NoVirusThanks OSArmor: An Additional Layer of Defense

So even further locking down estabilished policies againt credential dump with OSA and ERP will not help against Mimikatz (I checked and I should be immune to it), because the attackers could still import registry settings and bypass everything via API? Pardon me but this is complicated, I will not understand everything right after your forum post, thats why I am grateful you are here helping me

some rules I wrote:

Spoiler

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\
00,73,00,70,00,6b,00,67,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,credssp.dll"
rem import via cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 00000008 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v Negotiate /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /d 0 /t REG_DWORD /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdminOutboundCreds /t REG_DWORD /d 00000001 /f
reg add "HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v NtlmMinClientSec /t REG_DWORD /d 20080000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v NtlmMinServerSec /t REG_DWORD /d 20080000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v everyoneincludeanonymous /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LMCompatibilityLevel /t REG_DWORD /d 5 /f
rem logon
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableCAD /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v DisablePasswordChange /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v RequireStrongKey /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v RequireSignOrSeal /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v SignSecureChannel /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v undockwithoutlogon /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v SealSecureChannel /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" /v EnableSecureCredentialPrompting /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\CredUI" /v DisablePasswordReveal /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v dontdisplaylastusername /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f
net accounts /MINPWLEN:20 /MAXPWAGE:30 /MINPWAGE:29 /UNIQUEPW:3
net accounts /LOCKOUTTHRESHOLD:3
net accounts /LOCKOUTDURATION:70
net accounts /LOCKOUTWINDOW:70
rem no storage for domain password
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v disabledomaincreds /t REG_DWORD /d 1 /f

checked with this:

Spoiler

wmic useraccount list full
net accounts
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

 

ERP and OSA as anti-exe, just block EXE's, how can they protect you against malicious dll/drivers/reg files?
And how can they stop in-memory exploitations when they can't even monitor the memory.
Note that if a kernel exploit is used, nothing except a patch from MS can block the attack.

I have to use OSA to implement the blocking of a huge list of LOLbins and folders, because my main security application is limited in number of entries.

 

so what would you recommend, Excubits? or HMPA (I was about to buy it anyway), I already have "solid" in my opinion firewalls. I have Eset advanced firewall, simple wall (they work perfect in tandem: I know I should not use 2 but this is because of VM that corrupts software, anyway too complicated to explain now) and Asus router with latest firmware: it does some Trend micro scans and has IDS at least. I was thinking about pfsense but I saw CVE vulnerabilities and maybe too much for a home user

 

Excubits stuffs, lack of GUI, all is done via command lines, can be rebuking.

HMPA is the more user-friendly but may impact performance and generate some FPs (note I was beta tester for them but I decided to ditch it, I don't really need it).

I think HMPA would be better, it has some side handy features.

 

They can protect against the common ways that dlls and drivers are loaded, although they don't monitor the dlls and drivers themselves.

Excubits Bouncer does not need to be configured by command line, you just write rules in a txt file, that's all. But if you want Bouncer to monitor dlls, it slows down performance, and it is extremely frustrating to get the dll rules to work right. Not worth it, in my opinion.

 

Just the common ways are not enough to me.
When i set up a security strategy, I plan for the worst attack vector.

 

I am already covered on keylogging and bad usb/usb worms through Binisoft and Panda Usb Vaccine, plus these policies:

Spoiler

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" /v "Deny_Execute" /t "REG_DWORD" /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d "@SYSoesNotExist" /f

then why you recommend it? I'll explain. There must be a better software you are using or you have found the right balance, can you tell me more about it?

 

Because it is just the most comprehensive anti-exploit and quite simple to use.

I ditched it because i use Windows Exploit Guard and Appguard Enterprise. HMPA would be redundant.
Also, I want to limit the number of sec softs I am using. Quality not quantity.

 

that might be the only difference. I am home user, could be hard to get Appguard enterprise. Problem is WD has no web component (antipishing), protocol filter, https://docs.microsoft.com/en-us/wi...l-windows-defender-advanced-threat-protection this is only for PRO, I am home, so I have a small problem if using your setup..

I can't just jump to pro since I use heavily modifed iso versions with NTLite and similar

full settings are here, what is essential? ASLR works only at startup so its no use imo for long running programs

Spoiler

powershell.exe Set-Processmitigation -System -Enable DEP,EmulateAtlThunks,ForceRelocateImages,RequireInfo,BottomUp,HighEntropy,StrictHandle,DisableWin32kSystemCalls,AuditSystemCall,DisableExtensionPoints,BlockDynamicCode,AllowThreadsToOptOut,AuditDynamicCode,CFG,SuppressExports,StrictCFG,MicrosoftSignedOnly,AllowStoreSignedBinaries,AuditMicrosoftSigned,AuditStoreSigned,EnforceModuleDependencySigning,DisableNonSystemFonts,AuditFont,BlockRemoteImageLoads,BlockLowLabelImageLoads,PreferSystem32,AuditRemoteImageLoads,AuditLowLabelImageLoads,AuditPreferSystem32,EnableExportAddressFilter,AuditEnableExportAddressFilter,EnableExportAddressFilterPlus,AuditEnableExportAddressFilterPlus,EnableImportAddressFilter,AuditEnableImportAddressFilter,EnableRopStackPivot,AuditEnableRopStackPivot,EnableRopCallerCheck,AuditEnableRopCallerCheck,EnableRopSimExec,AuditEnableRopSimExec,SEHOP,AuditSEHOP,TerminateOnError,DisallowChildProcessCreation,AuditChildProcess

reptoline:

Spoiler

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x400 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x400 /f

which replaced (reptoline should be faster):

Spoiler

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

chrome mitigation:

Spoiler

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v MitigationOptions /t REG_QWORD /d 8589934592 /f

and new hardware:
The new K-series 9th-gen CPUs received protection against Meltdown V3, Spectre V2, ZombieLoad, Foreshadow or L1 terminal fault exploit.

We are still discussing OS Armor here, only we need to protect it against the exploit online vector as pointed out by guest

it was a misunderstanding, I did not know you were talking about online fileless attacks, now I know, I am sorry and I'll try not to make this mistake again

thats the main problem, nobody implements it and nobody wants to hear about it, hackers might exploit this fact, but I can see that statistically exploits are in decline (globally, versus threats such as crypto coin miners, rootkits are on the rise 2)

 

@guest so external PowerShell scripts from a launcher can be executed remotely even if PowerShell is fully restricted and locked down by IWR (SRP rules), OS armor/Exe Radar Pro (and similar)

Spoiler

rem block PS and related
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "cmd.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "powershell_ise.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "powershell.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "calc.exe" /f
netsh.exe advfirewall firewall add rule name="Block calc.exe" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -norestart
powershell.exe Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -norestart
powershell.exe -Command "Set-ExecutionPolicy Restricted -Scope CurrentUser"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v EnableScripts /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v __PSLockDownPolicy /t REG_DWORD /d 4 /f
powershell Set-ExecutionPolicy -ExecutionPolicy Restricted
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell -Name "ExecutionPolicy" –Value "Restricted"
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v ExecutionPolicy /t REG_SZ /d Restricted /f
reg add HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell /v ExecutionPolicy /t REG_SZ /d Restricted /f
rd "%ProgramFiles%\WindowsPowerShell" /s /q
rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
rd "%WINDIR%\System32\WindowsPowerShell" /s /q
rd "%WINDIR%\SysWOW64\WindowsPowerShell" /s /q
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=no
net stop WinRM
net stop winmgmt
sc config winmgmt start= disabled
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt" /v Start /d 4 /t "REG_DWORD" /f
sc config WinRM start= disabled
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM" /v Start /d 4 /t "REG_DWORD" /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\WinRM" /v Start /t REG_DWORD /d 4 /f
assoc .ps1=
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
Dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root"
rem attention some programs will not work
DISM /Online /Disable-Feature /FeatureName:Microsoft-Windows-NetFx3-OC-Package /Remove /Quiet /NoRestart
DISM /Online /Disable-Feature /FeatureName:Microsoft-Windows-NetFx3-WCF-OC-Package /Remove /Quiet /NoRestart
DISM /Online /Disable-Feature /FeatureName:NetFx3 /Remove /Quiet /NoRestart
rem attention most programs will not work
DISM /Online /Disable-Feature /FeatureName:NetFx4-AdvSrvs /Remove /Quiet /NoRestart
DISM /Online /Disable-Feature /FeatureName:Microsoft-Windows-NetFx4-US-OC-Package /Remove /Quiet /NoRestart
DISM /Online /Disable-Feature /FeatureName:Microsoft-Windows-NetFx4-WCF-US-OC-Package /Remove /Quiet /NoRestart
DISM /Online /Disable-Feature /FeatureName:WCF-Services45 /Remove /Quiet /NoRestart

in this case the attacker would need to install a PS and .NET module on me or not?
sry this is difficult to grasp a concept for me, If I hacked a few PCs (my own pcs) I would understand this better (practice, I think you need a practitioner not just books and theory).

I am also thinking on modified iso that eradicates some elements these techniques rely upon

maybe its possible to disrupt communication in some way

 

Powershell Empire supplies all of its own needs. It is not a living-off-the-land attack and it does not need to drop any binaries on the local disk. So any execution-based rules that you make for the local machine will not stop it (once it has an entry point to the local machine, of course...)

 

that's crazy, I wonder what with a modified iso, like a 700mb install with deep win10 modifications, a crippled OS, they are easy to build (Ntlite or MSMG toolkit) but involve some initial trials and tribulations. I am thinking maybe if its cripped two PC can't communicate properly (removed drivers, protocols, features, services) but I am not sure. I think it might be stopped this way because if you change OS you are covered, so perhaps nested VMs in this case should stop it (apart data breaches from guest VM), ie Linux->Windows10. I guess not always, because once in memory they can move between different VMs but its hard (Andreas said these type of VM movements are hard to pull off)

 

Do a search on Wilderssecurity for posts from @itman about Powershell Empire. He has posted a lot about this type of thing. It sounds like science fiction, but it's real.

 

@lucd modified OS would change nothing, the stager can embark all it needs. For example, it's own interpreters like powershell or python so it doesn't need them installed on the system.

It does all in-memory, so unless you have an anti-exploit (and not an post-exploitation soft like anti-exes, hence my irritation about the amalgam), you won't see it coming.

Such attacks are mostly made for persistent and stealthy attacks schemes targeting corporate network. Home users are usually not the main targets but things can changes fast.

 

Sandboxing the application from which the attack originated should mitigate the effects.
This attack needs an unpatched vulnerability in an internet-facing application, or a corporate network environment, AFAIK.

 

@guest you call OSA, ERP or VS post-exploatation tool, is it the correct term (you might have used it sarcastically)?
could you call them blockers? They are like HIPS, The difference being that HIPS are smart,
Andreas call these OSA filthers smart too as well, but they are not HIPS. Security products with HIPS performs scans on the program trying to launch its threads (ie kernel-mode callbacks such as PsSetCreateProcessNotifyRoutineEx used for monitoring process creation and termination) and then decide if it wants to grant continuation to the execution, entirely block it or restrict it (block execution of scripts). It might involve networking components to check on features. Usually part of an AV/AM
Such scanning actions are not performed by OSA, there are no smart on-the-fly decisions or roll back actions. However the block suspicious process has 1000+ secret rules (quote), which is whats closer to a "smart" rule (if this is what Andreas meant). It is a private filter and rule manager with kernel driver, that doesn't need communication, apart driver signing purpose (Andreas said OSA or ERP might need network to check proper driver signing, although I never spotted a connection with latest release). To quote:
OS Armor doesn't need an Internet connection to work, except to verify digital signatures of signed executables.
That said, I don't know how to classify them, maybe private filter tools?

 

In the popular parlance of security forums:

Anti-exploit means protecting an application from certain types of abuse such as buffer overflow.

Post-exploit protection means the buffer overflow (for example) already took place, but the attack is prevented from spawning files and launching LOL bins such as powershell.

HIPS means monitoring and/or blocking each and every action of a running process, not just preventing its initial execution.

None of these definitions are set in stone, but this is what people usually mean, to the best of my understanding...

@guest I welcome your corrections if you think these definitions are faulty.

 

alright then, so how to call ERP+RG+OSA+FIDES+VS+DRP, say academically, to me they are private filter tools or initial process blockers

 

@shmu26 seems ok.

@lucd Yes post-exploitation, because they don't prevent the exploit itself but what it may do after, and sometimes it is not enough.

 

thats why I originally said OSA/ERP can be useful even with fileless exploits, the alerts from osa/erp/drp and firewall are sometimes enough to spot something fishy (but you always need dedicated antiexploits)
they basically teach you what process behaviors are usual and what are unusual all the time unless that unblocked process (the process that you expect being launched into memory) is hijacked

 

Mimikatz injected into svchost.exe is a favorite technique:

https://searchsecurity.techtarget.c...al-How-it-hacks-Windows-passwords-credentials

 

the mitigation options I reference at the top of the page deal with that (Nla and others), I am immune (I don't reveal) but I can be still attacked.
Problem is they are not set in the default Windows install you need to import them manually and updates might roll them back and if I put these option in my mother's or my GF's PC they would kill me so, you just can't enforce strong password on ppl not to mention mitigation options
they did something on it in 1903 I think, I can see a mitigation option for svchost.exe
(binary loaded by it to be signed by Microsoft), they are well aware of Mimikatz at Microsoft perhaps and about time there are options

 

Here's a new targeted malware campaign that uses (among other tools) Powershell Empire, and, contrary to my previous claim, it looks like they can do it via weaponized docs:
https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html

 

as usual this is aimed at people who can't use a computer not even at the very basic level (email as nr1 vector of attack, 91% of attacks - fireye, how this is possible is completely beyond me, you won't believe by I trained my 85 y old grandpa not to click malicous attachments), plus gmail's Naive Bayes will definitely filter this spam out

 

I ain't never figured out how in all that's electric, that the silly Python language is mysteriously but easily infiltrates Windows.

Anyone care to explain that blunder, if it is such a blunder.