WHHLight - simplified application control for Windows Home and Pro.
Quoting Andy Ful (post 1086722):

Is FirewallHardening needed?

Let's ask another question. Can the WHHLight protection be bypassed?
There is no perfect protection, so the answer is Yes. WHHLight can be bypassed, but the chances for that are very, very small.
Here is an example where the malware could almost compromise WHHLight (but it did not):

The malware was propagated via Google Ads, and threat actors were impersonating Calendly and Rufus applications. As the article explains, the EXE/MSI files signed with an EV certificate have more chances to bypass the AV+SmartScreen. If SmartScreen is bypassed, then <WDAC> with SmartScreen backend can often be bypassed in WHHLight. Furthermore, the malware uses high privileges to drop/run a script in the %ProgramFiles% folder, which is whitelisted.
Fortunately, malware Loaders usually use scripting in UserSpace and download some important files from the web. To be stealthy, the download is usually done by LOLBins.

Attack flow:
Google Ad ----> downloaded EV-signed EXE ----> user executes the file and accepts the UAC ----> SmartScreen accepts the EV-signed file ----> two batch scripts dropped/executed ----> first script uses LOLBin (Curl) to download the URL of a malicious server, the second script runs the payload downloaded from that server ----> ....

In this example, the first script was dropped in the UserSpace (user Temp folder), so it could be blocked by <SWH>. The possible connection to a malicious server was disrupted (payloads could not be downloaded). The second script was dropped in SystemSpace (%ProgramFiles% folder), so it was allowed to run. But there was no payload to run. :)
If the first script was also dropped to SystemSpace, the connection to the malicious server could be disrupted by FirewallHardening (H_C Recommended settings), because the Curl LOLBin is on the blockList.
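The post credits FirewallHardening with cutting the curl download even when the downloader script runs from the whitelisted SystemSpace. The mechanism behind that is an outbound Windows Firewall block rule bound to the LOLBin's executable path. The script below is an added example written for this page, not Hard_Configurator's or FirewallHardening's own code, and it does not reproduce their rule names or full block list. It assumes an elevated PowerShell session, uses curl.exe (the entry the post names) plus certutil.exe and bitsadmin.exe as assumed extra entries, and uses example.com only as a stand-in host for the functional check.

```powershell
# Added example (not Hard_Configurator/FirewallHardening code): per-program outbound
# block rules for download-capable LOLBins. Run from an elevated PowerShell session.

$BlockList = @(
    "$env:SystemRoot\System32\curl.exe",      # the LOLBin named in the post
    "$env:SystemRoot\SysWOW64\curl.exe",      # 32-bit copy, skipped if absent
    "$env:SystemRoot\System32\certutil.exe",  # assumed extra entry
    "$env:SystemRoot\System32\bitsadmin.exe"  # assumed extra entry
)
$Prefix = "LOLBin outbound block: "   # assumed rule-name prefix, not H_C's naming

foreach ($exe in $BlockList) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $name = $Prefix + $exe
    # Idempotent: do not create a second rule for the same program.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Verification: each rule, the program it binds to, its action and enabled state.
Get-NetFirewallRule -DisplayName "$Prefix*" | ForEach-Object {
    $filter = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = $filter.Program
        Action  = $_.Action
        Enabled = $_.Enabled
    }
} | Format-Table -AutoSize

# Functional check (can be run as a standard user): with the rule active, curl
# cannot connect and exits non-zero. example.com is only a placeholder host.
& "$env:SystemRoot\System32\curl.exe" --max-time 10 -sS https://example.com
"curl exit code: $LASTEXITCODE (non-zero means the outbound block is in effect)"
```

The rules are keyed to the executable's path, so they cover curl.exe launched from any script, from either UserSpace or SystemSpace, and regardless of which user runs it. They do not cover a copy of the binary placed under another path, which is why the post treats FirewallHardening as one layer next to <SWH> and <WDAC> rather than a replacement for them.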