Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
This video shows the malware already injected into the benign process. So, the infection chain is not known.
Hard_Configurator can block such malware in the earlier infection stage. The Redline stealer infection chain starts usually from the URL embedded in the email.
For example:
A malicious and convincing message is sent along with an URL responsible for downloading the binary file installed on the target machine. Healthcare (taking advantage of the COVID-19 situation) and manufacturing were two industry sectors affected by this threat in the last few months.

The possibility of infection is when the user disables H_C protection or SmartScreen, because he/she is convinced that the file is benign and should be installed/executed.
 
F

ForgottenSeer 94654

This video shows the malware already injected into the benign process. So, the infection chain is not known.
Hard_Configurator can block such malware in the earlier infection stage. The Redline stealer infection chain starts usually from the URL embedded in the email.
For example:


The possibility of infection is when the user disables H_C protection or SmartScreen, because he/she is convinced that the file is benign and should be installed/executed.
They do not understand what a kill chain is and what disruption of the kill chain means. There should be an entire training class to teach people about this. They can handle it.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
They do not understand what a kill chain is and what disruption of the kill chain means. There should be an entire training class to teach people about this. They can handle it.
Yes, I know. But, most readers who use Hard_Configurator can understand my post.:)(y)
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
In the video posted, it shows the malicious executable dropped within the Microsoft.Net directory, but I was unable to paste an executable (harmless) anywhere within this path without Administrative credentials.

NetFramework Path.png
 
F

ForgottenSeer 94654

In the video posted, it shows the malicious executable dropped within the Microsoft.Net directory, but I was unable to paste an executable (harmless) anywhere within this path without Administrative credentials.

View attachment 266019
Those paths, by default Windows security, have blocked write privileges even when you are running in an admin Windows user account. Admin privileges is only granted after selecting "Continue" in the permissions notification. The behavior is similar to UAC.
 

sypqys

Level 5
Apr 18, 2022
230
Hi !
I have some problem, when I want to launch this extension file :
ScreenWings_sZ3y9YM56I.png

how I have to do ?

I will try to set up lonely that, but if i check I return for tell you here...

Thxx
 

sypqys

Level 5
Apr 18, 2022
230
I have remove *.msp files extension it's ok, but, Hard_Configurator don't want to open if I unselect this

How I have to do for open Hard_Configurator even pass by this (firt screen capture) ?

ScreenWings_II80jLOD4r.png

ScreenWings_J0nT7m6ziQ.png

My question, why Hard_Configurator don't want to open, I am the admin ....

Since and while I have add at path whitelist C:/windows/Hard_Configurator/Hard_Configurator.exe but the problem persist... i don't know why ?
(sorry for my english I'm french, I don't know if I'm understand by you)


thx !
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
Those paths, by default Windows security, have blocked write privileges even when you are running in an admin Windows user account. Admin privileges is only granted after selecting "Continue" in the permissions notification. The behavior is similar to UAC.

Understood, but in the video demo, the malware installed to that directory without the need for the user to enter credentials.
 
  • Like
Reactions: Mercenary

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
In the video posted, it shows the malicious executable dropped within the Microsoft.Net directory, but I was unable to paste an executable (harmless) anywhere within this path without Administrative credentials.

View attachment 266019

The file was not dropped here. The malware executed the original file from the Microsoft.Net directory and used process hollowing to run malicious code. The original file on the disk was not changed, but its image in the memory contains a malicious executable.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
I have remove *.msp files extension it's ok, but, Hard_Configurator don't want to open if I unselect this

How I have to do for open Hard_Configurator even pass by this (firt screen capture) ?

View attachment 266022
View attachment 266023
My question, why Hard_Configurator don't want to open, I am the admin ....

Since and while I have add at path whitelist C:/windows/Hard_Configurator/Hard_Configurator.exe but the problem persist... i don't know why ?
(sorry for my english I'm french, I don't know if I'm understand by you)


thx !
What are your H_C settings? You can post here a screenshot of the H_C window. After installation, you should see the shortcuts on your Desktop. Use the Hard_Configurator shortcut from your Desktop or from Programs Menu to run H_C.

By the way, what is the path to the below folder? It looks like you downloaded a few files in UserSpace. Normally, execution in UserSpace is blocked, except if you use the InstallBySmartscreen option from the right-click Explorer menu. This will always execute the file (EXE, MSI) with SmartScreen check (even if it was not downloaded from the Internet).


1650542257108.png


This alert is intended to inform users that the Administrator policy is applied. You applied some policies by configuring H_C.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598

@sypqys

From your posts, I can recognize that you have to learn about how Windows built-in security works. Please, start from reading the H_C FAQ. It is included in the H_C manual (in the installation folder C:\Windows\Hard_Configurator). The manual and some other documents in PDF format can be accessed from the H_C window: General Help >> Documentation.
It is also good to read the info included here:
 

sypqys

Level 5
Apr 18, 2022
230

@sypqys

From your posts, I can recognize that you have to learn about how Windows built-in security works. Please, start from reading the H_C FAQ. It is included in the H_C manual (in the installation folder C:\Windows\Hard_Configurator). The manual and some other documents in PDF format can be accessed from the H_C window: General Help >> Documentation.
It is also good to read the info included here:
I have read the documentation, no entirely, but quickly, I understand more, and I have modify some things. Thxxx
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
The file was not dropped here. The malware executed the original file from the Microsoft.Net directory and used process hollowing to run malicious code. The original file on the disk was not changed, but its image in the memory contains a malicious executable.

That explains it. Thank you.
 
  • Like
Reactions: Nevi and Andy Ful

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
@Andy Ful

I was still puzzled as to "how did Andy know Process Hollowing was used?" Then after clicking the blurry image in Figure 3 and doubling it's size, I could finally just see with my gradually aging and diminishing eyesight, the RunPE task the malware uses :D

RunPE.png

Thanks again for explaining this (y)
 
F

ForgottenSeer 94654

@Andy Ful
  • Desired State Configuration (DSC) has been abandoned by Microsoft, it just has not released an official notice
  • WDAC is rumored to be heading towards abandonment as too many clients complain about the configuration and maintenance complexity; but as with SRP, AppLocker and GPO, Microsoft might solve the problem by providing pre-configured templates following NSA\CIS recommended best practices
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
@Andy Ful
  • Desired State Configuration (DSC) has been abandoned by Microsoft, it just has not released an official notice
  • WDAC is rumored to be heading towards abandonment as too many clients complain about the configuration and maintenance complexity; but as with SRP, AppLocker and GPO, Microsoft might solve the problem by providing pre-configured templates following NSA\CIS recommended best practices
WDAC management can be simplified just like SRP. But, WDAC is less flexible.
 
F

ForgottenSeer 94654

WDAC management can be simplified just like SRP. But, WDAC is less flexible.
WDAC can be simplified, but I do not think that will happen. The WDAC team has made it at the same level of complexity as SE Linux. The administration and maintenance is too much for many people to handle. And since Microsoft is not talking much about WDAC lately, it follows their pattern of a project that will stall or be abandoned.

WDAC can be saved by templates provided by Microsoft or CIS.

We will just have to wait and see what happens.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
WDAC can be simplified, but I do not think that will happen.

I have in mind that its management can be simplified by some developers (like me). Microsoft did not simplify the management of SRP and Applocker, so it is probable that WDAC will share a similar fate.
 
  • Like
Reactions: Nevi

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top