Hard_Configurator - Windows Hardening Configurator

piquiteco

Level 14
Oct 16, 2022
624
I never suspected that the website about H_C would gain enough popularity to be abused in this way. When @askalan decided to create this website, we talked about such a possibility. He is a trustworthy person and I do not know why he disappeared suddenly from MT. I lost contact with him during the COVID-19 period (it would be sad if he were a victim of COVID).
It is a possibility. During the COVID-19 pandemic, between 2020 and 2021, I lost many friends; there were several, and some of them were healthy, young people between 20 and 30 years old. It was shocking. I lost 4 aunts at once in 2020 and my only grandmother, at the age of 98, in just 3 months. After these incidents I was even more sensitive to so many people dying around me, and I had known some of these people since my childhood. It was shocking, it was surreal, there are no words to describe it. I never imagined that young people who contracted the new coronavirus would die; the business was serious. I confess that, as people were dying, I was even paranoid when I was going to leave the house; a certain fear came over me, and I thought I would be the next victim if I contracted this virus. I had no problems with COVID-19, but I always respected this new coronavirus, because I knew that if I contracted COVID-19 and it became chronic, it could even lead to death.😢
Please post here if someone knows what can be done to prevent abusing this domain. It was "Expired" for several months (the paid subscription expired). Currently, it is legally taken by the firm that promotes ads.
Andy, you can't buy this domain, or is it not for sale? (y)
 

ForgottenSeer 100397

@Andy Ful

Does ConfigureDefender with Simple Windows Hardening equal Hard Configurator?

I used Hard Configurator and chose the Recommended settings. I also enabled CD High Protection with Block Executables and Firewall Hardening with Recommended HC. Do you have any suggestions? Should I use Recommended HC for Firewall Hardening with HC?

Can recommended HC settings and firewall hardening affect Windows updates, program installs/updates, and connections? Would it affect the level of comfort?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,174
@Andy Ful

Does ConfigureDefender with Simple Windows Hardening equal Hard Configurator?

No. It is similar to the weakest H_C setting profile (Windows_10_Basic_Recommended_Settings.hdc) + the H_C ConfigureDefender settings.
Anyway, this setup would be OK for most users.

I used Hard Configurator and chose the Recommended settings. I also enabled CD High Protection with Block Executables and Firewall Hardening with Recommended HC. Do you have any suggestions? Should I use Recommended HC for Firewall Hardening with HC?

Such a setup is OK. It has a good balance between security and usability.

Can recommended HC settings and firewall hardening affect Windows updates, program installs/updates, and connections?

It does not impact Windows Updates. Rarely, it can block an application installation or update (when scripts are used).
FirewallHardening in your settings blocks some Microsoft telemetry.
To solve possible problems, you must check the H_C security log and the FirewallHardening log from time to time.

Would it affect the level of comfort?

Any hardening can affect the level of comfort. That level will depend on how you use your computer.
 

Andy Ful

How an experienced guy explained H_C to his aunt. :)



By the way, it is a nice (but long) video. The first part (15 minutes) is about O&O ShutUp and hardening. The next part (25 minutes) is about H_C. (y)

Edit.
From his videos, I can guess that the author is interested in Blue and Red Teaming.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
This can be translated to English or, hopefully, your language of choice via the CC button. It's not perfect, though. :)

[Screenshot attachment: hard config.PNG]
 

Andy Ful

It seems that someone created malware (DarkComet family) that uses a modified Hard_Configurator installer. This malware is unsigned and slightly larger.
Fortunately, even the original (made by me) unsigned version of Hard_Configurator usually triggers AV detections, so I must always submit the H_C executables to AV vendors for whitelisting. The malware creator probably lost time without much gain. :)
Here is the VT link with current detections:
VirusTotal

The original Hard_Configurator is:
  • digitally signed,
  • accepted by SmartScreen + PUA in Edge and Explorer,
  • accepted by Microsoft Defender (max settings),
  • accepted by Smart App Control,
  • accepted by all popular AVs (with the exception of the Enterprise version of Bitdefender which flags the NirSoft FullEventLogView as PUA).
Edit.
The VT info is insufficient, but it is possible that the original H_C is embedded in the malware body. In this case, the malware can run the malicious code and, in parallel, run the original H_C to mask the attack. Anyway, the malware is still unsigned, not accepted by SmartScreen and SAC, etc., but as a 0-day it could fool some AVs.
 
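The checks the post above lists for the genuine installer (a valid digital signature, the file size, SmartScreen handling of a downloaded file) can be done by hand before running any file that claims to be H_C. The PowerShell below is an added example, not code from the thread or from the Hard_Configurator project; the expected signer name and SHA-256 are placeholders to be taken from the developer's official download page, and the installer path in the usage line is an assumption.

```powershell
# Added example (not part of the thread or the H_C project): verify an installer
# before running it. Three independent checks must all pass:
#   1. Authenticode signature status is Valid,
#   2. the signer name matches the expected publisher (placeholder below),
#   3. the SHA-256 matches a known-good value from a trusted source (placeholder).
# The Zone.Identifier stream (Mark of the Web) tells you whether SmartScreen
# will even evaluate the file; downloaded files should carry it.

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # PLACEHOLDER: distinguishing part of the publisher's certificate subject.
        [string] $ExpectedSignerPattern = 'REPLACE-WITH-EXPECTED-SIGNER-NAME',
        # PLACEHOLDER: SHA-256 of the genuine installer, from the official page.
        [string] $ExpectedSha256 = 'REPLACE-WITH-KNOWN-GOOD-SHA256'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $motw = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    $signerName = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $signerOk   = $signerName -like "*$ExpectedSignerPattern*"
    $hashOk     = $hash -ieq $ExpectedSha256
    $sigOk      = $sig.Status -eq 'Valid'

    [pscustomobject]@{
        Path            = $Path
        SizeBytes       = $item.Length        # a tampered build was reported as "slightly larger"
        SignatureStatus = $sig.Status         # Valid / NotSigned / HashMismatch / ...
        Signer          = $signerName
        SignerMatches   = $signerOk
        Sha256          = $hash
        HashMatches     = $hashOk
        HasMarkOfWeb    = [bool]$motw         # $false means SmartScreen will not inspect it
        Trusted         = ($sigOk -and $signerOk -and $hashOk)
    }
}

# Usage (the file name is an assumption):
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\Hard_Configurator_Setup.exe" | Format-List
```

Only the `Trusted` field decides; a file that is unsigned, signed by someone else, or whose hash differs from the published one should not be run, whatever the AV verdict of the day says.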

Azazel

Has anyone actually tested if Hard_Configurator (SRP) disturbs the chain execution of fileless malware (scripts) and stops it from delivering the final payload?
 

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
Has anyone actually tested if Hard_Configurator (SRP) disturbs the chain execution of fileless malware (scripts) and stops it from delivering the final payload?
From my experience testing it, it does not completely prevent malware from running PowerShell, as I have found it to be running with high CPU usage when launching malware (though I am unsure if PowerShell is actually doing anything, as you can't see what happens when the scripts are executed), despite selecting powershell.exe in sponsors and enabling "prevent PowerShell script execution", though it does prevent .ps1 files from being executed from the disk.
 

ForgottenSeer 103564

From my experience testing it, it does not completely prevent malware from running PowerShell, as I have found it to be running with high CPU usage when launching malware (though I am unsure if PowerShell is actually doing anything, as you can't see what happens when the scripts are executed), despite selecting powershell.exe in sponsors and enabling "prevent PowerShell script execution", though it does prevent .ps1 files from being executed from the disk.
Wireshark would be your best friend. Packet capture and analysis as the fileless malware establishes persistence via a back door.
 

Andy Ful

Has anyone actually tested if Hard_Configurator (SRP) disturbs the chain execution of fileless malware (scripts) and stops it from delivering the final payload?
I did many times. SRP has been tested for many years by many people. The scripts are blocked, so they cannot deliver anything.

You can easily test it:
  1. Create any *.txt file on the desktop and rename its extension txt ---> bat (Explorer must be tweaked to show file extensions).
  2. Try to execute this file with a mouse click.
  3. Try to execute it from the CMD console (do not use Administrator CMD).
  4. Look into the H_C log of blocked events (the blocks will be visible in the log).
  5. Repeat points 1-4 for other script extensions (CMD, JS, JSE, VBS, VBE, WSF, WSH, PS1).
If you ask if SRP can block all possible fileless attack vectors, then the answer is negative. But, almost all vectors can be covered on SUA with the H_C MAX settings.
When using the Recommended_Settings, one has to also use ConfigureDefender, FirewallHardening, and DocumentsAntiExploit for maximum protection.
 
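The five manual steps in the post above can be run in one go from a standard user account. The script below is an added example, not code from the thread or from the Hard_Configurator project: it creates empty dummy files with each listed extension on the Desktop, tries to launch each through the shell association (the double-click case) and from a non-elevated console, and classifies the outcome by the error text Windows emits when SRP refuses a launch. The test folder name is an assumption.

```powershell
# Added example (not part of the thread or the H_C project): automate the
# dummy-script SRP test. With SRP enforcing, every row should read "Blocked";
# any row reading "NOT blocked" is a gap to check against the H_C log.
# Run from a standard user account, not an administrator console.

$extensions = 'bat','cmd','js','jse','vbs','vbe','wsf','wsh','ps1'
$testDir    = Join-Path ([Environment]::GetFolderPath('Desktop')) 'srp_dummy_test'   # assumed folder name
New-Item -ItemType Directory -Path $testDir -Force | Out-Null

# Messages emitted by Explorer, cmd.exe and powershell.exe when SRP refuses a file.
$blockPattern = 'blocked by group policy|software restriction polic|cannot execute the specified program'

function Get-Outcome {
    param([string]$Text, [int]$ExitCode)
    if ($Text -match $blockPattern) { return 'Blocked' }
    if ($ExitCode -eq 0)            { return 'NOT blocked (ran)' }
    return "NOT blocked (ran, exit $ExitCode)"   # e.g. wscript complaining about an empty .wsh
}

$results = foreach ($ext in $extensions) {
    $file = Join-Path $testDir "dummy.$ext"
    # Step 1: empty file; SRP decides on path and extension, not on content.
    New-Item -ItemType File -Path $file -Force | Out-Null

    # Step 2: launch through the shell association, as a mouse click would.
    # Skipped for .ps1, which Explorer opens in an editor rather than running.
    if ($ext -eq 'ps1') {
        $shell = 'n/a (opens in editor)'
    } else {
        try {
            $p = Start-Process -FilePath $file -PassThru -ErrorAction Stop
            $shell = "NOT blocked (PID $($p.Id))"
        } catch {
            $shell = Get-Outcome -Text $_.Exception.Message -ExitCode 1
        }
    }

    # Step 3: launch from a non-elevated console. cmd.exe covers the script
    # associations; .ps1 goes through powershell.exe -File, with the execution
    # policy set aside so that only the SRP verdict shows in the result.
    if ($ext -eq 'ps1') {
        $out = & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $file 2>&1 | Out-String
    } else {
        $out = & cmd.exe /c "`"$file`"" 2>&1 | Out-String
    }
    $console = Get-Outcome -Text $out -ExitCode $LASTEXITCODE

    [pscustomobject]@{ Extension = $ext; ShellLaunch = $shell; ConsoleLaunch = $console }
}

# Steps 4 and 5: the loop already covered every extension; compare this table
# with the H_C log of blocked events, which should show one entry per attempt.
$results | Format-Table -AutoSize
Remove-Item -LiteralPath $testDir -Recurse -Force
```

Because the files are empty, a launch that is not blocked does nothing except, for `.wsh`, possibly raise a Windows Script Host dialog about the missing script section; the point of the table is the Blocked/NOT blocked column, which must match what the H_C log records.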

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
Has anyone actually tested if Hard_Configurator (SRP) disturbs the chain execution of fileless malware (scripts) and stops it from delivering the final payload?
A very fair and correct question.

I did many times. SRP has been tested for many years by many people. The scripts are blocked, so they cannot deliver anything.

You can easily test it:
  1. Create any *.txt file on the desktop and rename its extension txt ---> bat (Explorer must be tweaked to show file extensions).
  2. Try to execute this file with a mouse click.
  3. Try to execute it from the CMD console (do not use Administrator CMD).
  4. Look into the H_C log of blocked events (the blocks will be visible in the log).
  5. Repeat points 1-4 for other script extensions (CMD, JS, JSE, VBS, VBE, WSF, WSH, PS1).
If you ask if SRP can block all possible fileless attack vectors, then the answer is negative. But, almost all vectors can be covered on SUA with the H_C MAX settings.
When using the Recommended_Settings, one has to also use ConfigureDefender, FirewallHardening, and DocumentsAntiExploit.
Are those test script files 100% empty = dummy rounds? :unsure:


Another question. Have you seen or heard any updates on your previous domain that went malicious? That I can and will test soon enough.
 

Andy Ful

Are those test script files 100% empty = dummy rounds? :unsure:

The script content is irrelevant for SRP or policy that blocks PS1 scripts. The script with empty content will be blocked as well. Scripts can be whitelisted in safe locations.

Another question. Have you seen or heard any updates on your previous domain that went malicious? That I can and will test soon enough.

I tested that domain a few months ago. It redirected me to random websites with ADs. This domain is blacklisted by Avast, Avira, Bitdefender, Fortinet, G-Data, Sophos, and Vipre. But it is allowed by Dr. Web, Emsisoft, Eset, Kaspersky, and Webroot.
People should avoid it even if it did not contain malicious content. That website can be sold to anyone.

One correction.

From the beginning, I used only one place to develop Hard_Configurator:

The domain Hard-Configurator.com was not my domain. This was a project of @askalan/AlanOstaszewski
(MalwareTips member, inactive for several months). He bought the domain and coded the website. The project can be found on GitLab:
The website on the Hard-Configurator.com domain was actively supported by me and several MT members (text content and small donations). I tried to buy it from @askalan, but I lost contact with him during the COVID-19 period. The website expired several months ago, and a few months ago the domain was bought by someone else (it no longer hosts the @askalan project).
 

Andy Ful


Azazel and upnorth,

The H_C was tested on MT some time ago (AV disabled), before MT staff decided to test only AVs on default settings. Many samples were fileless:

Watching these tests can be for some people kinda boring because all script samples were simply blocked. But of course, the MT tests did not cover all fileless attack vectors (like exploits, etc.).
 
