH settings can also prevent the attack.
  1. One of the SWH restrictions is blocking Windows Script Host (except whitelisted scripts), so the VBScript file created by the macro is also blocked.
  2. Independently of point 1, both PowerShell CmdLines are restricted by Constrained Language Mode (the download method is blocked).
The attack can also be prevented by the FirewallHardening settings (blocked PowerShell outbound connections).
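Point 2 above relies on PowerShell Constrained Language Mode refusing the .NET download primitive that stage-two CmdLines need. The following is an added verification script, not code from WHHLight or from the Bumblebee write-ups; it assumes nothing beyond a standard Windows PowerShell session and only reports whether the mitigation is in force for that session.

```powershell
# Added example (not WHHLight code): confirm that the current PowerShell session runs in
# Constrained Language Mode and that arbitrary .NET type instantiation is refused.
function Test-ConstrainedLanguage {
    $mode = $ExecutionContext.SessionState.LanguageMode
    $webClientBlocked = $false
    try {
        # Under ConstrainedLanguage, New-Object is limited to an allow-list of core types.
        # System.Net.WebClient is not on it, so this call throws instead of returning an object;
        # that is the failure the "download method is blocked" remark above refers to.
        $null = New-Object -TypeName System.Net.WebClient
    } catch {
        $webClientBlocked = $true
    }
    [pscustomobject]@{
        LanguageMode     = $mode
        WebClientBlocked = $webClientBlocked
        # Only count the mitigation as effective when both observations agree.
        Effective        = ($mode -eq 'ConstrainedLanguage' -and $webClientBlocked)
    }
}

Test-ConstrainedLanguage
```

Run it from a normal (non-elevated) console, since that is the context a macro-spawned CmdLine would inherit. `Effective = True` means a downloader one-liner of this kind cannot even create its client object; `LanguageMode = FullLanguage` means the hardening is not applied to that session and the firewall rule on PowerShell outbound traffic becomes the remaining layer.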
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
WHHLight vs. PrivateLoader

PrivateLoader is an example of Pay-Per-Install (PPI) malware service. In some campaigns it is used as initial malware, in others it is delivered as a payload.

The realm of cybersecurity is perpetually challenged by the evolution and sophistication of cyber threats, among which the Pay-Per-Install (PPI) malware services stand as a significant and enduring component. These services, deeply entrenched in the cybercrime ecosystem, have streamlined the monetization of malicious software installations, posing a persistent threat to digital security. This report delves into the intricate workings of such a service, with a particular focus on the technical analysis of PrivateLoader, a notable player in this nefarious field.

Pay-Per-Install services operate on a simple yet effective business model: a malware operator provides the service operator with a payload, a specified number of installations, and targeted geographical locations. The service operators, in turn, are tasked with the distribution of the malware, adhering to the customer’s specifications.

The hashes of PrivateLoader samples can be found in some articles and known malware repositories:
https://www.bitsight.com/blog/unvei...se-new-proxy-service-privateloader-and-amadey
https://1275.ru/ioc/683/privateloader-iocs/

An example of a simple attack flow:
https://brandefense.io/blog/ransomware/privateloader-as-a-riseprostealer-dropper-technical-analysis/

[image attachment: attack flow diagram]


A complex attack flow (Glupteba campaign):
https://malwaretips.com/threads/glu...undocumented-uefi-bootkit.128984/post-1075238
https://thehackernews.com/2024/02/glupteba-botnet-evades-detection-with.html
[image attachment: attack flow diagram]


I analyzed over three hundred PrivateLoader samples. Almost all samples were unsigned or signed with fake certificates (blocked by SmartScreen). One old sample (from the year 2021) is allowed by SmartScreen (probably an adware downloader):
https://www.virustotal.com/gui/file...778ed0deec5ce48808826ae2210b846398a/detection

The results are similar to the results of GuLoader noted in my previous post:
https://malwaretips.com/threads/whh...-for-windows-home-and-pro.128274/post-1075857

Edit.
A few interesting articles related to PrivateLoader:
https://www.esentire.com/blog/fake-...mmac-stealer-amadey-and-privateloader-malware
https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/
https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/
https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/
https://intel471.com/blog/privateloader-malware
https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
WHHLight vs. DBatLoader

https://www.zscaler.com/blogs/secur...buting-malwares-targeting-european-businesses
https://securityintelligence.com/x-...age-updated-dbatloader-deliver-rats-stealers/

The importance of malware loaders is nicely described as follows:
If you are doing cyber threat research on the internet, chances are you will find a ton of papers documenting malicious RATs, APTs and state-sponsored campaigns. It is indeed interesting (and it makes cyber security folks feel like James Bond), but sadly little attention is given to what makes most of the threat landscape: the packers, droppers and other downloaders at the front of the infection chain. They may be less sophisticated, but it is what the user first encounters, and what makes most of the threat landscape.

The truth is, if an antivirus successfully detects and blocks an advanced RAT on a system, it means that it already failed and that the system is compromised, because advanced RAT are at the end of the infection chain.
https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/

When inspecting one of the well-known malware repositories, I recently noticed many DBatLoader samples. A short note about the related phishing campaign can be found on the Italian webpage (translated into English):
https://www.imagetechsrl.com/298/malware-aziende-sicurezza-informatica

[image attachment: screenshot of the campaign note]


Attack flow (1):

[image attachment: attack flow diagram]

Attack flow (2):

[image attachment: attack flow diagram]


I checked 100 recent DBatLoader samples. All were unsigned and blocked by SmartScreen except for one. When the samples were executed without MotW, they were blocked by WDAC ISG.
The signed sample has a reputable certificate (allowed by SmartScreen) - it is most probably a benign application (Extreme Picture Finder):
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
WHHLight vs. DarkGate

When inspecting the samples recently uploaded to the well-known malware repository, I noticed a few signed samples of DarkGate. Generally, between July 2023 and February 2024, most DarkGate samples were unsigned, except for about 10% of samples signed with highly reputable EV certificates. Those samples are interesting because malware with an EV certificate can bypass SmartScreen. Home users are not the targets of DarkGate, but such an attack vector can show some aspects of WDAC ISG.
I am not sure what the exact infection flow was, so I assumed the attack vector that can be a challenge for WHHLight. It is described as follows (last known campaign from October 2023):

In the past month, the Netskope Threat Labs team observed a considerable increase of SharePoint usage to deliver malware caused by an attack campaign abusing Microsoft Teams and SharePoint to deliver a malware named DarkGate.

DarkGate (also known as MehCrypter) is a malware that was first reported by enSilo (now Fortinet) in 2018 and has been used in multiple campaigns in the past months. Since its recent update announcement in an underground forum, several campaigns have been conducted to deliver the malware using different methods, such as phishing and SEO poisoning.

DarkGate appeals to many attackers because of its broad feature set, which includes HVNC, keylogging, information stealing, and downloading and executing other payloads. DarkGate can be used as a starting point for bigger attacks, including Ransomware infections.
https://www.netskope.com/blog/new-darkgate-variant-uses-a-new-loading-approach

Attack flow (slightly shortened):
Phishing or SEO poisoning ----> EXE or MSI file with EV certificate ----> legal EXE + malicious DLL dropped/executed (DLL hijacking) ---> legal Autoit.exe + Autoit script executed ----> DarkGate payload


https://www.virustotal.com/gui/file/5f3ab1889a15e561d15e919df803f26ed3c7c76850893768e143dff7d5d96e69
https://www.virustotal.com/gui/file/edb20f1e3fb92954b89c8158e58bd012b4d256082ec5b01767474e3731350da5
https://www.virustotal.com/gui/file/3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e
https://www.virustotal.com/gui/file/693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a

The EV-signed EXE/MSI samples were executed with MotW and were allowed by SmartScreen (no SmartScreen alert), but blocked by WDAC ISG.
Fortunately, ISG (with SmartScreen backend) does not blindly pass by the malware signed with an EV certificate.
 
Last edited:

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
759
@Andy Ful Atm I'm testing your new WHHlight. I can say that I really like it and so far haven't encountered any problems. Thanks for giving casuals the option for SRP and WDAC without getting into any heavy GPO setting sprees.

So far the only thing confusing me are the "three lines" that do nothing when I click on them. Coming from Firefox, I see "three lines", I click them and expect a menu with options :D
That being said thanks a lot for all of your time/help and software you are sharing with us :)

[image attachment: WHHLight GUI screenshot]
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
@Andy Ful Atm I'm testing your new WHHlight. I can say that I really like it and so far haven't encountered any problems. Thanks for giving casuals the option for SRP and WDAC without getting into any heavy GPO setting sprees.

So far the only thing confusing me are the "three lines" that do nothing when I click on them. Coming from Firefox, I see "three lines", I click them and expect a menu with options :D
That being said thanks a lot for all of your time/help and software you are sharing with us :)

[image attachment: WHHLight GUI screenshot]

They are only to make the GUI more intriguing. :)
But seriously, WHHLight uses a modified MetroGUI:
I modified the code, so the default menu (three lines) is disabled.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
WHHLight vs. Banking trojan campaign (Astaroth, Mekotio & Ousaban abusing Google Cloud Run)
https://malwaretips.com/threads/ban...a-and-europe-through-google-cloud-run.129252/
https://blog.talosintelligence.com/google-cloud-run-abuse/

What is Google Cloud Run?

Google Cloud Run is a service provided by Google that enables customers to build and deploy web services located in Google Cloud. They currently offer $300 in free credits for new Google accounts and two million free web requests per month.

Attack flow (1):
phishing email ----> Google Cloud Run ----> malware (MSI file) ----> JScript download payloads (via Bitsadmin LOLBin) -----> banking trojan

Attack flow (2):
phishing email ----> Google Cloud Run ----> malware (MSI file) ----> banking trojan


The second article includes the malware hashes. I checked them (MSI files) on VT (4 available) - all were unsigned.
SmartScreen blocks such malware samples (MSI file downloaded with MotW) due to low prevalence among users. If the file is downloaded without MotW it can be blocked by WDAC ISG. Two samples can be found on Any.Run. I downloaded them and confirmed the blocks.
The first attack can also be mitigated by default SWH settings (JScript blocked) and by FirewallHardening settings (Bitsadmin LOLBin blocked).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
WHHLight vs. Python-based Snake Info Stealer
https://malwaretips.com/threads/new...through-facebook-messages.129411/post-1078071
https://www.cybereason.com/blog/unboxing-snake-python-infostealer-lurking-through-messaging-service

Attack Flow (1):
Facebook message ----> archive downloaded (RAR/ZIP) ----> user opens archive and executes the content (BAT/CMD/VBS script) ----> script uses LOLBins (CURL/PowerShell) to download/install/execute secondary payloads or (and) Python-based malware


Such attacks cannot be a challenge for WHHLight, because they use Windows scripts that are blocked by the default SWH settings.
Even without blocking scripts, the attack can be prevented by FirewallHardening (outbound connections of CURL/PowerShell would be blocked).

Attack Flow (2):
Facebook message ----> archive downloaded (RAR/ZIP) ----> user opens archive and executes the content (malicious MSI loader) ---->
the loader downloads/installs/executes secondary payloads or (and) Python-based malware


If the user tries to execute the archive content without unpacking, the default SWH settings will block the execution of the MSI loader.
If the archive is first unpacked by the Windows built-in unpacker and then the MSI loader is executed, the file can be blocked by SmartScreen.
If the user unpacks the archive by using a 3rd-party unpacker that skips MotW, then the attack can be prevented when using RunBySmartscreen or activating WDAC in WHHLight.

The second attack could be a challenge for WHHLight only in some targeted attacks when the attacker would use a highly reputable certificate. In such a case the protection can be applied via the AV, and WHHLight restrictions can mitigate the later stages of the attack if Windows scripts or advanced PowerShell CmdLines are used.
 
Last edited:
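Both the Google Cloud Run post (MSI blocked by SmartScreen only when it carries MotW) and the Snake Info Stealer post above (a 3rd-party unpacker that skips MotW) turn on whether a file actually has the Zone.Identifier alternate data stream. The script below is an added example, not part of WHHLight or of the cited reports; it assumes only the standard Zone.Identifier ADS format (`ZoneId=` and optional `HostUrl=` lines) and lets you check, for any archive and the folder you extracted it into with whatever unpacker you use, whether the mark survived.

```powershell
# Added example (not WHHLight code): read the Mark-of-the-Web (Zone.Identifier ADS) that
# SmartScreen consults, and check whether an unpacker propagated it to extracted files.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-MotwInfo {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in Get-ChildItem -Path $Path -File -Force) {
        $zone = $null; $hostUrl = $null
        try {
            $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
            foreach ($line in $ads) {
                if ($line -match '^ZoneId=(\d+)')     { $zone = [int]$Matches[1] }
                elseif ($line -match '^HostUrl=(.+)') { $hostUrl = $Matches[1] }
            }
        } catch {
            # No Zone.Identifier stream: the file carries no MotW, so SmartScreen never sees it.
        }
        $zoneName = if ($null -ne $zone) { $zoneNames[$zone] } else { $null }
        [pscustomobject]@{
            File    = $file.FullName
            HasMotw = ($null -ne $zone)
            Zone    = $zoneName
            HostUrl = $hostUrl
        }
    }
}

function Test-MotwPropagation {
    # Compare the archive's mark with the marks of the files extracted from it.
    param(
        [Parameter(Mandatory)][string]$Archive,
        [Parameter(Mandatory)][string]$ExtractedFolder
    )
    $archiveInfo = Get-MotwInfo -Path $Archive
    $files = @(Get-ChildItem -LiteralPath $ExtractedFolder -Recurse -File -Force | ForEach-Object FullName)
    $extracted = if ($files.Count -gt 0) { @(Get-MotwInfo -Path $files) } else { @() }
    $missing = @($extracted | Where-Object { -not $_.HasMotw })
    [pscustomobject]@{
        ArchiveHasMotw   = [bool]$archiveInfo.HasMotw
        ExtractedFiles   = $extracted.Count
        FilesWithoutMotw = $missing.Count
        # If the archive was marked but members are not, the unpacker dropped the mark:
        # SmartScreen is out of the picture and only WDAC ISG (or RunBySmartscreen) remains.
        Propagated       = ([bool]$archiveInfo.HasMotw -and $missing.Count -eq 0)
    }
    $missing | ForEach-Object { Write-Warning "No MotW: $($_.File)" }
}

# Usage (adjust paths): inspect recent downloads, then test one archive against its extraction folder.
Get-MotwInfo -Path "$env:USERPROFILE\Downloads\*" | Format-Table -AutoSize
# Test-MotwPropagation -Archive "$env:USERPROFILE\Downloads\sample.zip" -ExtractedFolder "$env:USERPROFILE\Downloads\sample"
```

A `Zone = Internet` result on the MSI is what makes the SmartScreen block in the Cloud Run post possible; `Propagated = False` after extracting with a 3rd-party tool is exactly the case the Snake post describes, where the block has to come from WDAC ISG instead.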
