Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Maybe cmd.exe, bitsadmin, certutil.exe?
Here's one related to using certutil.exe to download malwares

CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AV

Windows has a built-in program called CertUtil, which can be used to manage certificates in Windows. Using this program you can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows.

www.bleepingcomputer.com

Here's another detailed analysis about LOLbins manipulation by Ramnit trojan that you might be interested to read

LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack

Cybereason detected an evasive infection technique used to spread a variant of the Ramnit banking Trojan as part of an Italian spam campaign. We investigate this attack, its use of sLoad, and its adoption of LOLbins to minimize discovery.

www.cybereason.com

Certutil is already added. Bitsadmin and CMD do not make outbound connections, but trigger other processes that do this for them. For example, bitsadmin.exe triggers svchost.exe. The CMD will trigger Bitsadmin, Wscript, Cscript, PowerShell, Certutil, or other LOLBins.

 

[SeriousHoax]

Certutil is already added.

You mean in the upcoming new version?

 

[Andy Ful]

I have another question on a different topic: with SRP on, is it better to whitelist Macrium ? I checked and saw many files in program data. Or maybe just switch DefaultDeny off before running Macrium?

Does Macrium run with admin rights?

 

[Andy Ful]

You mean in the upcoming new version?

Beta 5.0.0.1

Hard_Configurator - Windows Hardening Configurator

Andy, I am getting a few of these lately Access to C:\WINDOWS\System32\Wbem\wmic.exe has been restricted by your Administrator by location with policy rule {1016bbe0-a716-428b-822e-5e544b6a3155} placed on path Wmic.exe. Any idea what might be trying to use Wmic? Is it possibly connected to...

malwaretips.com

 

[shmu26]

Does Macrium run with admin rights?

Yes

 

[Andy Ful]

If Macrium works with admin rights, then it should work without whitelisting like other high privileged system processes. SRP in H_C does not block such processes. Anyway, this can be easily tested by creating a test backup.

 

[Back3]

Does Macrium run with admin rights?

Yes

 

[Back3]

If Macrium works with admin rights, then it should work without whitelisting like other high privileged system processes. SRP in H_C does not block such processes. Anyway, this can be easily tested by creating a test backup.

Thanks

 

[silversurfer]

If Macrium works with admin rights, then it should work without whitelisting like other high privileged system processes. SRP in H_C does not block such processes. Anyway, this can be easily tested by creating a test backup.

Confirmed, I'm using both Macrium Reflect Free & Hard_Configurator (Recommended Settings for SRP), I have been never running into issues to fail any backup/image by Macrium for almost two years until now...

 

[Back3]

What's the best way to install a secure downloaded app? Switch off Default Deny Protection, install the app then switch it on. Or right click on the .exe, and execute it as administrator. Or run as SmartScreen.

 

[Gandalf_The_Grey]

What's the best way to install a secure downloaded app? Switch off Default Deny Protection, install the app then switch it on. Or right click on the .exe, and execute it as administrator. Or run as SmartScreen.

Normally the safest and preferred way would be run as smartscreen.

 

[Andy Ful]

What's the best way to install a secure downloaded app? Switch off Default Deny Protection, install the app then switch it on. Or right click on the .exe, and execute it as administrator. Or run as SmartScreen.

Do you use SUA or default admin account?

You can use the below methods when running the installation from the hard disk or when running the standalone installator from another source (flash drive, CD/DVD, etc.).

1. On SUA ---> switch off the protection and use "Run By SmartScreen" from the right-click Explorer context menu. Switch on the protection after installation.
2. On any admin account ---> use "Run As SmartScreen" from the right-click Explorer context menu.

The difference between 1 and 2 follows from the fact that using admin rights on SUA can spoil the installation (some files will be put on the admin profile instead of the user profile).

When one wants to run the non-standalone installation (like setup.exe + installation files in some folders) from non-NTFS sources like, flash drive, memory card, CD/DVD source, ISO image, etc. then the above simple methods cannot be applied. You have to switch off the protection and run the installation normally. This should be done with caution because the installation will not be checked with SmartScreen (files do not have MOTW).

 

[Back3]

I use an admin account. I was wondering if I can always use Run as SmartScreen even if the exe is small or large. For instance, installing a small .exe like Chrome or a large .exe such as LibreOffice. I understand that the bigness of the .exe + installation files doesn't matter if I run a standalone installation.

 

[Andy Ful]

I use an admin account. I was wondering if I can always use Run as SmartScreen even if the exe is small or large. For instance, installing a small .exe like Chrome or a large .exe such as LibreOffice. I understand that the bigness of the .exe + installation files doesn't matter if I run a standalone installation.

That is right. You will be waiting a little longer for SmartScreen check with big files.

 

[Back3]

That is right. You will be waiting a little longer for SmartScreen check with big files.

Thanks

 

[Oten]

Hi Andy,

I'm using H_C 5.0.1 beta, where is the basic recommended setting profile? I don't see it when i load profiles. Also will there be any problem if i block all sponsors and is it necessary?

 

[Andy Ful]

Hi Andy,

I'm using H_C 5.0.1 beta, where is the basic recommended setting profile? I don't see it when i load profiles. Also will there be any problem if i block all sponsors and is it necessary?

This profile is included in the upcoming beta. You can set it in the version 5.0.0.1 as follows:

1. Apply the "Recommended Settings"
2. Set <More SRP ...> <Update Mode> = OFF
3. Open <Whitelist By Path>, use "Allow EXE and TMP" and "Allow MSI" to whitelist globally the EXE (TMP) and MSI files.
4. Close the window and use <APPLY CHANGES>

You should see something like below:

 

[Andy Ful]

...Also will there be any problem if i block all sponsors and is it necessary?

That will depend on the installed software. You could probably live with blocked Sponsors while checking from time to time the H_C Log for possible blocked events. The cons of blocking Sponsors is that you cannot whitelist the action of the Sponsor - it can be only enabled or disabled.
The H_C settings are for decreasing the attack surface area. The necessity of blocking sponsors can depend on your security setup, software vulnerabilities, computer activity, safe habits, etc. For non-happy clickers on well updated Windows 10 with well updated software, blocking sponsors is usually unnecessary. Please, use "Run By SmartScreen" from the right-click Explorer context menu to check & run the EXE and MSI standalone application installers.

Edit.
Your current setup (KAV 20, Hard_Configurator, WiseVector StopX) is OK.

 

[Back3]

My firewall hardening already includes Syshardener outbound firewall rules. Would it be a good idea to add those two rules:
C:\Windows\system32\mshta.exe
C:\Windows\system32\rundll32.exe
Thanks

 

[Andy Ful]

My firewall hardening already includes Syshardener outbound firewall rules. Would it be a good idea to add those two rules:
C:\Windows\system32\mshta.exe
C:\Windows\system32\rundll32.exe
Thanks

Yes.
Anyway, you can use FirewallHardening (without adding any rules) to see the blocked outbound connections - enable logging events and use <Blocked Events>. Pay attention to the entries blocked by your custom rules. There can be more blocked processes related to your privacy settings and default firewall rules - you can ignore them.