Showing posts with label Window Hacking. Show all posts

Hardentools: An Utility That Disables A Number of Risky Windows Features




Hardentools is a collection of simple utilities designed to disable a number of "features" exposed by operating systems (Microsoft Windows, for now) and by primary consumer applications.


These features, commonly intended for enterprise customers, are generally useless to regular users and rather pose a danger, as they are very commonly abused by attackers to execute malicious code on a victim's computer. The intent of this tool is simply to reduce the attack surface by removing the low-hanging fruit. Hardentools is intended for individuals at risk who might want an extra level of security at the price of some usability. It is not intended for corporate environments.

Bear in mind that after running Hardentools you won't be able, for example, to do complex calculations with Microsoft Office Excel or use the command-line terminal, but those are pretty much the only considerable "downsides" of having a slightly safer Windows environment.

Before deciding to use it, make sure you read this document thoroughly and understand that yes, something might break. In case you experience malfunctions as a result of the modifications implemented by this tool, please do let us know.

How to use it

Once you double-click on the icon, depending on your Windows security settings, you should be prompted with a User Account Control dialog asking for your confirmation to allow Hardentools to run. Click "Yes".

Then you will see the main Hardentools window. It's very simple: you just click on the "Harden" button, and the tool will make the changes to your Windows configuration that disable a set of risky features. Once completed, you will be asked to restart your computer for all the changes to take full effect.


In case you wish to restore the original settings and revert the changes Hardentools made (for example, if you need to use cmd.exe), you can simply re-run the tool; instead of a "Harden" button you will be presented with a "Restore" button. Similarly, click it and wait for the modifications to be reverted.

Please note: the modifications made by Hardentools apply only to the Windows user account from which the tool is run. In case you want Hardentools to change settings for other Windows users as well, you will have to log in as each of them and run it again.

What this tool does NOT do


  • It does NOT prevent software from being exploited.
  • It does NOT prevent the abuse of every available risky feature.
  • It is NOT an Antivirus. It does not protect your computer. It doesn't identify, block, or remove any malware.
  • It does NOT prevent the changes it implements from being reverted. If malicious code runs on the system and is able to restore them, the premise of the tool is defeated, isn't it?


Disabled Features


Generic Windows Features


  • Disable Windows Script Host. Windows Script Host allows the execution of VBScript and JScript files on Windows operating systems. This is very commonly used by regular malware (such as ransomware) as well as by targeted malware.
  • Disable AutoRun and AutoPlay. Disables AutoRun / AutoPlay for all devices. For example, this should prevent applications from automatically executing when you plug a USB stick into your computer.
  • Disable powershell.exe, powershell_ise.exe and cmd.exe execution via Windows Explorer. You will not be able to use the terminal, and it should prevent the use of PowerShell by malicious code trying to infect the system.
  • Set User Account Control (UAC) to always ask for permission (even on configuration changes only) and to use the "secure desktop".
  • Disable file extensions mainly used for malicious purposes. Disables the ".hta", ".js", ".JSE", ".WSH", ".WSF", ".scr", ".vbs" and ".pif" file extensions for the current user (and for the system-wide defaults, which is only relevant for newly created users).


Microsoft Office

Disable Macros. Macros are at times used by Microsoft Office users to script and automate certain activities, especially calculations in Microsoft Excel. However, macros are currently a security plague, and they are widely used as a vehicle for compromise. With Hardentools, macros are disabled and the "Enable this Content" notification is disabled too, to prevent users from being tricked into re-enabling them.

Disable OLE object execution. Microsoft Office applications are able to embed so-called "OLE objects" and execute them, at times also automatically (for example through PowerPoint animations). Windows executables, such as spyware, can also be embedded and executed as an object. This is also a security disaster which we have observed used time and time again, particularly in attacks against activists in repressive regions. Hardentools entirely disables this functionality.

Disable ActiveX. Disables ActiveX controls for all Office applications.

Acrobat Reader

Disable JavaScript in PDF documents. Acrobat Reader allows JavaScript code to be executed from within PDF documents. This is widely abused for exploitation and malicious activity.

Disable execution of objects embedded in PDF documents. Acrobat Reader also allows embedded objects to be executed by opening them. This would normally raise a security alert, but given that legitimate uses of this are rare and limited, Hardentools disables it.
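A quick way to verify that hardening of this kind is actually in force is to audit the registry values behind each feature. The following PowerShell audit is an added example, not Hardentools' own code: the key paths and expected values are assumptions drawn from documented Windows, Office and Acrobat Reader policy settings (Office version and the Word-only checks are also assumptions), and it only reads, never writes.

```powershell
# Added audit example (not part of Hardentools). Reads the per-user and
# system registry values that govern the risky features described above and
# reports which ones are still in their default (un-hardened) state.
# Key paths and expected values are assumptions based on documented policy
# settings; adjust $officeVersion and the Office app name for your install.
$officeVersion = '16.0'   # assumption: Office 2016/2019/365

$checks = @(
    @{ Name = 'Windows Script Host disabled'
       Path = 'HKCU:\Software\Microsoft\Windows Script Host\Settings'
       Key  = 'Enabled'; Expected = 0 },
    @{ Name = 'AutoRun disabled for all drive types'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Key  = 'NoDriveTypeAutoRun'; Expected = 255 },
    @{ Name = 'Explorer DisallowRun list enabled (cmd/powershell block)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Key  = 'DisallowRun'; Expected = 1 },
    @{ Name = 'UAC always prompts administrators'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Key  = 'ConsentPromptBehaviorAdmin'; Expected = 2 },
    @{ Name = 'UAC prompts on the secure desktop'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Key  = 'PromptOnSecureDesktop'; Expected = 1 },
    @{ Name = 'Word VBA macros disabled without notification'
       Path = "HKCU:\Software\Microsoft\Office\$officeVersion\Word\Security"
       Key  = 'VBAWarnings'; Expected = 4 },
    @{ Name = 'Word OLE package activation blocked'
       Path = "HKCU:\Software\Microsoft\Office\$officeVersion\Word\Security"
       Key  = 'PackagerPrompt'; Expected = 2 },
    @{ Name = 'ActiveX disabled for all Office applications'
       Path = 'HKCU:\Software\Microsoft\Office\Common\Security'
       Key  = 'DisableAllActiveX'; Expected = 1 },
    @{ Name = 'Acrobat Reader DC JavaScript disabled'
       Path = 'HKCU:\Software\Adobe\Acrobat Reader\DC\JSPrefs'
       Key  = 'bEnableJS'; Expected = 0 }
)

foreach ($c in $checks) {
    # A missing key or value means the Windows/application default still applies.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Key) } else { $null }
    if ($null -eq $actual)            { $state = 'NOT SET (default in force)' }
    elseif ($actual -eq $c.Expected)  { $state = 'HARDENED' }
    else                              { $state = "DIFFERS (value $actual)" }
    '{0,-58} {1}' -f $c.Name, $state
}
```

Run it once before and once after hardening (and again after a "Restore") to confirm that each value really changed for the account in question; the HKLM UAC entries are machine-wide and need an elevated shell only if you intend to modify them.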

Authors
This tool is developed by Claudio Guarnieri, Mariano Graziano and Florian Probst.

WARNING: This is just an experiment; it is not meant for public distribution yet. Also, this tool disables a number of features of Microsoft Office, Adobe Reader and Windows that might cause malfunctions in certain applications. Use it at your own risk.

Wikileaks Vault-7 Publishes New CIA Exploit Tools BothanSpy And Gyrfalcon



The latest additions to Wikileaks' Vault 7 series of CIA tools are BothanSpy and Gyrfalcon, implants used to steal SSH credentials from Windows and Linux systems.


BothanSpy targets Windows computers, whereas Gyrfalcon targets Linux machines. Gyrfalcon encrypts the collected data and stores it in a file on the Linux system. Its operator must be familiar with Linux/Unix commands and shells such as sh, csh and bash.

According to the documents from the CIA's BothanSpy and Gyrfalcon projects, the implants described in both projects are designed to intercept and exfiltrate SSH credentials, but they work on different operating systems with different attack vectors.

BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. These credentials are either username and password in the case of password-authenticated SSH sessions, or username, filename of the private SSH key and key password if public-key authentication is used. BothanSpy can exfiltrate the stolen credentials to a CIA-controlled server (so the implant never touches the disk on the target system) or save them in an encrypted file for later exfiltration by other means. BothanSpy is installed as a Shellterm 3.x extension on the target machine.

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms (CentOS, Debian, RHEL, SUSE, Ubuntu). The implant can not only steal user credentials of active SSH sessions, but is also capable of collecting full or partial OpenSSH session traffic. All collected information is stored in an encrypted file for later exfiltration. It is installed and configured using a CIA-developed rootkit (JQC/KitV) on the target machine.

Do you really think Linux System is secure?

WinPayloads – Undetectable Windows Payload Generation



WinPayloads is a tool that provides Windows payload generation, with some extras, running on Python 2.7; its authors describe the payloads as undetectable.


It provides persistence, privilege escalation, shellcode invocation and more. WinPayloads uses Metasploit's Meterpreter shellcode, injects the user's IP address and port into the shellcode, and writes a Python file that executes the shellcode using ctypes.

Features

  • UACBypass – PowerShellEmpire
  • PowerUp – PowerShellEmpire
  • Invoke-Shellcode
  • Invoke-Mimikatz
  • Invoke-EventVwrBypass
  • Persistence – Adds payload persistence on reboot
  • Psexec Spray – Spray hashes until successful connection and psexec payload on target
  • Upload to local webserver – Easy deployment
  • Powershell stager – allows invoking payloads in memory & more.
  • WinPayloads can also set up a SimpleHTTPServer to put the payload on the network so it can be downloaded on the target machine, and it has a psexec feature that will execute the payload on the target machine if supplied with usernames, a domain, and passwords or hashes.

Installation

  • git clone https://github.com/nccgroup/winpayloads.git
  • cd winpayloads
  • ./setup.sh will set up everything needed for WinPayloads
  • Start WinPayloads: ./Winpayloads.py
  • Type 'help' or '?' to get a detailed help page
  • setup.sh -r will reinstall

ELSA: New CIA Tool Revealed By Wikileaks Which Was Used To Track PCs Via WI-Fi




Wikileaks released the latest entry in its Vault 7 series of CIA hacking tools: ELSA, malware used to track Wi-Fi-enabled devices running the Microsoft Windows operating system. ELSA gathers location data on the victim device, which the operator can then retrieve remotely.


"WikiLeaks publishes documents from the ELSA project of the CIA. ELSA is a Geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals. To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device.

If it is connected to the internet, the malware automatically tries to use public Geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device - again using separate CIA exploits and backdoors.

The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method. Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to Geo-location data to create a tracking profile of the target device."

Last week Wikileaks published the CIA's Brutal Kangaroo project. Brutal Kangaroo is a tool suite for Microsoft Windows that targets closed networks by air-gap jumping using thumb drives. Brutal Kangaroo components create a custom covert network within the target closed network and provide functionality for executing surveys, directory listings, and arbitrary executables.
