Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

maybe this is interesting for you, @andy:

LOLBAS

lolbas-project.github.io

Yes, it is still very interesting to me. I inspected LOLBins when creating FirewallHardening to see which LOLBins can be used to download/execute something from the Internet.

I noticed the LOLBAS on GitHub about two years ago:

GitHub - api0cradle/LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - api0cradle/LOLBAS

github.com

This website was next transferred to the new website:
LOLBAS-Project/LOLBAS
and to the new web portal:
LOLBAS

 

[Ink]

Is Mac and Linux affected by LOLBins, LOLLibs, LOLScripts etc?

 

[Andy Ful]

Is Mac and Linux affected by LOLBins, LOLLibs, LOLScripts etc?

Unix:

GTFOBins

gtfobins.github.io

LOLBins were used in the wild also on Linux and Mac:

What are LOLBins? | How Attackers Use LOLBins?

Learn about LOLBins, how attackers use them in fileless attacks, examples of such attacks, why security researchers are concerned, and detection methods.

www.sentinelone.com

Lazarus APT campaign targetted both macOS and Windows users via Word documents:

Lazarus APT Targets Mac Users with Poisoned Word Document - SentinelLabs

Threat actors have the know-how to develop campaigns that target your weakest link. Learn how Lazarus APT took their malware to Apple's macOS platform.

labs.sentinelone.com

 

[rndmblk]

Sorry if its answered in the thread (I searched but may not have used the right terms) but is there a way to donate to @Andy Ful to help a little with the costs of maintaining H_C?

 

[Digmor Crusher]

He has said that he does not want any donations. Too bad, I was going to donate $100,000.

 

[Andy Ful]

Sorry if its answered in the thread (I searched but may not have used the right terms) but is there a way to donate to @Andy Ful to help a little with the costs of maintaining H_C?

He has said that he does not want any donations. Too bad, I was going to donate $100,000.

Ha, ha - there are so many people involved in this project that it would be hard to split the money.
But seriously, there is no need to donate H_C. I can manage the current costs related to buying digital certificate. Furthermore, there is nothing new in Windows (for a long time) which would make me to do important changes in the code.

Anyway, there is another project made by @askalan (MT member) who created the website dedicated to H_C.
Homepage - Hard_Configurator (hard-configurator.com)
Some MT members supported this project by translating the texts or donating. It would be great to support his project (just PM to the author for details).

 

[Overkill]

How do you exclude programs from default deny?

 

[oldschool]

How do you exclude programs from default deny?

Use the log to check for blocks and whitelist by path or hash via GUI. It's all there in one nice package.

 

[Andy Ful]

How do you exclude programs from default deny?

As @oldschool has already mentioned:

1. Checking the Log ---> use <Tools> <Blocked Events / Security Logs>

2. Use <Whitelist By Path> to exclude/whitelist Folders or Files by path or <Whitelist By Hash> to exclude/whitelist files by hash.

 

[nadis]

I noticed that saving a profile doesn't include the firewall rules. Is there another way to export and import those rules in H_C?

 

[ForgottenSeer 85179]

With my new pc I found a bug with "block powershell scripts":
If it's disabled, the powershell policy is still on "restricted" like it is with protection on.

This means script execution is never possible. It's not a bug in H_C I guess but a feature from Windows which set the policy to restricted by default.
Anyway H_C should change the policy to "bypass" if protection is disabled.

I test this with powershell command
Get-ExecutionPolicy

 

[Andy Ful]

I noticed that saving a profile doesn't include the firewall rules. Is there another way to export and import those rules in H_C?

The FirewallHardening and ConfigureDefender are external applications integrated into the H_C GUI. For now, they do not support exporting/importing the settings. Anyway, the configuration is usually quick and simple.

 

[Andy Ful]

With my new pc I found a bug with "block powershell scripts":
If it's disabled, the powershell policy is still on "restricted" like it is with protection on.

This means script execution is never possible. It's not a bug in H_C I guess but a feature from Windows which set the policy to restricted by default.

Yes, it is not a bug. Microsoft chose "Restricted" as the default setting - it is not an Administrator Policy. This setting can be bypassed with standard rights to run scripts by a command-line without user interaction. So, any malware can run PowerShell scripts without a problem, and the PowerShell scripts can be accidentally run by the user via BAT, CMD, Windows Script Host, shortcuts, etc.

Anyway H_C should change the policy to "bypass" if protection is disabled.

I test this with powershell command
Get-ExecutionPolicy

Let's suppose that you use Windows standard settings + the H_C setting <Block PowerShell Scripts> = ON. When you will run the command get-executionpolicy -list in the Powershell console, then you will see the full list of PowerShell restrictions, like the below:

Scope ExecutionPolicy
----- ---------------
MachinePolicy Restricted <--------------- This comes from the H_C setting
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine Restricted <---------------- This is the default Windows setting

As it can be seen the H_C setting does not overwrite the default Windows setting, but only overrides it.
When you set <Block PowerShell Scripts> = OFF in H_C, then the settings will look like (PowerShell console has to be closed and run again):

Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined <--------------- This comes from the H_C setting
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine Restricted <---------------- This is the default Windows setting

 

[nadis]

The FirewallHardening and ConfigureDefender are external applications integrated into the H_C GUI. For now, they do not support exporting/importing the settings. Anyway, the configuration is usually quick and simple.

I see. I have lots of custom entries, so that would be nice to have. Also nice would be the ability to select multiple files at once (with Ctrl) or even folders for the firewall list.


BTW, there's a bug/annoyance: if SmartScreen is disabled in Windows before H_C is installed/run, the "Install by SmartScreen" entry stays in the context menu and can't be removed without enabling SmartScreen in Windows first. It also stays there after uninstalling H_C.

 

[Andy Ful]

I see. I have lots of custom entries, so that would be nice to have. Also nice would be the ability to select multiple files at once (with Ctrl) or even folders for the firewall list.


BTW, there's a bug/annoyance: if SmartScreen is disabled in Windows before H_C is installed/run, the "Install by SmartScreen" entry stays in the context menu and can't be removed without enabling SmartScreen in Windows first. It also stays there after uninstalling H_C.

I have a problem to reproduce your issue. I disabled SmartScreen for Explorer from Windows Security Center. Next installed H_C ver. 5.1.1.2 and applied the Recommended Settings. The alert was shown and SmartScreen was automatically enabled. Next uninstalled H_C. No "Install By SmartScreen" in the context menu.

Edit.1
I noticed that the option <Forced SmartScreen> is grayed (it should not), but this issue disappears after running H_C again.

Edit.
When H_C is installed with disabled SmartScreen without choosing the "Recommended Settings", the option <Forced SmartScreen> is grayed and it cannot be changed manually or by loading a predefined setting profile. In this case, the "Install By SmartScreen" entry is not added to the Explorer context menu.

 

[Andy Ful]

@nadis,

Finally, I figured out how this issue can occur. If one disables SmartScreen not from Windows Security Center but via GPO or another way that changes the SmartScreen Policy, then H_C thinks initially that the SmartScreen is enabled. So, the "Install By SmartScreen" entry is added. After running H_C again, it recognizes that SmartScreen is disabled, but does not remove the "Install By SmartScreen" entry from the registry. I will think about what to do with it. I can force the H_C to remove the Policy or show the alert that SmartScreen is disabled by the Administrator.

 

[nadis]

Yeah, sorry, I should have made it clear that it was disabled via GP. I don't think disabling it via "Windows Security" is permanent, at least not on the latest version of Windows.

Regarding the "Install by SmartScreen" functionality in general: It's a significant change of the UI, so I would only add/enable it with explicit user consent. Whatever you decide, as long as the user gets an option it's good enough I think.

 

[Andy Ful]

Regarding the "Install by SmartScreen" functionality in general: It's a significant change of the UI, ...

This is the most innocent change that H_C makes in the Registry and Windows functionality. Furthermore, "Install By SmartScreen" is the heart of most H_C setting profiles and applying any setting profile already requires user consent.
Anyway, the fact that "Install By SmartScreen" is not fully removed when uninstalling H_C is a bug. I simply did not take into account that someone could first disable SmartScreen by Admin Policies and next would want to use H_C which is based mostly on SmartScreen. Thanks for pointing it out - I will fix it in the next version of H_C.
Unfortunately, the H_C settings are not compatible with GPO restrictions due to the GPO refresh feature (this is noted in the H_C help and manual). So, GPO restrictions can spoil some functions of H_C.

By the way, you can simply use the Windows Security Center to disable SmartScreen. It will remain disabled (not a part of WD Tamper Protection).

 

[Nagisa]

Hey @Andy Ful

It seems like I'm not able to whitelist only specific file types that are present in subfolders, but not the main folder. Like the below:

C:\EEK\*\*.exe




C:\EEK\executable.exe  --> should be blocked
C:\EEK\folder\executable.exe ---> should not be blocked
C:\EEK\folder\folder2\executable.exe ---> should be blocked
C:\EEK\folder\executable.msi ---> should be blocked

is this a bug or something H_C lacks off?

 

[Andy Ful]

Hey @Andy Ful

It seems like I'm not able to whitelist only specific file types that are present in subfolders, but not the main folder. Like the below:

C:\EEK\*\*.exe




C:\EEK\executable.exe  --> should be blocked
C:\EEK\folder\executable.exe ---> should not be blocked
C:\EEK\folder\folder2\executable.exe ---> should be blocked
C:\EEK\folder\executable.msi ---> should be blocked

is this a bug or something H_C lacks off?

I am not sure what you want to do. If you applied the rule which whitelists:
C:\EEK\*\*.exe
Then all *.exe files will be allowed in C:\EEK\folder\, but not in the C:\EEK\ , C:\EEK\folder\folder2\ , and not in the deeper subfolders. When whitelisting a specific filetype in the particular folder, Windows built-in SRP forbids replacing the asterisk with a string that includes a backslash.
For whitelisting details, please look at the examples in the article: "Part 3 - How do Software Restriction Policies work.pdf " included in the Hard_Configurator folder.

If you want to whitelist only a specific file type in a particular folder and its nested subfolders, then you have to use several rules:
C:\EEK\*\*.exe
C:\EEK\*\*\*.exe
C:\EEK\*\*\*\*.exe
etc.