Hard_Configurator - Windows Hardening Configurator

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
I never suspected that the website about H_C would gain enough popularity, to be abused in this way. When @askalan decided to create this website, we talked about such a possibility. He is a trustworthy person and I do not know why he disappeared suddenly from MT. I lost contact with him during the COVID-19 period (it would be sad if he was a victim of COVID).
It is a possibility, during the COVID-19 pandemic between 2020/2021 I lost many friends, there were several, there were some friends who were healthy people, young people between 20 and 30 years old, it was shocking. I lost 4 aunts at once in 2020 and my only grandmother at the age of 98 in just 3 months. After these incidents I was even more sensitive to so many people who died around me and I knew these people some since my childhood, it was shocking, it was surreal, there are no words to describe it, I never imagined that young people, who contracted the new coronavirus, would die, the business was serious, I confess that, as people were dying, I was even paranoid when I was going to leave the house, a certain fear came into me, I thought I would be the next victim if I contracted this virus. I had no problems with COVID-19, but I always respected this new coronavirus, because, I knew that if I contracted COVID-19, and became chronic, it could even lead to death.😢
Please post here, If someone knows what can be done to prevent abusing this domain. It was "Expired" for several months (the paid subscription expired). Currently, it is legally taken by the firm that promotes ADs.
Andy you can't buy this domain or it's not for sale? (y)
 
F

ForgottenSeer 100397

@Andy Ful

Does ConfigureDefender with Simple Windows Hardening equal Hard Configurator?

I used Hard Configurator and chose the Recommended settings. I also enabled CD High Protection with Block Executables and Firewall Hardening with Recommended HC. Do you have any suggestions? Should I use Recommended HC for Firewall Hardening with HC?

Can recommended HC settings and firewall hardening affect Windows updates, program installs/updates, and connections? Would it affect the level of comfort?
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
@Andy Ful

Does ConfigureDefender with Simple Windows Hardening equal Hard Configurator?

No. It is similar to the weakest H_C setting profile (Windows_10_Basic_Recommended_Settings.hdc) + the H_C ConfigureDefender settings.
Anyway, this setup would be OK for most users.

I used Hard Configurator and chose the Recommended settings. I also enabled CD High Protection with Block Executables and Firewall Hardening with Recommended HC. Do you have any suggestions? Should I use Recommended HC for Firewall Hardening with HC?

Such a setup is OK. It has a good balance between security and usability.

Can recommended HC settings and firewall hardening affect Windows updates, program installs/updates, and connections?

It does not impact Windows Updates. Rarely, it can block the application installation or update (when scripts are used).
FirewallHardening in your settings blocks some Microsoft telemetry.
To solve possible problems, you must look from time to time at the H_C security log and FirewallHardening log.

Would it affect the level of comfort?

Any hardening can affect the level of comfort. That level will depend on how you use your computer.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
How an experienced guy explained H_C to his aunt. :)



By the way, it is a nice (but long) video. The first part (15 minutes) is about O&O Shutup and hardening. The next part (25 minutes) is about H_C.(y)

Edit.
From his videos, I can guess that the author is interested in Blue and Red Teaming.
 
Last edited:

plat

Level 29
Top Poster
Sep 13, 2018
1,793
This can be translated to English or hopefully your lang. of choice via the cc button. it's not perfect though. :)

hard config.PNG
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
It seems that someone created malware (DarkComet family) that uses a modified Hard_Configurator installer. This malware is unsigned and slightly larger.
Fortunately, even the original (made by me) unsigned version of Hard_Configurator usually triggers the AV detections, so I must always submit the H_C executables to AV vendors for whitelisting. The malware creator probably lost time without much gain.:)
Here is the VT link with current detections:
VirusTotal

The original Hard_Configurator is:
  • digitally signed,
  • accepted by SmartScreen + PUA in Edge and Explorer,
  • accepted by Microsoft Defender (max settings),
  • accepted by Smart App Control,
  • accepted by all popular AVs (with the exception of the Enterprise version of Bitdefender which flags the NirSoft FullEventLogView as PUA).
Edit.
The VT info is insufficient, but it is possible that the original H_C is embedded in the malware body. In this case, the malware can run the malicious code and parallelly run the original H_C to masquerade the attack. Anyway, the malware is still unsigned, not accepted by SmartScreen and SAC, etc., but as the 0-day, it could fool some AVs.
 
Last edited:
A

Azazel

Has anyone actually tested if hard configurator (SRP) disturbs chain execution of fileless malware (scripts) from delivering final payload.
 
  • Like
Reactions: upnorth

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
Has anyone actually tested if hard configurator (SRP) disturbs chain execution of fileless malware (scripts) from delivering final payload.
From my experience testing it, it does not completely prevent malware from running Powershell, as I have found it to be running with high CPU usage when launching malware (though I am unsure if Powershell is actually doing anything, as you can't see what happens when the scripts are executed.), despite selecting powershell.exe in sponsors and enabling prevent Powershell script execution, though it does prevent ps1 files from being executed on the disk.
 
  • Like
Reactions: simmerskool
F

ForgottenSeer 103564

From my experience testing it, it does not completely prevent malware from running Powershell, as I have found it to be running with high CPU usage when launching malware (though I am unsure if Powershell is actually doing anything, as you can't see what happens when the scripts are executed.), despite selecting powershell.exe in sponsors and enabling prevent Powershell script execution, though it does prevent ps1 files from being executed on the disk.
Wireshark would be your best friend. Packet capture and analysis as the fileless malware establishes persistence via a back door.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Has anyone actually tested if hard configurator (SRP) disturbs chain execution of fileless malware (scripts) from delivering final payload.
I did many times. SRP has been tested for many years by many people. The scripts are blocked, so they cannot deliver anything.

You can easily test it:
  1. Create any *.txt file on the desktop and rename its extension txt ---> bat (Explorer must be tweaked to show file extensions).
  2. Try to execute this file with a mouse click.
  3. Try to execute it from the CMD console (do not use Administrator CMD).
  4. Look into the H_C log of blocked events (the blocks will be visible in the log).
  5. Repeat points 1-4 for other script extensions (CMD, JS, JSE, VBS, VBE, WSF, WSH, PS1).
If you ask if SRP can block all possible fileless attack vectors, then the answer is negative. But, almost all vectors can be covered on SUA with the H_C MAX settings.
When using the Recommended_Settings, one has to also use ConfigureDefender, FirewallHardening, and DocumentsAntiExploit for maximum protection.
 
Last edited:

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Has anyone actually tested if hard configurator (SRP) disturbs chain execution of fileless malware (scripts) from delivering final payload.
A very fair and correct question.

I did many times. SRP has been tested for many years by many people. The scripts are blocked, so they cannot deliver anything.

You can easily test it:
  1. Create any *.txt file on the desktop and rename its extension txt ---> bat (Explorer must be tweaked to show file extensions).
  2. Try to execute this file with a mouse click.
  3. Try to execute it from the CMD console (do not use Administrator CMD).
  4. Look into the H_C log of blocked events (the blocks will be visible in the log).
  5. Repeat points 1-4 for other script extensions (CMD, JS, JSE, VBS, VBE, WSF, WSH, PS1).
If you ask if SRP can block all possible fileless attack vectors, then the answer is negative. But, almost all vectors can be covered on SUA with the H_C MAX settings.
When using the Recommended_Settings, one has to also use ConfigureDefender, FirewallHardening, and DocumentsAntiExploit.
Are those test script files 100% empty = dummy rounds? :unsure:


Another question. Have you seen or heard any updates on your previous domain that went malicious? That I can and will test soon enough.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Are those test script files 100% empty = dummy rounds? :unsure:

The script content is irrelevant for SRP or policy that blocks PS1 scripts. The script with empty content will be blocked as well. Scripts can be whitelisted in safe locations.

Another question. Have you seen or heard any updates on your previous domain that went malicious? That I can and will test soon enough.

I tested that domain a few months ago. It redirected me to random websites with ADs. This domain is blacklisted by Avast, Avira, Bitdefender, Fortinet, G-Data, Sophos, and Vipre. But it is allowed by Dr. Web, Emsisoft, Eset, Kaspersky, and Webroot.
People should avoid it even if it would not contain malicious content. That website can be sold to anyone.

One correction.

From the beginning, I used only one place to develop Hard_Configurator:

The domain Hard-Configurator.com was not my domain. This was a project of @askalan/AlanOstaszewski
(MalwareTips member, inactive for several months). He bought the domain and coded the website. The project can be found on GitLab:
The website on the Hard-Configurator.com domain was actively supported by me and several MT members (text contents, and small donations). I tried to buy it from @askalan but I lost contact with him during the COVID-19 period. The website expired several months ago and a few months ago the domain was bought by someone else (does not host the @askalan project anymore).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592

Azazel and upnorth,​

The H_C was tested on MT some time ago (AV disabled), before MT staff decided to test only AVs on default settings. Many samples were fileless:

Watching these tests can be for some people kinda boring because all script samples were simply blocked. But of course, the MT tests did not cover all fileless attack vectors (like exploits, etc.).
 
Last edited:
  • Like
Reactions: simmerskool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top