Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

I modified the CXK-NMSL ransomware BAT and uploaded it to VirusTotal:

The modified BAT encrypts only files in the Favorites folder (%USERPROFILE%\Favorites).
Of course, that could be any folder, too.

Edit.
I had to improve it a little, because the original BAT did not work correctly when run manually from the non-system drive.

 

[SeriousHoax]

It is not possible to block scenario 4, by using SysHardener.

Can you briefly make a similar comparison to OSArmor in default settings? How many scenarios can be blocked by OSArmor?

 

[Andy Ful]

Can you briefly make a similar comparison to OSArmor in default settings? How many scenarios can be blocked by OSArmor?

This would be hard, because only the OSArmor developer knows how exactly it works (no documentation). I never tested OSArmor against script attacks.

 

[SeriousHoax]

This would be hard, because only the OSArmor developer knows how exactly it works (no documentation). I never tested OSArmor against script attacks.

Ow I see, ok. Anyway, waiting for the release of new version of Hard_Configurator

 

[SeriousHoax]

Andy can you check this? This is the sample "RipWin.exe" from "Mixed Threats #16 (10/04/2020)". You can check this on anyrun: RipWin.exe (MD5: BED2A2EEB592522BA8EEB52CBA770392) - Interactive analysis - ANY.RUN
And also have a look here in the behavior section of VT: VirusTotal
Can Hard_Configurator block this in Windows_*_Basic_Recommended_Settings.hdc profile?

 

[South Park]

In the new H_C ver. 5.0.1.0, I added additional setting profile named Windows_10_Basic_hardening
It is equal to the Recommended Settings, except that in Recommended Settings the EXE and MSI files are allowed only in user AppData and ProgramData folders. In the Windows_10_Basic_hardening settings, the EXE and MSI files are allowed globally.
I added the profile description:

"Harden Windows 10 while maintaining maximum functionality and compatibility.

Please note: this profile allows the user to install/execute/update applications via EXE and MSI files. The only exceptions are EXE and MSI files executed directly from an archive or email client.
The scripts, shortcuts and other files with unsafe extensions are blocked by default in UserSpace.
The "Run By SmartScreen" entry in the Explorer context menu can be used to check the standalone application installers by SmartScreen Application Reputation service.

It is recommended to use this profile with ConfigureDefender HIGH Protection Level (if WD is the main antivirus) and "Recommended H_C" firewall outbound block rules (see <FirewallHardening> option). The profile can be used also with another antivirus with strong proactive detection."

Where can I find the link to download this version?

 

[Andy Ful]

I used InnoSetup to make an executable from my BAT (PrayForMercy.exe) and uploaded it to VirusTotal:

 

[Andy Ful]

Where can I find the link to download this version?

I will push it in April (in one or two weeks).

 

[SeriousHoax]

I have used InnoSetup to make an executable from my BAT (PrayForMercy.exe) and upload to VirusTotal:

View attachment 237102

ESET now detects the bat & executable file used in the cruelsister sample even though VT doesn't show it. I wonder if this one would be detected too!

 

[Andy Ful]

Andy can you check this? This is the sample "RipWin.exe" from "Mixed Threats #16 (10/04/2020)". You can check this on anyrun: RipWin.exe (MD5: BED2A2EEB592522BA8EEB52CBA770392) - Interactive analysis - ANY.RUN
And also have a look here in the behavior section of VT: VirusTotal
Can Hard_Configurator block this in Windows_*_Basic_Recommended_Settings.hdc profile?

Yes. This EXE is a dropper which spawns the BAT in UserSpace with command-line:

"C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\E131.tmp\E132.tmp\E133.bat

The BAT will be blocked.

 

[Andy Ful]

ESET now detects the bat & executable file used in the cruelsister sample even though VT doesn't show it. I wonder if this one would be detected too!

Generally, the detection of EXE files is better than for scripts.

 

[Andy Ful]

ESET now detects the bat & executable file used in the cruelsister sample even though VT doesn't show it. I wonder if this one would be detected too!

If you want to test it on MH, just let me know.

 

[ForgottenSeer 85179]

@askalan

Copyright on Hard-Configurator website is still on year 2019:

 

[Andy Ful]

I will ask @askalan to update the website when the new stable version will be ready. For now, we have a stable ver. 5.0.0.0 from the year 2019.

 

[ForgottenSeer 85179]

There are some good PDF Readers in Microsoft Store:
PDF viewers (all use Appcontainer):
Adobe Reader Touch
Foxit MobilePDF
PDF Viewer Plus, from GSnathan
PDF Reader from Kdan Mobile
Perfect PDF Reader, from soft Xpansion
Xodo PDF Reader & Editor (very fast with big documents)

PDF Reader plugins in web browsers are far more vulnerable to attacks and can help to exploit the web browser.

Sorry for answer to this "old" post, but i make some research:
Foxit MobilePDF and PDF Viewer Plus, from GSnathan are outdated:


Apps may be still secure because of AppContainer, but i don't like such outdated tools
I doesn't check other ones

 

[Andy Ful]

Sorry for answer to this "old" post, but i make some research:
Foxit MobilePDF and PDF Viewer Plus, from GSnathan are outdated:
View attachment 237707 View attachment 237708

Apps may be still secure because of AppContainer, but i don't like such outdated tools
I doesn't check other ones

I am not sure if I understand your point. You do not want to use safe, fully functional and system compatible software because of its age? It is a kind of fashion, isn't it?
Of course, there is nothing wrong with fashion-based choices, if they are better than the old one.

 

[ForgottenSeer 85179]

I am not sure if I understand your point. You do not want to use safe, fully functional and system compatible software because of its age? It is a kind of fashion, isn't it?

I want use safe software, but not unmaintained. Anyway i don't know how important for AppContainer that is.

 

[Andy Ful]

I want use safe software, but not unmaintained. Anyway i don't know how important for AppContainer that is.

I use Adobe Touch for viewing PDF files. It is still more secure than any desktop PDF viewer and faster than most of them. The AppContainer changes are very slow (if any) as compared to desktop platform, so the apps that work in AppContainer do not require changes, too. Furthermore, criminals are not interested in attacking the AppContainer.

 

[ForgottenSeer 85179]

I use Adobe Touch for viewing PDF files. It is still more secure than any desktop PDF viewer and faster than most of them. The AppContainer changes are very slow (if any) as compared to desktop platform, so the apps that work in AppContainer do not require changes, too. Furthermore, criminals are not interested in attacking the AppContainer.

Isn't Adobe highly under attack?
Sorry for OT

 

[Andy Ful]

Isn't Adobe highly under attack?
Sorry for OT

Yes, it is (except UWP apps in AppContainer). The UWP apps are coded differently, so it is hard to apply the same exploits as for desktop applications. Furthermore, the UWP apps are much simpler, so they have a much smaller attack surface.