Hard_Configurator - Windows Hardening Configurator

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
This video shows the malware already injected into the benign process. So, the infection chain is not known.
Hard_Configurator can block such malware in the earlier infection stage. The Redline stealer infection chain starts usually from the URL embedded in the email.
For example:
A malicious and convincing message is sent along with an URL responsible for downloading the binary file installed on the target machine. Healthcare (taking advantage of the COVID-19 situation) and manufacturing were two industry sectors affected by this threat in the last few months.
Click to expand...

Unmasking Redline: The Rising Malware Threat from Russia | Infosec

Dive into our full analysis of Redline, the prominent malware impacting users worldwide and trending on Russian forums.
resources.infosecinstitute.com resources.infosecinstitute.com

The possibility of infection is when the user disables H_C protection or SmartScreen, because he/she is convinced that the file is benign and should be installed/executed.
 
  • Like
  • Thanks
Reactions: Nevi, wat0114, mkoundo and 1 other person
F

ForgottenSeer 94654

Andy Ful said:
This video shows the malware already injected into the benign process. So, the infection chain is not known.
Hard_Configurator can block such malware in the earlier infection stage. The Redline stealer infection chain starts usually from the URL embedded in the email.
For example:

Unmasking Redline: The Rising Malware Threat from Russia | Infosec

Dive into our full analysis of Redline, the prominent malware impacting users worldwide and trending on Russian forums.
resources.infosecinstitute.com resources.infosecinstitute.com

The possibility of infection is when the user disables H_C protection or SmartScreen, because he/she is convinced that the file is benign and should be installed/executed.
Click to expand...
They do not understand what a kill chain is and what disruption of the kill chain means. There should be an entire training class to teach people about this. They can handle it.
 
  • Like
Reactions: Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
lothar91 said:
They do not understand what a kill chain is and what disruption of the kill chain means. There should be an entire training class to teach people about this. They can handle it.
Click to expand...
Yes, I know. But, most readers who use Hard_Configurator can understand my post.:)(y)
 
  • Like
Reactions: Nevi, wat0114, mkoundo and 1 other person
wat0114

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
In the video posted, it shows the malicious executable dropped within the Microsoft.Net directory, but I was unable to paste an executable (harmless) anywhere within this path without Administrative credentials.

NetFramework Path.png
 
  • Like
Reactions: Nevi, Andy Ful and mkoundo
F

ForgottenSeer 94654

wat0114 said:
In the video posted, it shows the malicious executable dropped within the Microsoft.Net directory, but I was unable to paste an executable (harmless) anywhere within this path without Administrative credentials.

View attachment 266019
Click to expand...
Those paths, by default Windows security, have blocked write privileges even when you are running in an admin Windows user account. Admin privileges is only granted after selecting "Continue" in the permissions notification. The behavior is similar to UAC.
 
sypqys

sypqys

Level 5
Apr 18, 2022
217
Hi !
I have some problem, when I want to launch this extension file :
ScreenWings_sZ3y9YM56I.png

how I have to do ?

I will try to set up lonely that, but if i check I return for tell you here...

Thxx
 
sypqys

sypqys

Level 5
Apr 18, 2022
217
I have remove *.msp files extension it's ok, but, Hard_Configurator don't want to open if I unselect this

How I have to do for open Hard_Configurator even pass by this (firt screen capture) ?

ScreenWings_II80jLOD4r.png

ScreenWings_J0nT7m6ziQ.png

My question, why Hard_Configurator don't want to open, I am the admin ....

Since and while I have add at path whitelist C:/windows/Hard_Configurator/Hard_Configurator.exe but the problem persist... i don't know why ?
(sorry for my english I'm french, I don't know if I'm understand by you)


thx !
 
Last edited:
wat0114

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
lothar91 said:
Those paths, by default Windows security, have blocked write privileges even when you are running in an admin Windows user account. Admin privileges is only granted after selecting "Continue" in the permissions notification. The behavior is similar to UAC.
Click to expand...

Understood, but in the video demo, the malware installed to that directory without the need for the user to enter credentials.
 
  • Like
Reactions: Mercenary
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
wat0114 said:
In the video posted, it shows the malicious executable dropped within the Microsoft.Net directory, but I was unable to paste an executable (harmless) anywhere within this path without Administrative credentials.

View attachment 266019
Click to expand...

The file was not dropped here. The malware executed the original file from the Microsoft.Net directory and used process hollowing to run malicious code. The original file on the disk was not changed, but its image in the memory contains a malicious executable.
 
  • Like
  • Thanks
Reactions: Nevi, Mercenary, wat0114 and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
sypqys said:
I have remove *.msp files extension it's ok, but, Hard_Configurator don't want to open if I unselect this

How I have to do for open Hard_Configurator even pass by this (firt screen capture) ?

View attachment 266022
View attachment 266023
My question, why Hard_Configurator don't want to open, I am the admin ....

Since and while I have add at path whitelist C:/windows/Hard_Configurator/Hard_Configurator.exe but the problem persist... i don't know why ?
(sorry for my english I'm french, I don't know if I'm understand by you)


thx !
Click to expand...
What are your H_C settings? You can post here a screenshot of the H_C window. After installation, you should see the shortcuts on your Desktop. Use the Hard_Configurator shortcut from your Desktop or from Programs Menu to run H_C.

By the way, what is the path to the below folder? It looks like you downloaded a few files in UserSpace. Normally, execution in UserSpace is blocked, except if you use the InstallBySmartscreen option from the right-click Explorer menu. This will always execute the file (EXE, MSI) with SmartScreen check (even if it was not downloaded from the Internet).


1650542257108.png


This alert is intended to inform users that the Administrator policy is applied. You applied some policies by configuring H_C.
 
Last edited:
  • Like
Reactions: plat, Nevi, Mercenary and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484

@sypqys

From your posts, I can recognize that you have to learn about how Windows built-in security works. Please, start from reading the H_C FAQ. It is included in the H_C manual (in the installation folder C:\Windows\Hard_Configurator). The manual and some other documents in PDF format can be accessed from the H_C window: General Help >> Documentation.
It is also good to read the info included here:

Hard_Configurator – GUI to manage Software Restriction Policy (SRP) and harden Windows

hard-configurator.com hard-configurator.com
 
  • Like
Reactions: Nevi, Mercenary and sypqys
sypqys

sypqys

Level 5
Apr 18, 2022
217
Andy Ful said:

@sypqys

From your posts, I can recognize that you have to learn about how Windows built-in security works. Please, start from reading the H_C FAQ. It is included in the H_C manual (in the installation folder C:\Windows\Hard_Configurator). The manual and some other documents in PDF format can be accessed from the H_C window: General Help >> Documentation.
It is also good to read the info included here:

Hard_Configurator – GUI to manage Software Restriction Policy (SRP) and harden Windows

hard-configurator.com hard-configurator.com
Click to expand...
I have read the documentation, no entirely, but quickly, I understand more, and I have modify some things. Thxxx
 
  • Like
Reactions: Nevi, Mercenary, Andy Ful and 1 other person
wat0114

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
Andy Ful said:
The file was not dropped here. The malware executed the original file from the Microsoft.Net directory and used process hollowing to run malicious code. The original file on the disk was not changed, but its image in the memory contains a malicious executable.
Click to expand...

That explains it. Thank you.
 
  • Like
Reactions: Nevi and Andy Ful
wat0114

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
@Andy Ful

I was still puzzled as to "how did Andy know Process Hollowing was used?" Then after clicking the blurry image in Figure 3 and doubling it's size, I could finally just see with my gradually aging and diminishing eyesight, the RunPE task the malware uses :D

RunPE.png

Thanks again for explaining this (y)
 
  • Like
Reactions: Nevi, Mercenary, Andy Ful and 1 other person
F

ForgottenSeer 94654

@Andy Ful
  • Desired State Configuration (DSC) has been abandoned by Microsoft, it just has not released an official notice
  • WDAC is rumored to be heading towards abandonment as too many clients complain about the configuration and maintenance complexity; but as with SRP, AppLocker and GPO, Microsoft might solve the problem by providing pre-configured templates following NSA\CIS recommended best practices
 
  • Like
Reactions: Nevi, Mercenary, Trooper and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
lothar91 said:
@Andy Ful
  • Desired State Configuration (DSC) has been abandoned by Microsoft, it just has not released an official notice
  • WDAC is rumored to be heading towards abandonment as too many clients complain about the configuration and maintenance complexity; but as with SRP, AppLocker and GPO, Microsoft might solve the problem by providing pre-configured templates following NSA\CIS recommended best practices
Click to expand...
WDAC management can be simplified just like SRP. But, WDAC is less flexible.
 
  • Like
Reactions: Nevi, Mercenary and Trooper
F

ForgottenSeer 94654

Andy Ful said:
WDAC management can be simplified just like SRP. But, WDAC is less flexible.
Click to expand...
WDAC can be simplified, but I do not think that will happen. The WDAC team has made it at the same level of complexity as SE Linux. The administration and maintenance is too much for many people to handle. And since Microsoft is not talking much about WDAC lately, it follows their pattern of a project that will stall or be abandoned.

WDAC can be saved by templates provided by Microsoft or CIS.

We will just have to wait and see what happens.
 
  • Like
Reactions: Nevi, Mercenary and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
lothar91 said:
WDAC can be simplified, but I do not think that will happen.
Click to expand...

I have in mind that its management can be simplified by some developers (like me). Microsoft did not simplify the management of SRP and Applocker, so it is probable that WDAC will share a similar fate.
 
  • Like
Reactions: Nevi

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,431
Hard_Configurator Tools
South Park
South Park
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,115
Hard_Configurator Tools
Andy Ful
Andy Ful
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
1,127
General Security Discussions
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top