Hard_Configurator - Windows Hardening Configurator

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,224
Interesting ransomware was tested on MH:
This example shows two things:
  1. Even the AV with ATP cannot detect all scripting attacks.
  2. There is a big difference between malware tests and real-world tests.
The first point is evident from the Malware Hub results. So, the best method is still blocking scripts in UserSpace.

The second point follows from the fact that in the real world attack, the attacker will not use a PowerShell script as the initial infection vector due to the PowerShell Execution Policy. So, the MS Office document, shortcut, or another infection vector will be used to run the PowerShell script and bypass the PowerShell Execution Policy. In most cases, also the phishing link will be used. This will change the detection significantly for all AVs with ATP. For example, the WD ASR rules will block such attacks performed via exploiting MS Office or Adobe Reader applications.(y)

Do you have any recommendations beyond the Recommended Settings in H_C to cover this or does the H_C defaults already protect us?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Do you have any recommendations beyond the Recommended Settings in H_C to cover this or does the H_C defaults already protect us?
No recommendation needed. H_C blocks the execution of PowerShell script files via any predefined setting profile (except All_OFF).
 
Last edited:

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,262
Interesting ransomware was tested on MH:
This example shows two things:
  1. Even the AV with ATP cannot detect all scripting attacks.
  2. There is a big difference between malware tests and real-world tests.
The first point is evident from the Malware Hub results. So, the best method is still blocking scripts in UserSpace.

The second point follows from the fact that in the real world attack, the attacker will not use a PowerShell script as the initial infection vector due to the PowerShell Execution Policy. So, the MS Office document, shortcut, or another infection vector will be used to run the PowerShell script and bypass the PowerShell Execution Policy. In most cases, also the phishing link will be used. This will change the detection significantly for all AVs with ATP. For example, the WD ASR rules will block such attacks performed via exploiting MS Office or Adobe Reader applications.(y)
The test by @geminis3 is only related to WD and "Configure Defender", so it's clear that without H_C will be weaker protection overall!
Maybe it would be better to post comments about this test into thread of "Configure Defender" as may be a few readers are getting confused and believing that H_C was unable to block the infection...
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
The test by @geminis3 is only related to WD and "Configure Defender", so it's clear that without H_C will be weaker protection overall!
Maybe it would be better to post comments about this test into thread of "Configure Defender" as may be a few readers are getting confused and believing that H_C was unable to block the infection...
I am not sure. :unsure:
I mentioned this sample here because it should bypass most AVs + ATP (except if signature is already known).
On MH it bypassed Bitdefender TS 2020, Norton 360 2020 (custom settings), and Microsoft Defender with Configure Defender HIGH.
Hard_Configurator is not limited to WD, it can be run with most AVs (although probably WD can gain more). Could you post the hash of this sample? I would like to examine it on Any.Run.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,877

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Here:
Thanks, as I suspected this was the sample I already examined. It is hard to detect, because the final executable payload is compiled on the fly, by using the legal system executable csc.exe (Visual C# Compiler).
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,262
I am not sure. :unsure:
I mentioned this sample here because it should bypass most AVs + ATP (except if signature is already known).
On MH it bypassed Bitdefender TS 2020, Norton 360 2020 (custom settings), and Microsoft Defender with Configure Defender HIGH.
Hard_Configurator is not limited to WD, it can be run with most AVs (although probably WD can gain more).
Of course, from this point of view, it makes sense discussing here to explain that H_C (recommended settings) would be able to block this kind of attacks/infections, and to mention once more that H_C works even for the most other AVs, especially for free AV with limited protection features.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
That powershell script was detected at the moment of the posting on demand by Kaspesky (heur) and also on demand by WiseVector...
That is good for Kaspersky. :)(y)
WiseVector has a very aggressive AI (many false positives), especially for scripts. The commercial AVs used in business cannot use such an aggressive approach.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Of course, from this point of view, it makes sense discussing here to explain that H_C (recommended settings) would be able to block this kind of attacks/infections, and to mention once more that H_C works even for the most other AVs, especially for free AV with limited protection features.
It is good to recall the above, but my primary intension was to show the difference between malware tests and real-world tests. If we take as an example, the castle with defensive walls, then the real-world test can show how strong are defensive walls and the malware test will be focused on how strong are defenders in the castle.:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Nice one :) Thanks @Andy Ful :D
Such malware can be prevented by any sensible Windows hardening (not only by H_C). For example, it can be blocked by SysHardener (tweaked).(y)
Many PowerShell samples can be blocked by AVs with ATP. But generally, the detection is much worse as compared to the detection of PE samples (EXE, DLL, etc.).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Here another reason why LOL bins are dangerous:

https://github.*/Flangvik/NetLoader/blob/master/README.md
Yes, they can be very dangerous if executed. There are several solutions, for example:
  1. Prevent LOLBin execution by avoiding exploits (Windows/Software Updates, MS Office hardening, Adobe Reader hardening)
  2. Blocking command-line access (default-deny for shortcuts, scripts, scriptlets, unsafe files, etc.).
  3. Applying the application reputation service for PE files (like SmartScreen Application Reputation).
  4. Applying other surface reduction methods that can cut off using any LOLBin.
  5. Allowing some vectors from points 1-4, but blocking the concrete set of popular LOLBins or blocking the Internet access for other LOLBins.
Hard_Configurator Recommended Settings are focused on the remediation based on points 1-4 (PREVENTION).
If such prevention is not possible on the concrete computer, then it is necessary to apply also point 5 (BLOCKING).
 
Last edited:

EndangeredPootis

Level 10
Verified
Well-known
Sep 8, 2019
461
Run/install As Smartscreen was part of the recommended settings in the previous version(s), but in the newer version I see its Run/Install by smartscreen, is there a way to change it back to Run As Smartscreen?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,602
Run/install As Smartscreen was part of the recommended settings in the previous version(s), but in the newer version I see its Run/Install by smartscreen, is there a way to change it back to Run As Smartscreen?
Why you do not like the "Install By SmartScreen" in the Recommended Settings?
You can change the behavior by using <More SRP...><Update Mode> = OFF
In this setting, the "Install By SmartScreen" works similarly to "Run As SmartScreen".
 

Protomartyr

Level 7
Sep 23, 2019
314
@Andy Ful

Came across something interesting when I was converting a word document to PDF and later deleting the PDF.
  • Trying to convert an existing word document to PDF using Microsoft Word 2013 would not go through.
    • The word document was under a protected folder and the PDF was going to be saved under the same directory.
    • Protection history lists WINWORD.EXE as the app/process.
    • I allowed the process via Protection history.
    • An entry in ConfigureDefender CFA exclusions is now listed: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
  • Later when trying to delete the PDF document, the deletion was blocked.
    • Protection history lists explorer.exe as the app/process.
    • I allowed the process via Protection history.
    • An entry in ConfigureDefender CFA exclusions list is now listed: C:\Windows\explorer.exe

My questions are:
  • What caused CFA to trigger these blocks in H_C 5.1.1.1/.2?
    • I did the same actions as above on Friday and they weren't blocked. I can't remember if this was before or after I updated to version 5.1.1.1/.2.
  • Do the explorer.exe and winword.exe CFA exclusions pose a security risk?
I have attached my current configuration to this post for reference. I think the only modifications I made compared to my 5.0.0.0 configuration was:
  • Enabled Harden Archivers
  • Enabled Harden Email Clients
  • Enabled Allow MSI (which turns Update Mode to OFF)
 

Attachments

  • Protomartyr.txt
    400 bytes · Views: 233

EndangeredPootis

Level 10
Verified
Well-known
Sep 8, 2019
461
Why you do not like the "Install By SmartScreen" in the Recommended Settings?
You can change the behavior by using <More SRP...><Update Mode> = OFF
In this setting, the "Install By SmartScreen" works similarly to "Run As SmartScreen".
I needed utilities such as Command Prompt to be run as admin in order to make scripts be able to work (obviously), but I didnt want to turn off the SRP or enable Run As Admin in the context menu.
 
  • Like
Reactions: Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top