Andy Ful

Level 60
Verified
Trusted
Content Creator
Whitelisting the start menu folder for that fixed it for me. All good now.

So - is running H_C Recommended Settings and ConfigureDefender at High the best settings to have? I should really get around to reading the manual about FirewallHardening, though I expect what I'm using now will probably suffice.

Erz
The shortcut is located too deep in the Start Menu, so it is blocked.
The folder C:\ProgramData\Microsoft\Windows\Start Menu (and its subfolders, too) is not writable for standard processes, so it can be whitelisted.

You could also make it work without whitelisting by moving the shortcut:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA\BioWare\Star Wars - The Old Republic\Star Wars - The Old Republic.lnk
to:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA\BioWare\Star Wars - The Old Republic.lnk

No I mean if you use H_C at the recommended settings do you still need Firewall Hardening?
The FirewallHardening tool is a kind of post-exploit hardening. It is not needed on Windows 10 with standard system/software updates. Anyway, using the <Recommended H_C> outbound firewall block-rules usually does not hurt, so they can be used with H_C Recommended Settings.
 

ErzCrz

Level 5
Verified
The shortcut is located too deep in the Start Menu, so it is blocked.
The folder C:\ProgramData\Microsoft\Windows\Start Menu (and its subfolders, too) is not writable for standard processes, so it can be whitelisted.

You could also make it work without whitelisting by moving the shortcut:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA\BioWare\Star Wars - The Old Republic\Star Wars - The Old Republic.lnk
to:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA\BioWare\Star Wars - The Old Republic.lnk


The FirewallHardening tool is a kind of post-exploit hardening. It is not needed on Windows 10 with standard system/software updates. Anyway, using the <Recommended H_C> outbound firewall block-rules usually does not hurt, so they can be used with H_C Recommended Settings.
Thanks Andy :)

When I tried to add the link itself I got the "Folder already whitelisted notice" so I just whitelisted the start menu Star Wars - The Old Republic folder which sorted it.

Thanks for the clarification on the Firewall Hardening. Good to know it's not needed though I've added the defaults to mine with no issue so far.



Eric
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
Thanks Andy :)

When I tried to add the link itself I got the "Folder already whitelisted notice" so I just whitelisted the start menu Star Wars - The Old Republic folder which sorted it.

Thanks for the clarification on the Firewall Hardening. Good to know it's not needed though I've added the defaults to mine with no issue so far.



Eric
You can delete the second whitelisted entry, because the folder "C:\Program Files (x86)" and all its subfolders are whitelisted in H_C by default.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
What's the recommended protection against the "shortcut virus" and other common flash drive malware?
Blocking shortcuts. Shortcuts are commonly used in Windows only in some locations (Start Menu, Desktop, etc.), but not from flash (USB) drives, Temp folder, or Download folder for sure.
Shortcut malware has been used for years and has become more sophisticated. The shortcut can point to a folder, a file, or a system location.

Malc0ders also found out how to hide the malware code in the shortcut itself, so there is no need to download the payload. The shortcut can execute command lines with LOLBins (usually PowerShell) to retrieve & run the payload (usually a DLL) which is hidden somewhere in this shortcut. This can also be done filelessly.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Blocking shortcuts. Shortcuts are commonly used in Windows only in some locations (Start Menu, Desktop, etc.), but not from flash (USB) drives, Temp folder, or Download folder for sure.
Shortcut malware has been used for years and has become more sophisticated. The shortcut can point to a folder, a file, or a system location.

Malc0ders also found out how to hide the malware code in the shortcut itself, so there is no need to download the payload. The shortcut can execute command lines with LOLBins (usually PowerShell) to retrieve & run the payload (usually a DLL) which is hidden somewhere in this shortcut. This can also be done filelessly.
So H_C at recommended settings should block shortcuts on a removable drive? Where do I look to make sure that H_C is properly configured for this protection?
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
So H_C at recommended settings should block shortcuts on a removable drive? Where do I look to make sure that H_C is properly configured for this protection?
H_C in any predefined profile (except All_OFF) blocks shortcuts in UserSpace (also for USB drives), except some whitelisted locations on hard disk like Desktop, Start Menu, etc.
Shortcuts are blocked when SRP is set properly:
  1. <(Re)Install SRP> = Installed
  2. LNK extension is on <Designated File Types>
  3. <Default Security Level> = Disallowed
  4. <Enforcement> = Skip Dlls (also All Files)
  5. <More SRP ...> <Protect Shortcuts> = ON
People who do not like the default-deny setup can use the predefined profile: Windows_10_MT_Windows_Security_hardening
which works similarly to SysHardener settings, but additionally blocks shortcuts, more file extensions, and some dangerous sponsors (mshta.exe, mstsc.exe, wmic.exe).
If the user needs to run unsigned applications with elevation or install/update unsigned applications, then the option <Validate Admin C.S.> must be set to OFF.

You may be sure that shortcuts are blocked by creating a shortcut on USB drive (or anywhere in the UserSpace) and trying to run it.
 

shmu26

Level 85
Verified
Trusted
Content Creator
H_C in any predefined profile (except All_OFF) blocks shortcuts in UserSpace (also for USB drives)
That's what I thought! I am still trying to understand the malware incident on my wife's lappy a while back.
H_C is set to disallowed, I see LNK in the file types, yet Comodo Firewall still blocked a couple malicious exe files, from a flash drive that was infected with the shortcut virus.
H_C was set to allow EXE and TMP. But the blocks happened when clicking on the shortcuts in the flash drive.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
That's what I thought! I am still trying to understand the malware incident on my wife's lappy a while back.
H_C is set to disallowed, I see LNK in the file types, yet Comodo Firewall still blocked a couple malicious exe files, from a flash drive that was infected with the shortcut virus.
H_C was set to allow EXE and TMP. But the blocks happened when clicking on the shortcuts in the flash drive.
What Windows version was installed on your wife's laptop, and how long ago did this happen?
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
H_C + Comodo Firewall@CS + WD. The malware files were contained.
I asked because a few years ago there was a vulnerability related to Windows Explorer's management of shortcut icons. So, the shortcut code could be manipulated to run a malicious DLL when Explorer displayed shortcut icons, without user intervention. This vulnerability was patched a few years ago.

You can easily check if H_C properly blocks shortcuts by copying any working shortcut from the Desktop to a USB drive and trying to run it. It should run from the Desktop but should be blocked on the USB drive.

This protection can be bypassed by the user when EXE files are allowed in H_C, by copying the malicious shortcut from USB drive to Desktop. On the Desktop, shortcuts are whitelisted so the command line will be executed. Next, SRP will check that EXE files are not blocked and finally the EXE file will be allowed to run.
 

shmu26

Level 85
Verified
Trusted
Content Creator
I asked because a few years ago there was a vulnerability related to Windows Explorer's management of shortcut icons. So, the shortcut code could be manipulated to run a malicious DLL when Explorer displayed shortcut icons, without user intervention. This vulnerability was patched a few years ago.

You can easily check if H_C properly blocks shortcuts by copying any working shortcut from the Desktop to a USB drive and trying to run it. It should run from the Desktop but should be blocked on the USB drive.

This protection can be bypassed by the user when EXE files are allowed in H_C, by copying the malicious shortcut from USB drive to Desktop. On the Desktop, shortcuts are whitelisted so the command line will be executed. Next, SRP will check that EXE files are not blocked and finally the EXE file will be allowed to run.
Can a .bat or .cmd file be disguised to look like a shortcut? If I remember right, Windows command prompt showed on the screen for a split second, so maybe it was not a true LNK file.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
Can a .bat or .cmd file be disguised to look like a shortcut? If I remember right, Windows command prompt showed on the screen for a split second, so maybe it was not a true LNK file.
BAT and CMD files are also blocked in UserSpace by H_C settings in any predefined profile.
There are three scenarios possible:
  1. Non-default autorun setting.
    It should be:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value: NoDriveTypeAutoRun = 0x00000091
  2. Another kind of Windows shortcut or malicious file with an extension that is not on the Designated File Types list. H_C blocks by default LNK and SETTINGCONTENT-MS shortcuts, which were used in the wild. Other types of shortcuts and many other file extensions are blocked in the Paranoid setting, for example, APPREF-MS or LIBRARY-MS.
  3. H_C protection was accidentally switched OFF (happened to me a few times).
  4. Overlapping protection - both Comodo and SRP are able to block something, but Comodo does this first.
 
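The SRP checklist and the autorun value above can be read back from the registry. The following is an added read-only PowerShell check, not Hard_Configurator's own code: it reports checklist items 1 to 4 (item 5, <Protect Shortcuts>, is an H_C option and is not read here) and the NoDriveTypeAutoRun value; the HKLM autorun location is an assumption added beyond the HKCU path named in the post.

```powershell
# Added example, not part of Hard_Configurator. Read-only: it reports the SRP
# values behind the H_C checklist and the Explorer autorun policy and changes nothing.
# Run from an elevated PowerShell so the HKLM policy keys can be read reliably.
$Srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-SrpShortcutBlocking {
    $level   = Get-RegValue $Srp 'DefaultLevel'        # 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
    $types   = @(Get-RegValue $Srp 'ExecutableTypes')  # REG_MULTI_SZ: the Designated File Types list
    $enforce = Get-RegValue $Srp 'TransparentEnabled'  # 1 = all files except DLLs (Skip Dlls), 2 = all files
    [pscustomobject]@{
        SrpInstalled         = (Test-Path $Srp)                    # item 1
        LnkIsDesignatedType  = ($types -contains 'LNK')            # item 2
        DefaultLevelDisallow = ($level -eq 0)                      # item 3
        EnforcementActive    = ($enforce -eq 1 -or $enforce -eq 2) # item 4
        EnforcementSkipsDlls = ($enforce -eq 1)
    }
}

function Test-AutorunPolicy {
    # 0x91 is the Windows default: autorun disabled for network drives and drives of unknown type
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # location named in the post
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # machine-wide location (assumed)
    )
    foreach ($p in $paths) {
        $v = Get-RegValue $p 'NoDriveTypeAutoRun'
        [pscustomobject]@{
            Path      = $p
            Value     = if ($null -eq $v) { 'not set' } else { '0x{0:X8}' -f $v }
            IsDefault = ($v -eq 0x91)
        }
    }
}

Test-SrpShortcutBlocking | Format-List
Test-AutorunPolicy | Format-Table -AutoSize
```

If every field in the first report is True and the autorun value reads 0x00000091, the settings match items 1 to 4 and the default autorun policy; the functional test (running a shortcut copied to a USB drive) remains the final confirmation.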

cryogent

Level 4
Verified
Hi,
I have some questions regarding the use of H_C in this scenario:
In the next few days I want to create a new local account just for my daughter.
I want this account to not have access to my RAID 1 HDD, so I will restrict this through the mmc.exe Snap-in.
Is it necessary to install H_C in this new account if it is already installed on the Admin account, or once it is installed is it spread to all accounts that will be created?
Will this restriction made from mmc for the new account interfere with H_C settings?
In a worst-case scenario, if a ransomware gets into the account that my daughter uses, will the RAID 1 and another HDD that will be hidden/restricted from this account be compromised? - I know it's not related to H_C, but I just ask... maybe somebody knows..
I don't know if I was precise in my explanations or if this is the right thread to ask.....
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
Hi,
I have some questions regarding the use of H_C in this scenario:
In the next few days I want to create a new local account just for my daughter.
I want this account to not have access to my RAID 1 HDD, so I will restrict this through the mmc.exe Snap-in.
Is it necessary to install H_C in this new account if it is already installed on the Admin account, or once it is installed is it spread to all accounts that will be created?
Will this restriction made from mmc for the new account interfere with H_C settings?
In a worst-case scenario, if a ransomware gets into the account that my daughter uses, will the RAID 1 and another HDD that will be hidden/restricted from this account be compromised?
I don't know if I was precise in my explanations or if this is the right thread to ask.....
Hard_Configurator is installed for all users and H_C settings are system-wide (valid for all user accounts), except user whitelisted entries and user restrictions made via SwitchDefaultDeny using its Documents Anti-Exploit option. If you are using RAID, then you have to check that the <MORE ...> <Disable SMB> setting does not interfere with RAID functionality. The restrictions made for RAID should not interfere with H_C settings.
If you apply the H_C Recommended Settings on Windows 10 and use a Standard User Account as your daughter's account (without her knowing your admin password), then this will be OK.
You can also use the <More ...> <Disable Elevation on SUA> = ON setting to prevent elevation of user processes on any Standard User Account, but this will cause more work for you to manage the daughter's account (software installations and updates).

Protecting children's accounts is important. If malware infected your daughter's account and could get admin rights, then it could also infect all accounts and all drives connected to the computer. Ransomware files are created to do so.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
I did not want to bloat the discussion on another thread so I put my comments here to clarify some statements.
The way to bypass Windows default-deny is an application or kernel exploit that gains shell or system. Once that happens, Windows default-deny will allow just about everything to run, despite it being disabled via H_C.
That is true especially for kernel exploits (both for home users and Enterprises).
The situation is more complicated with software exploits in the home environment. Most software exploits in the home environment will run with standard rights (medium integrity level). Such exploits cannot bypass what was blocked by H_C settings without bypassing UAC. Normally, UAC can be bypassed on an Admin account without much effort, but not with H_C settings.
Furthermore, most exploits in the wild are introduced via scripts, MS Office and Adobe Reader documents, which can be blocked by H_C settings.

The only way that default-deny really works is a very thorough system lock down. That means no disabled processes or security policies can be run or changed even with Administrator rights.
H_C default-deny settings can apply a thorough system lockdown only in the home environment. This lockdown is in practice (in the home environment) more restrictive than the lockdown that could be introduced safely via AppLocker or WD Application Control (without using SRP). It follows from the fact that some processes can be safely blocked only when running with standard rights.
This does not work so well in Enterprises, because of malware attacks with admin rights from the local network. In H_C, the SRP protection is applied by design on the medium integrity level, so it could be bypassed by such attacks.

Making money with malware is a numbers game. Targeting default-deny systems will yield essentially $0. So no one but an extremely determined adversary with very specific intent and goals will put forth the effort to find ways around default-deny - more along the lines of nation-state stuff as opposed to cracking a default-deny that will yield them millions. And even then, whatever the solution, it will be just a speed bump. It is debatable, but it is just a matter of time before they find a way around the protections. The other side of that coin is that they will spend enough time probing and developing a break-in, that it greatly increases the risk that they will be detected.
(y)(y):giggle:
Just like in the story about the fox, the hedgehog, and the chickens.
 