Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

When I:
  • Switch SWH ON
  • Set PowerShell Restrictions to 2 (PowerShell.exe)
  • Switch SWH OFF
  • Switch SWH ON
Then PowerShell Restrictions will be set to 3 (PowerShell.exe + Script files).
WHHL V2.0.0.2

Thanks. Bug confirmed. It will be corrected in the next version. (y)
 
@Andy Ful

I have ConfigureDefender_4011 and WindowsHybridHardeningLight_2002 at C:\ProgramData\WindowsHybridHardening_Tools. I created a shortcut for both to my desktop and now EMSISOFT is checking them as malware (only the shortcut). Any idea why?

VirusTotal also marks it.

example:

 
Because it uses B signatures, and B is known for FPs.
 
Some malware can create shortcuts to payloads dropped in ProgramData.
You probably are not malware, so the shortcut can be whitelisted. :)
 
I recently installed a new application that seems to put some of its dynamic libraries under writable folders, so WDAC blocks them by default. Whitelisting the folder also fails, because WHHL complains: "WDAC Whitelist. Error. The path is too long (max pathlength = 72)." In this case, the required path length would be 91 characters, but maybe some additional reserve would probably not be a bad idea, too...

It would be nice if you could make this modification for the next release (and also include the bug fix for the SWH PowerShell restrictions configuration which I reported in September). :)(y)

Until then, I have to rely only on SRP restrictions (that are weaker and less configurable in WHHL than what they were in H_C, from which I moved to WHHL when upgrading to Windows 11).
 
What was that path?
 
C:\Users\XXXXX\AppData\Local\Temp\.net\YYYYYYY\7b_GqtU4OEUHIiFkHfIeYWN9iLEBkV8=\YYYYYYY.dll

(I have whitelisted only the Admin account's AppData\Local\Temp directory, purposely. This is a SUA)
 
You can whitelist the path:
C:\Users\XXXXX\AppData\Local\Temp\.net\YYYYYYY\

Edit.
However, if "YYYYYYY" is random, it cannot be whitelisted in WHHLight.
A partial solution is whitelisting: "C:\Users\XXXXX\AppData\Local\Temp\.net"
 
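Added example (not WHHLight's own code and not posted in the thread): a small Python helper for the 72-character whitelist limit discussed above. Given a file that WDAC blocked, it lists the ancestor folders that fit the limit and picks the deepest one that does not sit below a per-run generated name; it assumes the limit counts the folder path including its trailing backslash, the "looks generated" heuristic is an assumption, and the sample path is the placeholder path posted above.

```python
# Added example; not WHHLight's own code. Helper for the "path is too long (max
# pathlength = 72)" case: list ancestor folders of a blocked file that fit the limit
# and pick the deepest one that is not below a random, per-run folder name.
import re
from pathlib import PureWindowsPath

MAX_PATH_LEN = 72  # limit quoted in WHHLight's "WDAC Whitelist" error message

# Heuristic (assumption): 16+ base64-like characters mixing letters and digits look
# like a generated name (e.g. the "7b_GqtU4...=" folder posted in the thread).
_GENERATED = re.compile(r"^[A-Za-z0-9_+=\-]{16,}$")


def looks_generated(segment: str) -> bool:
    return (bool(_GENERATED.match(segment))
            and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment))


def whitelist_candidates(blocked_file: str, max_len: int = MAX_PATH_LEN,
                         known_random: frozenset = frozenset()) -> list:
    """Ancestor folders of blocked_file, drive root first, each with its length, whether
    it fits the limit, and whether it is stable (no generated name at or above it)."""
    path = PureWindowsPath(blocked_file)
    candidates, stable = [], True
    for folder in reversed(path.parents):          # root first, then deeper folders
        if folder.name and (folder.name in known_random or looks_generated(folder.name)):
            stable = False                          # this folder and all below change per run
        text = str(folder) if str(folder).endswith("\\") else str(folder) + "\\"
        # Assumption: the limit is applied to the folder path including the trailing backslash.
        candidates.append({"folder": text, "length": len(text),
                           "fits": len(text) <= max_len, "stable": stable})
    return candidates


def best_whitelist_folder(blocked_file: str, max_len: int = MAX_PATH_LEN,
                          known_random: frozenset = frozenset()):
    """Deepest folder that fits the limit and is stable. The drive root always qualifies,
    so check that the result is not broader than you are willing to whitelist."""
    usable = [c for c in whitelist_candidates(blocked_file, max_len, known_random)
              if c["fits"] and c["stable"]]
    return usable[-1]["folder"] if usable else None


if __name__ == "__main__":
    # Constructed sample: the placeholder path posted in the thread (91 characters).
    sample = r"C:\Users\XXXXX\AppData\Local\Temp\.net\YYYYYYY\7b_GqtU4OEUHIiFkHfIeYWN9iLEBkV8=\YYYYYYY.dll"
    for c in whitelist_candidates(sample):
        print(f"{c['length']:3d} fits={c['fits']!s:5} stable={c['stable']!s:5} {c['folder']}")
    print("suggested:", best_whitelist_folder(sample))
    print("if YYYYYYY also varies:", best_whitelist_folder(sample, known_random=frozenset({"YYYYYYY"})))
```

Passing the folder names you know to be generated via `known_random` reproduces the two cases in the reply above: a fixed "YYYYYYY" allows whitelisting that folder, a varying one forces the parent ".net" folder.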
WHHLight vs. DiCaprio Movie torrent attack
https://www.bitdefender.com/en-us/b...dicaprio-movie-torrent-agent-tesla-powershell
https://malwaretips.com/threads/fak...esla-through-layered-powershell-chain.138664/

Key findings

  • The notoriety of Leonardo DiCaprio's new film, One Battle After Another, is being used to deploy malware on the Windows machines of unsuspecting users.
  • The Agent Tesla RAT itself is not novel, but the deployment of consecutive attack methods leveraging PowerShell and other LOTL (Living Off the Land) tools is highly interesting.
  • According to our insights, this particular type of attack has been used only in this torrent download.
  • Payload execution is done entirely in memory.
  • The attack demonstrates the use of multi-stage scripting, advanced obfuscation techniques, and fileless execution to evade detection and become persistent.
  • The goal is to transform the Windows PC into a zombie agent, ready to be used at any time by attackers in other campaigns or to deploy malware further.
  • The attack is directed at novices who don't often download pirated content or understand the dangers of torrents.

Context

The infection begins when a user downloads a torrent that appears to contain the One Battle After Another film. Inside the downloaded content, the user will find a shortcut file simply named CD.lnk that indicates it is there to launch the movie.

Clicking on that file, however, triggers a hidden command chain that executes a series of malicious scripts buried inside the subtitle file Part2.subtitles.srt.

The attacker uses several legitimate Windows utilities (CMD, PowerShell, and Task Scheduler) to unpack multiple layers of encrypted data.

Infection chain:
Malicious torrent download (Movie + malicious files LNK, SRT, JPG, M2ts) ---> User opens a shortcut ----> CMDLine extracts and runs PowerShell CmdLines embedded in the SRT subtitle files ---> PowerShell decrypts the malicious code ----> PowerShell drops a few PowerShell scripts ----> Scripts are executed ---> the Payloads are unpacked and decrypted from fake JPG and M2ts files ---> Batch/PS1 script installs Go programming language and makes persistence via scheduled tasks ---> Malicious Loader is compiled ---> Final payload (Agent Tesla) is executed directly in memory

The actions marked in red are blocked by SWH/SRP shortcut/script restrictions.
The actions marked in blue are blocked by the PowerShell Constrained Language Mode forced by SWH/SRP.
Any of those blocked actions makes the whole attack harmless.
 
Signature and behavioral aside, when comparing WHHL to K app control, I suppose the former will block the attack even before it starts, while the latter will kick in at the last step of executing the payload.

Signature aside, would not behavioral analysis of MD or the 3rd party AVs stop such an attack? This is typical malicious behavior!
 
Such attacks are planned/tested to avoid any detection (also behavioral) by the particular AV (or some AVs). That is how the FUD market works.
That is why the infection chain is so complicated in the case of the DiCaprio attack. The behavioral detection is often triggered after several hours.
 
WHHLight vs. Phantom 3.5 attack

Phantom, a stealer malware, sends back sensitive data like passwords, browser cookies, credit card information, crypto wallet credentials, victim’s IP addresses, etc to the attacker. This can be used in identity theft, account takeovers or even worse the infected machine can be used as a tool to orchestrate bigger malware attacks.

With the increased use and vast amount of files that are available on the internet, most oblivious users fail to differentiate between safe and malicious content they are downloading. In this blog, we will delve into a stealer named Phantom version 3.5 and its initial vector.

As the initial vector, the WSF script is used (the XML-based container for JavaScript obfuscated code).

Infection chain:
Fake Adobe 11.7.7 installer (WSF/XML script container) ---> JScript code downloads/executes PS1 script ---> PowerShell decrypts DLL Payload and injects it into the LOLBin (aspnet_compiler.exe) ---> connection with C2 server is established

(*) - I wrote JScript instead of JavaScript to point out that Windows Script Host runs the code.

The actions marked in red are blocked by default SWH script restrictions.
The actions marked in blue are blocked by the PowerShell Constrained Language Mode forced by SWH/SRP. The execution of aspnet_compiler.exe is also blocked in WHHLight when the WDAC setting is not set to OFF.
The actions marked in violet can be blocked by FirewallHardening (LOLBin BlockList includes aspnet_compiler.exe).
 
WHHLight vs. Cache Smuggling attacks

This attack vector combines the ClickFix method with the exploitation of the web browser cache. Such attacks were reported this year.
According to Microsoft:

ClickFix was the most common initial access method that Microsoft Defender Experts observed in Defender Expert notifications in the last year, accounting for 47% of attacks. ClickFix has been used by both cybercriminal and nation-state actors to deliver malware, including infostealers, remote access trojans (RATs), and worms. Successful campaigns have led to credential theft, malware staging, and persistent access using just a few keystrokes from the user.

Web browsers often cache images from websites in specific paths. This can be abused by using the ClickFix method:

  1. The user is directed to the malicious website, which hosts the encrypted payload camouflaged as a JPG file.
  2. The web browser caches the JPG to the disk.
  3. The user is fooled into applying ClickFix actions that trigger PowerShell code.
  4. PowerShell code searches for the JPG payload in the web browser's cache.
  5. PowerShell decrypts the JPG payload.
  6. Malicious code is executed.

This method cannot be stopped by FirewallHardening, because the payload is not downloaded by PowerShell (or another LOLBin), but directly via a web browser. However, it can be mitigated by PowerShell Constrained Language Mode forced by default SWH/SRP restrictions.
 
@Andy Ful

Apologies for this off-topic question.

My wife only runs Office 2024 and a photo editor installed from Windows store.

She is running as standard user with SAC on and Hard Configurator only blocking scripts and LolBins (for standard user) with Defender on Max (and also your other hardening tools for office and firewall enabled). Additionally I have disabled Wscript, CMD and Cscript and put PowerShell in constrained mode.

Would there be any benefit to move to your latest tool WHHLight (using Hard Configurator with SAC now)?

She has to do security awareness courses every year for work, so she is careful with mail and internet.

After initial installation I ran some debloat programs which also removed some HP programs as spyware and I removed all preinstalled (trial) programs.

All updates are installed through Windows update using Windows installed drivers only.

This configuration runs without any problems (only in the beginning a HP program would not update but that one was removed because it was categorized as a spyware).
 
Could you post the screenshots of the H_C main window and of the DocumentsAntiExploit window?
The posted setup looks OK. I am unsure about script settings. Did you block CMD via registry tweak?
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
DisableCMD = 1 (DWORD (32-bit))
 
Yes I disabled command shell and old scriptors through registry settings.

I am currently on holiday and have no access to the PC, so I am not able to post screenshots. If I remember correctly, I used the Avast profile as starting point.

Thanks for your reply.
 
Beginning to understand it much better :) - both about exe reputation and when they may run, but also that even with this tight grip I don't have to disable everything to install well-known software (I always let the setups stay in a folder for a few days and AV scan daily) or to use e.g. Hibit Uninstaller to remove stuff. And the whitelisting parts also make better sense for my use - in other words, it just works even though the tight grip is ON ;)

Thanks for all @Andy Ful
 
This is far better protection compared to SAC
and more flexible.


ConfigureDefender MAX settings protect all locations (with a few exclusions). WDAC ISG automatically allows Non-writable locations and WDAC whitelisted locations.
So if the installer was blocked by both ASR rule and WDAC, turning it off temporarily for installing will bypass WDAC (the installed app will launch as it is located in non-writable space) but not the ASR rule (as this space is not excluded by default as in the case with WDAC)?


JScript download payloads (via Bitsadmin LOLBin)
Also this step could be blocked by "Block JavaScript or VBScript from launching downloaded executable content" ASR rule.


WMIC.exe is blocked by WDAC as recommended by Microsoft
Currently deprecated in W 11.


user opens the archive and runs the script
You mean the user double-clicks the script or right-clicks and runs as admin, or just opening (or extracting) the archive will launch the script without user interaction with the script?


WHHLight blocks it via the default SWH settings (running VBE scripts is disabled).
or by "Block JavaScript or VBScript from launching downloaded executable content" ASR rule.
 
@Mods, thank you for combining (merging) @Parkinsond posts, I was going to say something about the 4-5 singular posts in a row. Same with yesterday and about 4-5 separate links posted one after the other that were merged. I'm not attacking you Parkinsond, but it would be nice if at times you waited 15-30 minutes to "let the paint dry" on some of your thoughts, LOL, before posting one-sentence replies and used multi-quote more often? :)
 