Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

[Andy Ful]

Phishing email with SVG attachment -------> users says "Nope"

User deletes email with SVG attachment

End of attack chain.

Phishing email ---> User deletes email ----> END

The problem is that most computer users will open the attachment - they do not bother to learn or develop safe habits. They even do not know the term "phishing email".
You probably think that people should learn something about security. But sadly, most people will not bother.

Post edited.

 

[ForgottenSeer 109138]

Phishing email ---> User deletes email ----> END

The problem is that most computer users will open the attachment - they do not bother to learn or develop safe habits. They even do not know the term phishing.

The problem that's persistent is when users in forums like this try to teach them, enthusiast jump in pound the living day lights out of thread and bury good advice they can learn from.

How much simpler would it be to teach users how to be "aware".

Literally the user has to interact with this twice to initiate the infection " the very essence of social engineering".

Even grandmas and Grandpa's are starting to learn MS is not going to call them to state they found an infection in their system, or that prince in Nigeria is not really going to give them free money. They are seeing these type of scams now in current movies, in the news, made public, for them to learn by.

This one is classic example that could be used to state the not so obvious for some.

 

[Trident]

Even grandmas and Grandpa's are starting to learn MS is not going to call them to state they found an infection in their system

They are seeing these type of scams now in current movies

Very nice scam-themed movie with Jason Statham

 

[Trident]

User isn't thinking clearly and opens the attachment

More is needed than opening the attachment, the attachment advises users to download a password-protected (in the case of APT29) archive. I was looking to find out how this archive is magically dropped, unpacked and content is ran as SVG default handler is your default browser, which will most likely be a chromium-based solution. Turns out it is not!

User then needs to unpack the archive and run a weird script which initiates a whole billion-step attack. This highly fragmented attack can be prevented in many ways:

• Of course, with H_C or similar solution that prevents certain LOLBins from executing. In my case, the bat and vbs will fail to run.
• By refusing to look at this “invoice” as the email definitely won’t be the monthly email you get from your ISP or whatever
• By using sophisticated behavioural blocking as no AMSI bypass stage is implemented (according to the infection chain graphic). The whole execution process is extremely anomalous.
• By using software with threat emulation

 

[NormanF]

Could you package it as a Windows installer that writes to the Program Folder? It would be convenient to pin the Hardening Configurator to the Windows taskbar or Start Menu.

 

[Andy Ful]

Could you package it as a Windows installer that writes to the Program Folder? It would be convenient to pin the Hardening Configurator to the Windows taskbar or Start Menu.

I could but I intentionally did not. WHHLight is intended for Home Administrators, to protect the computers of average home users. So, the WHHLight location is not in the standard places. After configuration, the Administrator can simply remove the WHHLight shortcut from the Desktop, so the home user is not aware of what protection is applied.
Anyway, you can always move the WHHLight shortcut from the Desktop to the Program Folder.

 

[Morro]

For reasons that take too long to explain here, I had to change my security setup. It was a pain in the but doing that, and let's just say that March 2025 can not come soon enough. (At that time I can return to using SpyNetGirls Hardening guide again.)

Either way, I ended Trying WHHLight the past few days together with at first Kaspersky Free, and although very good Kaspersky did slow down a few things. So today I ended up installing BitDefender TS. But I forgot I also have WHHLight on my disk and I had activated SWH+Smartscreen Block+WDAC. Would it cause issues if I keep those active, or should I either deactivate some, or simple restore the default settings through WHHLight?

 

[ForgottenSeer 107474]

For reasons that take too long to explain here, I had to change my security setup. It was a pain in the but doing that, and let's just say that March 2025 can not come soon enough. (At that time I can return to using SpyNetGirls Hardening guide again.)

Either way, I ended Trying WHHLight the past few days together with at first Kaspersky Free, and although very good Kaspersky did slow down a few things. So today I ended up installing BitDefender TS. But I forgot I also have WHHLight on my disk and I had activated SWH+Smartscreen Block+WDAC. Would it cause issues if I keep those active, or should I either deactivate some, or simple restore the default settings through WHHLight?

When WHLL allowed install, it will also most likely also allow updates of Bitdefender TS. Although not exactly the same, but I have ran Bitdefender free with WHHL without problems.

The security mechanisms which are enabled by WHHL were designed to run with third-party antivirus

 

[NormanF]

WHHLight essentially does the same thing as Cyberlock and NoVirusThanks OSArmor. It hardens Windows via native settings to stop malware conventional AV and antimalware solutions can't always detect - like ransomware and zero day threats.

Its a good complement to them on your PC.

 

[Digmor Crusher]

Does Cyberlock use native Windows settings?

 

[Morro]

Thank you LennyFox and NormanF.

 

[Andy Ful]

Does Cyberlock use native Windows settings?

No. It uses a custom driver to apply restrictions.

 

[Andy Ful]

WHHLight essentially does the same thing as Cyberlock and NoVirusThanks OSArmor. It hardens Windows via native settings to stop malware conventional AV and antimalware solutions can't always detect - like ransomware and zero day threats.

Yes, the purpose of WHHLight is similar to those applications, but WHHLight is intentionally made as a very simplistic application to protect home users. So, other applications are much more configurable which can be important when applying restrictions in organizations.

 

[Digmor Crusher]

No. It uses a custom driver to apply restrictions.

Thank you sir, that's what I thought.

 

[Andy Ful]

WHHLight vs. Exploit prevention (GooseEgg example)

Windows vulnerability reported by the NSA exploited to install Russian malware

Windows vulnerability reported by the NSA exploited to install Russian malware Microsoft didn't disclose the in-the-wild exploits by Kremlin-backed...

www.wilderssecurity.com

Windows vulnerability reported by the NSA exploited to install Russian malware

Microsoft didn't disclose the in-the-wild exploits by Kremlin-backed group until now.

arstechnica.com

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials | Microsoft Security Blog

Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.

www.microsoft.com

There are several examples in the wild, when the attackers use Microsoft vulnerabilities to get higher privileges. In many cases, the exploits are applied by using scripts and this is blocked by the WHHLight SWH restrictions. The GooseEgg exploit was applied by using a batch script.

Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years in attacks that targeted a vast array of organizations with a previously undocumented tool, the software maker disclosed Monday.

When Microsoft patched the vulnerability in October 2022—at least two years after it came under attack by the Russian hackers—the company made no mention that it was under active exploitation. As of publication, the company’s advisory still made no mention of the in-the-wild targeting. Windows users frequently prioritize the installation of patches based on whether a vulnerability is likely to be exploited in real-world attacks.

“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” Microsoft officials wrote.

 

[Andy Ful]

It seems that a kind of Microsoft bot has opened a thread on MT about GooseEgg.

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials

Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as...

malwaretips.com

It is a copy of the original Microsoft article:
https://www.microsoft.com/en-us/sec...loiting-cve-2022-38028-to-obtain-credentials/

 

[Azazel]

From my understanding WDAC = ON uses Smartscreen for files with MOTW and ISG for files without MOTW.
Am I Correct?

 

[Andy Ful]

From my understanding WDAC = ON uses Smartscreen for files with MOTW and ISG for files without MOTW.
Am I Correct?

ISG is used In both cases. Without SmartScreen, the ISG does not use SmartScreen reputation to allow files.
WDAC without the ISG option blocks executables and does not care about SmartScreen.

 

[Azazel]

Supposed Windows 12 remove SRP, would it be difficult to develop a driver that could block risky file extensions in the same way SRP does?

 

[Andy Ful]

Supposed Windows 12 remove SRP, would it be difficult to develop a driver that could block risky file extensions in the same way SRP does?

Probably not, but I will not do it. I do not use custom drivers.
All my applications configure the security already implemented (hidden) in Windows.