Hard_Configurator - Windows Hardening Configurator

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,497
Freki123 said:
Would it be a good Idea to add two new lolbins: update.exe and squirrel.exe ?
www.bleepingcomputer.com

Microsoft Teams Can Be Used to Download and Run Malicious Packages

The update mechanism as it is currently implemented in Microsoft Teams desktop app allows downloading and executing arbitrary files on the system.
www.bleepingcomputer.com www.bleepingcomputer.com

Edit: My guess is Discordapp.com (desktop version) also use them. Atleast there is an squirrel.exe and update.exe in the folder.
Click to expand...
These applications rely on the open source Squirrel project to manage installation and updating routines. They can be used by many applications, and their paths can be different. I tested these executables from the newest Discord and they can download the payload (.nupkg package).
Blocking them will block the application updates, so it has to be an individual decision. The best method would be manually blocking the concrete paths of update.exe and squirrel.exe by Firewall Hardening tool.
It is worth to remember that LOLBins can be dangerous only if something was already exploited. This is hardly possible on the well updated system/software on Windows 10.
 
Last edited:
  • Like
  • Thanks
Reactions: shmu26, simmerskool, oldschool and 3 others
F

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Thanks for your detailed explanation I really find them helpful :)
After you mentioned Firewall Hardening I wanted to take a look at your beta Firewall Hardening Tool.
x86 Version VT 7/66, Opswat with 3/37
x64 Version VT 3/68, Opswat 1/37 (Avira - read the note about the x86 version)
I know they will be FP but I got to admit it scared me off :D
 
  • Like
Reactions: Jack, shmu26, Andy Ful and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,497
Marana said:
@Andy Ful Out of curiosity, did you write that H_C + OSA would not be a good idea because you see a potential conflict, or just because there would be unnecessary overlap / "Defense in superfluous depth"?
Click to expand...
Some advanced OSA settings are in conflict with some H_C features (for example with ConfigureDefender). Both overlap a lot. H_C is more restrictive for the processes initiated with standard rights. Using them both is possible only for advanced users who understand well all their features.:giggle:
 
  • Like
Reactions: simmerskool, oldschool and harlan4096
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,497
Marana said:
Ah, now I see... (I hope). However with default settings OSA would most likely not conflict with H_C / ConfigureDefender, or what do you think?
Click to expand...
It will work well. You will probably never see OSA to work on default settings, because H_C is far more restrictive as default-deny setup.(y)
 
  • Like
Reactions: simmerskool, oldschool and harlan4096
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,497
shmu26 said:
Could you give us some details on that?
Click to expand...
Advanced settings in OSArmor can block PowerShell actions required by ConfigureDefender.

Andy Ful said:
Advanced settings in OSArmor can block PowerShell actions required by ConfigureDefender.
Click to expand...
ConfigureDefender is whitelisted in OSA, but if you block PowerShell, then ConfigureDefender cannot work.
 
  • Like
Reactions: simmerskool, stefanos, oldschool and 4 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
ConfigureDefender is whitelisted in OSA, but if you block PowerShell, then ConfigureDefender cannot work.
Click to expand...
Okay, but that's not exactly a showstopper, because you will see those popups from OSA telling you that powershell is blocked, and you can just disable OSA for a few minutes when you run ConfigureDefender. Anything more subtle that people should know about?
 
  • Like
Reactions: simmerskool, stefanos, oldschool and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,497
shmu26 said:
Okay, but that's not exactly a showstopper, because you will see those popups from OSA telling you that powershell is blocked, and you can just disable OSA for a few minutes when you run ConfigureDefender. Anything more subtle that people should know about?
Click to expand...
I do not know. I did not test OSArmor thoroughly. Many options are not documented, so this is a task for the user who runs them both for a long time. The best practice would be turn off OSArmor > run H_C and apply changes > turn on OSArmor again.(y)
 
  • Like
Reactions: simmerskool, oldschool, blackice and 2 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
I do not know. I did not test OSArmor thoroughly. Many options are not documented, so this is a task for the user who runs them both for a long time. The best practice would be turn off OSArmor > run H_C and apply changes > turn on OSArmor again.(y)
Click to expand...
Got it. There is always the possibility that OSA advanced settings might will prevent H_C configuration changes from being properly implemented.
 
  • Like
Reactions: simmerskool, Andy Ful and oldschool
Marana

Marana

Level 1
Verified
Jan 21, 2018
48
Andy Ful said:
It will work well. You will probably never see OSA to work on default settings, because H_C is far more restrictive as default-deny setup.(y)
Click to expand...
Yeah, that's what I'd expect. I have been running SSRP for years and configured WD via GPO, but it seems to me now that H_C might have become a more preferable solution that could replace them both.

One reason I'm interested in running both OSA and H_C is that AFAIK the MS Office Anti-Exploit feature in OSA is implemented via a separate kernel mode driver - meaning that it would need a technique of its own to bypass. I'm however willing to keep also Windows 10 built-in MS Office ASR rules (that are easy to configure via H_C / ConfigureDefender) active, although there are already documented ways to bypass at least some of them.
 
  • Like
Reactions: harlan4096, Andy Ful, shmu26 and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,497
Marana said:
Yeah, that's what I'd expect. I have been running SSRP for years and configured WD via GPO, but it seems to me now that H_C might have become a more preferable solution that could replace them both.

One reason I'm interested in running both OSA and H_C is that AFAIK the MS Office Anti-Exploit feature in OSA is implemented via a separate kernel mode driver - meaning that it would need a technique of its own to bypass. I'm however willing to keep also Windows 10 built-in MS Office ASR rules (that are easy to configure via H_C / ConfigureDefender) active, although there are already documented ways to bypass at least some of them.
Click to expand...
You will probably never see the malware trying to exploit MS Office or SRP policies (tweaked by H_C). So, using the OSA option to protect MS Office is unnecessary. Furthermore, WD ASR rules are probably more comprehensive and harder to bypass.
In theory, OSA advanced settings can save you if the exploit could achieve privilege escalation. But, such exploits are quickly patched by M$.
In the real world, you will get nothing from using H_C (default-deny) and OSA together, except a headache. After some time you will skip one of them for sure. If you like restricted default-allow (like most users), then keep OSA. Otherwise, keep H_C.(y)
 
  • Like
  • +Reputation
Reactions: simmerskool, oldschool, Gandalf_The_Grey and 2 others
Marana

Marana

Level 1
Verified
Jan 21, 2018
48
Andy Ful said:
You will probably never see the malware trying to exploit MS Office or SRP policies (tweaked by H_C). So, using the OSA option to protect MS Office is unnecessary. Furthermore, WD ASR rules are probably more comprehensive and harder to bypass.
In theory, OSA advanced settings can save you if the exploit could achieve privilege escalation. But, such exploits are quickly patched by M$.
In the real world, you will get nothing from using H_C (default-deny) and OSA together, except a headache. After some time you will skip one of them for sure. If you like restricted default-allow (like most users), then keep OSA. Otherwise, keep H_C.(y)
Click to expand...
Thank you for your explanation. Since I have been using default-deny SRP for years, I cannot imagine living without it in the future, either. I guess that I'll keep OSA, too; at least till the first headache... :giggle:

I was a bit surprised of your mentioning that WD ASR rules would probably be harder to bypass than OSA Anti-Exploit, although I must confess that I have not checked if the vulnerabilities presented in February's OffensiveCon have already been fixed (Emeric's presentation can be found here).
 
  • Like
Reactions: Andy Ful, shmu26 and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,497
Marana said:
...
I was a bit surprised of your mentioning that WD ASR rules would probably be harder to bypass than OSA Anti-Exploit, although I must confess that I have not checked if the vulnerabilities presented in February's OffensiveCon have already been fixed (Emeric's presentation can be found here).
...
Click to expand...
They probably were not, because they are not vulnerabilities. ASR rules prevent techniques seen in the wild. If something new and prevalent will show up, then MS simply add more rules. Microsoft applied the anti-malware tactics which makes exploiting Windows security not profitable for malc0ders. It is more practical than trying to invent the bullet-proof security.
If you read the security reports, then it is evident that the malc0ders prefer social engineering methods, which are more profitable.
Bypassing ASR rules and exploiting AV modules is possible, but it is profitable only for the spying agencies, targetted attacks on big Enterprises, etc. For the home user, they are as dangerous as the meteor hitting Mars.

Edit.
From the fact that for most people using H_C + OSArmor is a bad idea, it does not follow that in your personal case it can be a good idea. I heard about some people who were happy with two wives (both alive).:giggle:
 
Last edited:
  • Like
  • HaHa
Reactions: Gandalf_The_Grey, harlan4096, shmu26 and 2 others
Marana

Marana

Level 1
Verified
Jan 21, 2018
48
Andy Ful said:
- -
Edit.
From the fact that for most people using H_C + OSArmor is a bad idea, it does not follow that in your personal case it can be a good idea. I heard about some people who were happy with two wives (both alive).:giggle:
Click to expand...
:D... Well, actually the main reason for me to keep OSA (along with H_C and WD ASR) is the granularity it provides via Exclusion rules to allow controlled execution of selected PowerShell scripts, as well as to control what processes e.g. explorer.exe and mshta.exe are allowed to launch.

I find the Exclusions.db syntax both powerful and versatile, and I especially appreciate the possibility to use regular expressions within the rules! (y)
 
  • Like
Reactions: simmerskool, oldschool, Andy Ful and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,497
Marana said:
...
I find the Exclusions.db syntax both powerful and versatile, and I especially appreciate the possibility to use regular expressions within the rules! (y)
Click to expand...
Yes, it is a nice tool if you cannot block/restrict something by H_C. Did you see it working when using H_C in default-deny setup?

Edit.
Nobody can deny that the life ring (OSA) is a great thing on the boat (AV). But, is it really necessary on the boat in the desert (AV + H_C)? You will probably never see it working (the Noah case can be an exception). :giggle:
 
Last edited:
  • Like
Reactions: simmerskool, oldschool, harlan4096 and 1 other person

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,435
Hard_Configurator Tools
South Park
South Park
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,130
Hard_Configurator Tools
Andy Ful
Andy Ful
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
1,127
General Security Discussions
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top