Hard_Configurator - Windows Hardening Configurator

ErzCrz

Interesting ransomware was tested on MH:
This example shows two things:
  1. Even the AV with ATP cannot detect all scripting attacks.
  2. There is a big difference between malware tests and real-world tests.
The first point is evident from the Malware Hub results. So, the best method is still blocking scripts in UserSpace.

The second point follows from the fact that in the real world attack, the attacker will not use a PowerShell script as the initial infection vector due to the PowerShell Execution Policy. So, the MS Office document, shortcut, or another infection vector will be used to run the PowerShell script and bypass the PowerShell Execution Policy. In most cases, also the phishing link will be used. This will change the detection significantly for all AVs with ATP. For example, the WD ASR rules will block such attacks performed via exploiting MS Office or Adobe Reader applications.(y)

Do you have any recommendations beyond the Recommended Settings in H_C to cover this or does the H_C defaults already protect us?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Do you have any recommendations beyond the Recommended Settings in H_C to cover this or does the H_C defaults already protect us?
No recommendation needed. H_C blocks the execution of PowerShell script files via any predefined setting profile (except All_OFF).
 

silversurfer

Interesting ransomware was tested on MH:
This example shows two things:
  1. Even the AV with ATP cannot detect all scripting attacks.
  2. There is a big difference between malware tests and real-world tests.
The first point is evident from the Malware Hub results. So, the best method is still blocking scripts in UserSpace.

The second point follows from the fact that in the real world attack, the attacker will not use a PowerShell script as the initial infection vector due to the PowerShell Execution Policy. So, the MS Office document, shortcut, or another infection vector will be used to run the PowerShell script and bypass the PowerShell Execution Policy. In most cases, also the phishing link will be used. This will change the detection significantly for all AVs with ATP. For example, the WD ASR rules will block such attacks performed via exploiting MS Office or Adobe Reader applications.(y)
The test by @geminis3 is only related to WD and "Configure Defender", so it's clear that without H_C the protection will be weaker overall!
Maybe it would be better to post comments about this test in the "Configure Defender" thread, as maybe a few readers are getting confused and believing that H_C was unable to block the infection...
 

Andy Ful

From Hard_Configurator Tools
Thread author
The test by @geminis3 is only related to WD and "Configure Defender", so it's clear that without H_C the protection will be weaker overall!
Maybe it would be better to post comments about this test in the "Configure Defender" thread, as maybe a few readers are getting confused and believing that H_C was unable to block the infection...
I am not sure. :unsure:
I mentioned this sample here because it should bypass most AVs + ATP (except if signature is already known).
On MH it bypassed Bitdefender TS 2020, Norton 360 2020 (custom settings), and Microsoft Defender with Configure Defender HIGH.
Hard_Configurator is not limited to WD, it can be run with most AVs (although probably WD can gain more). Could you post the hash of this sample? I would like to examine it on Any.Run.
 

SeriousHoax


Andy Ful

From Hard_Configurator Tools
Thread author
Here:
Thanks, as I suspected this was the sample I already examined. It is hard to detect, because the final executable payload is compiled on the fly, by using the legal system executable csc.exe (Visual C# Compiler).
 

silversurfer

I am not sure. :unsure:
I mentioned this sample here because it should bypass most AVs + ATP (except if signature is already known).
On MH it bypassed Bitdefender TS 2020, Norton 360 2020 (custom settings), and Microsoft Defender with Configure Defender HIGH.
Hard_Configurator is not limited to WD, it can be run with most AVs (although probably WD can gain more).
Of course, from this point of view, it makes sense to discuss it here to explain that H_C (recommended settings) would be able to block this kind of attack/infection, and to mention once more that H_C works even with most other AVs, especially free AVs with limited protection features.
 

Andy Ful

From Hard_Configurator Tools
Thread author
That PowerShell script was detected at the moment of the posting on demand by Kaspersky (heur) and also on demand by WiseVector...
That is good for Kaspersky. :)(y)
WiseVector has a very aggressive AI (many false positives), especially for scripts. The commercial AVs used in business cannot use such an aggressive approach.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Of course, from this point of view, it makes sense to discuss it here to explain that H_C (recommended settings) would be able to block this kind of attack/infection, and to mention once more that H_C works even with most other AVs, especially free AVs with limited protection features.
It is good to recall the above, but my primary intention was to show the difference between malware tests and real-world tests. If we take as an example a castle with defensive walls, then the real-world test can show how strong the defensive walls are, and the malware test will be focused on how strong the defenders in the castle are.:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Nice one :) Thanks @Andy Ful :D
Such malware can be prevented by any sensible Windows hardening (not only by H_C). For example, it can be blocked by SysHardener (tweaked).(y)
Many PowerShell samples can be blocked by AVs with ATP. But generally, the detection is much worse as compared to the detection of PE samples (EXE, DLL, etc.).
 

Andy Ful

From Hard_Configurator Tools
Thread author
Here is another reason why LOLBins are dangerous:

https://github.*/Flangvik/NetLoader/blob/master/README.md
Yes, they can be very dangerous if executed. There are several solutions, for example:
  1. Prevent LOLBin execution by avoiding exploits (Windows/Software Updates, MS Office hardening, Adobe Reader hardening)
  2. Blocking command-line access (default-deny for shortcuts, scripts, scriptlets, unsafe files, etc.).
  3. Applying the application reputation service for PE files (like SmartScreen Application Reputation).
  4. Applying other surface reduction methods that can cut off using any LOLBin.
  5. Allowing some vectors from points 1-4, but blocking the concrete set of popular LOLBins or blocking the Internet access for other LOLBins.
Hard_Configurator Recommended Settings are focused on the remediation based on points 1-4 (PREVENTION).
If such prevention is not possible on the concrete computer, then it is necessary to apply also point 5 (BLOCKING).
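The points above rest on SRP (Software Restriction Policies) enforcing default-deny in UserSpace and treating script and shortcut files as executables. The following read-only audit, added here as an example and not Hard_Configurator's own code, reads the SRP policy that such tools write under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and reports the default level, whether the policy also applies to administrators and DLLs, which extensions are "designated file types", and the path rules. The list of script extensions it checks is an assumption chosen for the example, not H_C's own list.

```powershell
# Added example, not Hard_Configurator's own code: a read-only audit of the
# Software Restriction Policy (SRP) settings that a default-deny tool like H_C
# writes to the registry. Run from an elevated PowerShell prompt; changes nothing.

$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Extensions this thread is concerned with (PowerShell scripts, shortcuts, other
# script hosts). This list is an assumption for the example, not H_C's list.
$ScriptTypes = 'PS1', 'LNK', 'VBS', 'JS', 'JSE', 'WSF', 'HTA', 'BAT', 'CMD'

function Get-SrpStatus {
    if (-not (Test-Path $SrpRoot)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $cfg = Get-ItemProperty -Path $SrpRoot
    # DefaultLevel: 0 = Disallowed (default-deny), 0x20000 = Basic User,
    # 0x40000 = Unrestricted. Missing value = policy key exists but level not set.
    $raw = $cfg.DefaultLevel
    $level = if ($null -eq $raw) { 'Not set' } else {
        switch ([int]$raw) {
            0       { 'Disallowed (default-deny)' }
            131072  { 'Basic User' }
            262144  { 'Unrestricted' }
            default { "Unknown ($raw)" }
        }
    }
    [pscustomobject]@{
        Configured          = $true
        DefaultLevel        = $level
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        AppliesToAdmins     = ([int]$cfg.PolicyScope -eq 0)
        # TransparentEnabled: 1 = executables only, 2 = DLLs are checked too
        EnforceDlls         = ([int]$cfg.TransparentEnabled -eq 2)
        # ExecutableTypes = the "designated file types" SRP treats as executable
        DesignatedFileTypes = @($cfg.ExecutableTypes)
    }
}

# Path rules are stored as <level>\Paths\<guid>, with the path in ItemData.
function Get-SrpPathRules {
    $levels = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }
    foreach ($lvl in $levels.GetEnumerator()) {
        $pathsKey = Join-Path $SrpRoot "$($lvl.Key)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $item = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $lvl.Value; Path = $item.ItemData }
        }
    }
}

$status = Get-SrpStatus
if (-not $status.Configured) {
    Write-Warning 'No SRP policy is configured on this machine.'
    return
}
$status | Format-List
if ($status.DefaultLevel -notlike 'Disallowed*') {
    Write-Warning 'SRP default level is not Disallowed: UserSpace is not default-deny.'
}
$missing = $ScriptTypes | Where-Object { $status.DesignatedFileTypes -notcontains $_ }
if ($missing) {
    Write-Warning "Not designated file types (SRP will not block them): $($missing -join ', ')"
}
'Path rules:'
Get-SrpPathRules | Format-Table -AutoSize
```

A default level of Disallowed with PS1 and LNK among the designated file types is what makes "blocking scripts in UserSpace" work: a .ps1 or shortcut outside the Unrestricted path rules is refused before any AV or ATP layer has to recognise it. Anything the audit flags as missing is an extension that SRP will simply let run.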
 

EndangeredPootis

Run/Install As SmartScreen was part of the recommended settings in the previous version(s), but in the newer version I see it's Run/Install By SmartScreen; is there a way to change it back to Run As SmartScreen?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Run/Install As SmartScreen was part of the recommended settings in the previous version(s), but in the newer version I see it's Run/Install By SmartScreen; is there a way to change it back to Run As SmartScreen?
Why do you not like the "Install By SmartScreen" in the Recommended Settings?
You can change the behavior by using <More SRP...><Update Mode> = OFF
In this setting, the "Install By SmartScreen" works similarly to "Run As SmartScreen".
 

Protomartyr

@Andy Ful

Came across something interesting when I was converting a word document to PDF and later deleting the PDF.
  • Trying to convert an existing word document to PDF using Microsoft Word 2013 would not go through.
    • The word document was under a protected folder and the PDF was going to be saved under the same directory.
    • Protection history lists WINWORD.EXE as the app/process.
    • I allowed the process via Protection history.
    • An entry in ConfigureDefender CFA exclusions is now listed: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
  • Later when trying to delete the PDF document, the deletion was blocked.
    • Protection history lists explorer.exe as the app/process.
    • I allowed the process via Protection history.
    • An entry in ConfigureDefender CFA exclusions list is now listed: C:\Windows\explorer.exe

My questions are:
  • What caused CFA to trigger these blocks in H_C 5.1.1.1/.2?
    • I did the same actions as above on Friday and they weren't blocked. I can't remember if this was before or after I updated to version 5.1.1.1/.2.
  • Do the explorer.exe and winword.exe CFA exclusions pose a security risk?
I have attached my current configuration to this post for reference. I think the only modifications I made compared to my 5.0.0.0 configuration were:
  • Enabled Harden Archivers
  • Enabled Harden Email Clients
  • Enabled Allow MSI (which turns Update Mode to OFF)
 

Attachment: Protomartyr.txt (400 bytes)
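The two questions above (what triggered the CFA blocks, and whether the winword.exe and explorer.exe exclusions are a risk) can be answered from the machine itself. The script below is an added example, not ConfigureDefender's or Hard_Configurator's own code: it reads the Controlled Folder Access mode, protected folders and allowed applications with Get-MpPreference, flags exclusions for general-purpose host processes (explorer.exe, script hosts, csc.exe and similar; this list is an assumption chosen for the example), and pulls the recent Defender operational-log events 1123 (blocked) and 1124 (audited), whose message text names the process and the path it tried to write. The "Process Name:" and "Path:" line labels it looks for are assumed from those event messages.

```powershell
# Added example, not ConfigureDefender's or Hard_Configurator's own code: a
# read-only review of Controlled Folder Access (CFA) state, its allowed-app
# exclusions, and the Defender events that explain a block. Requires the
# Defender PowerShell module that ships with Windows 10/11.

# General-purpose host processes: allowing one of these through CFA lets any
# code that runs inside it write to protected folders. The list is an
# assumption chosen for this example.
$BroadHosts = 'explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe',
              'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'csc.exe'

function Get-CfaReport {
    $pref = Get-MpPreference
    # EnableControlledFolderAccess values as documented for Set-MpPreference.
    $modes = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode';
                3 = 'Block disk modification only'; 4 = 'Audit disk modification only' }
    $mode = $modes[[int]$pref.EnableControlledFolderAccess]
    if (-not $mode) { $mode = "Unknown ($($pref.EnableControlledFolderAccess))" }
    $allowed = @($pref.ControlledFolderAccessAllowedApplications)
    # Compare on the file name only, so any install path of explorer.exe matches.
    $broad = @($allowed | Where-Object { $BroadHosts -contains (Split-Path -Path $_ -Leaf) })
    [pscustomobject]@{
        Mode             = $mode
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps      = $allowed
        BroadExclusions  = $broad
    }
}

# Event 1123 = CFA blocked a write, 1124 = CFA audited a write. The message
# body carries "Process Name:" and "Path:" lines (assumed label text).
function Get-RecentCfaEvents([int]$Count = 10) {
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Process = ($lines | Where-Object { $_ -like 'Process Name:*' }) -join ''
                Path    = ($lines | Where-Object { $_ -like 'Path:*' }) -join ''
            }
        }
}

$report = Get-CfaReport
$report | Format-List
foreach ($app in $report.BroadExclusions) {
    # Removing an exclusion: Remove-MpPreference -ControlledFolderAccessAllowedApplications '<path>'
    Write-Warning "Broad CFA exclusion: $app (any code running inside it may write to protected folders)"
}
'Recent CFA block/audit events:'
Get-RecentCfaEvents | Format-Table -AutoSize
```

An exclusion for WINWORD.EXE only widens what a Word process can write; an exclusion for explorer.exe is broader, because explorer.exe is the shell through which many user actions and some shell extensions run, so it is the one worth reconsidering once the PDF has been deleted. The 1123 events show exactly which process and path CFA refused, which is the evidence to look at before deciding whether an exclusion is needed at all.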

EndangeredPootis

Why you do not like the "Install By SmartScreen" in the Recommended Settings?
You can change the behavior by using <More SRP...><Update Mode> = OFF
In this setting, the "Install By SmartScreen" works similarly to "Run As SmartScreen".
I needed utilities such as Command Prompt to be run as admin in order to make scripts be able to work (obviously), but I didn't want to turn off the SRP or enable Run As Admin in the context menu.
 
