Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

[vtqhtr413]

It seems that a kind of Microsoft bot has opened a thread on MT about GooseEgg.

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials

Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as...

malwaretips.com

It is a copy of the original Microsoft article:
https://www.microsoft.com/en-us/sec...loiting-cve-2022-38028-to-obtain-credentials/

There does seem to be unusual bots here all of a sudden, we can't interact with them at all, but things change and I bet Jack is doing his best to keep the forum viable.

 

[Andy Ful]

There does seem to be unusual bots here all of a sudden, we can't interact with them at all, but things change and I bet Jack is doing his best to keep the forum viable.

I have nothing against this Bot. I also think that MT staff has control over posts of such Bots (good job).
The author of the article from arstechnica.com (mentioned in my previous post) forgot to mention the source article, so I did not know it at all.

 

[Azazel]

Hello @Andy Ful ,
I just found this website that let's you sign your applications for free.
It's similar to let's Encrypt project but for applications.

 

[Andy Ful]

I just found this website that let's you sign your applications for free.

Thanks.
It is well worth a closer look.

 

[Azazel]

Hi @Andy Ful ,
I have a suggestion.
When WHHFull is complete move all or the major components from Hard Configurator to WHHFul.
Deprecate Hard Configurator and Simple Windows Hardening (as WHHFull is superior).
If possible, bring your applications to Microsoft Store.

 

[Andy Ful]

Hi @Andy Ful ,
I have a suggestion.
When WHHFull is complete move all or the major components from Hard Configurator to WHHFul.
Deprecate Hard Configurator and Simple Windows Hardening (as WHHFull is superior).

It is already done. But, I am not sure if such a new (superior) application is needed. Furthermore, WHHFul cannot be superior in all aspects. For example, H_C is lighter (no slowdowns) compared to WDAC ISG in WHHFul.

If possible, bring your applications to Microsoft Store.

Too much trouble, but who knows?

 

[Andy Ful]

Initial access tradecraft.​

Initial Access - Red Canary Threat Detection Report

Adversaries employed tried-and-true initial access methods, with a few new variations on perennial themes.

redcanary.com

The examples of attacks in the wild can be found in my previous posts.

 

[Andy Ful]

Is FirewallHardening needed?

Let's ask another question. Can the WHHLight protection be bypassed?
There is no perfect protection, so the answer is Yes. WHHLight can be bypassed, but the chances for that are very, very small.
Here is an example where the malware could almost compromise WHHLight (but it did not):

In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge, Windows Defender alerts, and SmartScreen.
(...)
Consequently, many security programs and application control policies are more inclined to trust programs signed with an EV certificate. For instance, Microsoft's SmartScreen filter, which is utilized by Windows and other Microsoft products, evaluates the reputation of an executable at runtime.

Files signed with an EV certificate typically establish a trustworthy reputation faster than those signed with standard certificates or those that are unsigned. This advantage allows most malware to bypass SmartScreen warnings more effectively.

D3F@ck Loader, the New MaaS Loader

Learn more about the D3F@ck Loader malware and get security recommendations from our Threat Response Unit (TRU) to protect your business from this cyber…

www.esentire.com

The malware was propagated via Google Ads, and threat actors were impersonating Calendy and Rufus applications. As the article explains, the EXE/MSI files signed with an EV certificate have more chances to bypass the AV+SmartScreen. If SmartScreen is bypassed then <WDAC> with SmartScreen backend can often be bypassed in WHHLight. Furthermore, the malware uses high privileges to drop/run a script in the %ProgramFiles% folder which is whitelisted.
Fortunately, malware Loaders usually use scripting in UserSpace and download some important files from the web. To be stealthy, the download is usually done by LOLBins.

Attack flow:
Google Ad ----> downloaded EV-signed EXE -----> user executes the file and accepts the UAC ----> SmartScreen accepts the EV-signed file ----> two bach scripts dropped/executed ----> first script uses LOLBin (Curl) to download the URL of a malicious server, the second script runs the payload downloaded from that server ----> ....

In this example, the first script was dropped in the UserSpace (user Temp folder) so it could be blocked by <SWH>. The possible connection to a malicious server was disrupted (payloads could not be downloaded).
The second script was dropped in SystemSpace (%ProgramFiles% folder) so it was allowed to run. But, there was no payload to run.
If the first script was also dropped to SystemSpace, the connection to the malicious server could be disrupted by FirewallHardening (H_C Recommended settings), because the Curl LOLBin is on the blockList.

 

[7Oz-64]

Sorry, can't found something that i ve already read, just for confirm please :

Why windows firewall control can't see H_C recommanded rules of Firewall Hardening tool ?

Thanks.

 

[Andy Ful]

Sorry, can't found something that i ve already read, just for confirm please :

Why windows firewall control can't see H_C recommanded rules of Firewall Hardening tool ?

Thanks.

WFC does not use/check Administrator Policies.

 

[NormanF]

Andy,

A question: how does your Hardening Configurator compare and differ with VS Dan's new WDAC Lockdown? Can they be run together. Thanks!!

 

[Andy Ful]

Andy,

A question: how does your Hardening Configurator compare and differ with VS Dan's new WDAC Lockdown? Can they be run together. Thanks!!

I did not try this app, but I do not recommend using other WDAC-based solutions with WHHLight (except for SAC).

 

[NormanF]

I did not try this app, but I do not recommend using other WDAC-based solutions with WHHLight (except for SAC).

You mean there's an overlap between it and WHHLight? From your comment, you're saying they basically enforce the same policies. You can correct me if I'm wrong.

 

[Andy Ful]

You mean there's an overlap between it and WHHLight? From your comment, you're saying they basically enforce the same policies. You can correct me if I'm wrong.

Using two different solutions based on WDAC is not recommended:

• too complex setup and management,
• probable overlap,
• WDAC from one solution interferes with the second one.

 

[Andy Ful]

In the Windows 11 Home 24H2 (Insider build) the WDAC alert looks differently:

We can see "App Control for Business" instead of Windows Defender Application Control.
The new alert is correct, because WDAC does not need Microsoft Defender as a main AV (and Windows Defender is an outdated term).

 

[NormanF]

If you've Microsoft Defender for Business onboarded on top of the built in Microsoft Defender, the alert may look a little different.

 

[Andy Ful]

If you've Microsoft Defender for Business onboarded on top of the built in Microsoft Defender, the alert may look a little different.

It could be possible for the Enterprise protection fully integrated with WDAC. Did you encounter such a non-standard alert?
Anyway, I do not think that someone would need to use WHHLight with such a protection.

 

[Andy Ful]

Under WDAC events I have the following repeated block:

Event Id = 3077
Local Time: 2024/03/09 12:59:39
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
PolicyName = UserSpace Lock
UserWriteable = false

WMIC.exe is blocked by WDAC as recommended by Microsoft. It cannot be whitelisted.
WMIC.exe is/was a popular LOLBin that uses WMI infrastructure to bypass the AV and WDAC protection.
It is possible that AOMEI Backupper can work with blocked WMIC.exe, but I do not recommend using both WDAC and AOMEI.

I tested AOMEI Backupper on Windows 11 ver. 24H2 - it works without any issues. I was surprised that the same version of AOMEI Backupper triggers WMIC blocks on Windows 23H2, but there are no blocks on Windows 24H2. The reason is very simple, there is no WMIC LOLBin on Windows 11 ver. 24H2 anymore. These blocks are most probably related to some telemetry.

 

[Andy Ful]

WHHLight ver. 1.1.1.1

https://github.com/AndyFul/Hard_Configurator/raw/master/WindowsHybridHardening/WHHLight_Package_1111.exe

1. Added new WDAC setting (IAC).
2. Added new digital certificate to all tools.
2. Updated help files.

The new version can be run over the previous one (no need to remove the previous settings).
The new IAC setting will not be interesting for MT members. It is intended to block installations of new applications, except for Microsoft applications and UWP apps from Microsoft Store (Windows-like-Linux). For already installed applications and their auto-updates, IAC works just as the ON setting.
https://malwaretips.com/threads/easy-application-control-on-windows.130803/

 

[Andy Ful]

Windows-like-Linux

Three main security features of Linux are important for home users:
1. The permission-based structure in Linux prevents regular users from performing administrative actions.
2. Software installation is performed by using "app store" package manager.
3. Linux as a home computer operating system is far less targeted than Windows.

Windows-like-Linux has similar features:
1. The user works on a Standard User Account (SUA).
2. Software installation is performed via Microsoft Store (UWP apps and desktop applications).
3. All EXE and MSI files originating from the Internet Zone are blocked by default (no whitelisting).
The EXE, MSI, and DLL files originating from local devices (no MotW) are highly restricted in UserSpace by WDAC ISG (no SmartScreen backend).
Other files with active content (scripts, scriptlets, etc.) are blocked by default (Internet Zone and local devices).

Point 3 highly reduces the possible infection (including exploits) if all UserSpace is restricted. This is true when the SUPER_SAFE setup is applied in WHHLight with <WDAC> = IAC. Almost as safe would be TWO_ACOUNTS setup with <WDAC> = IAC.
But, I would like to propose the light implementation of Windows-like-Linux based on the TROUBLE_FREE setup with <WDAC> = IAC.

The WDAC default Whitelist on the above example includes two accounts: TestUser (Admin account) and useruser (SUA). In the TROUBLE_FREE setup, the ProgramData and AppData folders are whitelisted.

The cons are that some exploits can possibly use the locations in ProgramData or AppData to run malware, so we must add some post-exploitation protection (ConfigureDefender, FirewallHardening, and DocumentsAntiExploit). If one uses 3rd party applications for viewing & editing documents and 3rd party AV, those applications may require additional hardening.

The pros are that one can install almost any Windows application before applying the restrictions, and it will work/auto-update after applying the Windows-like-Linux light setup.
Of course, when restrictions are active then new software installations will be limited to Microsoft Store. But it is worth mentioning that gaming platform software (Steam, Epic Games, etc.) can still install new games because those installations are performed similarly to gaming platform updates.

I think that Windows-like-Linux setup (light version) can be helpful when protecting children or happy clickers. Despite strong restrictions, users can work with already installed applications, and install new software from Microsoft Store or new games via gaming platforms. Windows and software auto-updates are not restricted.