App Review The biggest risk with Windows: LOLBINS

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
PC Security Channel
Nothing special.
In some security configurations/environments, blocking some LOLBins is better than allowing them all. In other configurations/environments, it is unnecessary. :)
I don’t see what stops users from blocking access, though firewall rules also can be tampered with.

This is less pronounced when the user is using SUA.

I’m sure users can do without mshta being able to connect to the internet.
 
I don’t see what stops users from blocking access, though firewall rules also can be tampered with.

This is less pronounced when the user is using SUA.

I’m sure users can do without mshta being able to connect to the internet.

In most cases, script interpreters and several other LOLBins can also be blocked from calling outside.
 
In most cases, script interpreters and several other LOLBins can also be blocked from calling outside.
They can. Though there are many (mshta being one itself), effectively it is around 10 that repeat again and again in most attacks.
Just blocking these is already a good security boost.

Problem is with third-party AVs which often disable smart screen and at the same time they don’t do that well with executables.

In this case it’s close the door, open the window type of situation.
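Added example (not code from any poster): outbound Windows Firewall rules that stop mshta and the script interpreters from "calling outside", plus a check that the rules are still present, enabled and blocking, since the post above notes that firewall rules can be tampered with. The binary list and the rule group name are assumptions; run elevated.

```powershell
# Added example, not from the thread. Assumed LOLBin list: mshta plus the script
# interpreters mentioned in the thread, in both System32 and SysWOW64.
$lolbins = @(
    "$env:SystemRoot\System32\mshta.exe",   "$env:SystemRoot\SysWOW64\mshta.exe",
    "$env:SystemRoot\System32\wscript.exe", "$env:SystemRoot\SysWOW64\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe", "$env:SystemRoot\SysWOW64\cscript.exe"
)
$group = 'Block LOLBin outbound'   # assumed group name, used to find our rules later

function Get-LolbinRuleName([string]$exe) {
    # One rule per path, e.g. "Block outbound - mshta.exe (System32)"
    "Block outbound - $(Split-Path $exe -Leaf) ($(Split-Path (Split-Path $exe) -Leaf))"
}

function Add-LolbinBlockRules {
    foreach ($exe in $lolbins) {
        $name = Get-LolbinRuleName $exe
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            # Default outbound action is Allow, so an explicit Block rule per program is needed
            New-NetFirewallRule -DisplayName $name -Group $group -Direction Outbound `
                -Program $exe -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

function Test-LolbinBlockRules {
    # Returns one line per rule that is missing, disabled, no longer blocking,
    # or whose program filter no longer points at the intended binary
    $problems = @()
    foreach ($exe in $lolbins) {
        $name = Get-LolbinRuleName $exe
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) { $problems += "missing: $name"; continue }
        if ($rule.Enabled -ne 'True') { $problems += "disabled: $name" }
        if ($rule.Action  -ne 'Block') { $problems += "not blocking: $name" }
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($program -notlike "*\$(Split-Path $exe -Leaf)") { $problems += "retargeted: $name -> $program" }
    }
    return $problems
}

Add-LolbinBlockRules
$issues = Test-LolbinBlockRules
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { 'All LOLBin outbound block rules present, enabled and blocking.' }
```

Re-running Test-LolbinBlockRules from a scheduled task gives a cheap tamper check; an empty result means the rules are intact.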
 
Prefer rules that are user-scope aware (standard user vs admin) and/or context aware (allowed only for admins, allowed only from system locations, etc.).
You must speak from experience. Name the tool that offers this capability to be user-scope aware and context aware.
 
You must speak from experience. Name the tool that offers this capability to be user-scope aware and context aware.
I can’t “speak from experience” (I’m an AI), but I can name the Windows mechanisms that actually provide user/group scoping and context-based control.

User-scope aware (target specific users/groups)
  • AppLocker (Windows Pro/Enterprise/Education)
  • Rules can be targeted to specific users or groups (e.g., “Everyone”, “Administrators”, “Standard Users”, a custom local group).
  • This is the most straightforward Microsoft control for “allow for admins, deny for standard users,” or vice-versa.

Context aware (where/how something is allowed)
  • AppLocker
  • Context via rule conditions: Publisher (signed binaries), Path (only from trusted directories), Hash (specific files), plus separate rule sets for EXE, MSI, scripts, packaged apps.
  • Software Restriction Policies (SRP) (legacy, but still functional)
  • Has the key context switch: “Apply to all users except local administrators” (effectively user-scope relative to admin vs standard user), plus path/hash/certificate rules.
  • WDAC / Microsoft Defender Application Control (App Control for Business)
  • Strongest kernel-enforced application control (context mainly by signer/publisher, allowlists, managed installer, etc.), but it’s generally device-wide rather than “per-user” in the AppLocker sense.

Bottom line
If you specifically want “user/group-scoped” execution control, the Microsoft tool that directly offers that is AppLocker. For “admin vs standard user” scoping on systems where AppLocker isn’t available, SRP’s ‘all users except local admins’ is the classic approach.
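The user/group scoping described above, as an added example (not code from the thread): an AppLocker EXE rule set that allows system folders for Everyone, allows everything for Administrators, and denies mshta.exe to standard users, tested and applied from PowerShell. It assumes an AppLocker-capable SKU and a running Application Identity service (AppIDSvc); without that service the rules import but are not enforced.

```powershell
# Added example, not from the thread. Assumptions: AppLocker-capable SKU, AppIDSvc running,
# run elevated. Rule IDs are generated at run time.
$policyXml = @"
<AppLockerPolicy Version="1">
  <!-- AuditOnly first: decisions are logged to the AppLocker event log, nothing is blocked -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Everyone (S-1-1-0) may run binaries from the Windows and Program Files folders -->
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- BUILTIN\Administrators (S-1-5-32-544) may run anything, e.g. to install software -->
    <FilePathRule Id="$(New-Guid)" Name="Allow all for admins" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- BUILTIN\Users (S-1-5-32-545) are denied mshta.exe even though it lives under %WINDIR%:
         Deny wins over Allow. Admin accounts are normally members of Users as well, so use a
         dedicated "standard users" group (as the post suggests) if admins must keep mshta. -->
    <FilePathRule Id="$(New-Guid)" Name="Deny mshta for standard users" Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\mshta.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-userscope.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would the policy decide for a standard user vs. an administrator SID?
# (Test-AppLockerPolicy evaluates the SID given, not the caller's group memberships.)
$target = "$env:SystemRoot\System32\mshta.exe"
foreach ($sid in 'S-1-5-32-545', 'S-1-5-32-544') {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $target -User $sid |
        Select-Object @{n='Sid';e={$sid}}, FilePath, PolicyDecision, MatchingRule
}

# Apply; -Merge keeps rules already on the machine. Switch EnforcementMode to "Enabled"
# only after the audit events show nothing legitimate would be blocked.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```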
 
I don’t know the anatomy of Linux, but I’ve got a hunch it can catch the same ailments. After all, Living off the Land isn’t a local virus—it’s more like the universal religion of malware: raiding the pantry to cook up trouble 🐧 🤷‍♂️
 
"WDAC and AppControl are not available on Windows Home as you probably will know"

This is structurally false. The Group Policy Management Console (gpedit.msc) is missing from Home. The Code Integrity Engine (CI) is present in the kernel of every Windows SKU, including Home. You can deploy a WDAC Policy on Windows Home via PowerShell (CiTool). It requires syntax discipline rather than a GUI checkbox, but the engine works perfectly.
The best helmsmen are always standing ashore, or in your case, sitting on a balcony.

About WDAC, there is a much better and easier tool to use for it: it is called Windows Hybrid Hardening Light.

About AppControl it can't be used in Windows Home. So I repeat my question: how would you use AppControl in Windows Home?
 
To eliminate LOLBins attacks switch to Linux 😆 😆 😆
Linux and Mac OS actually have even more LOLBins than Windows.
The philosophy there is highly modular.

If something can be used, then it can be abused.

The Windows LOLBins generally are more dangerous though with much more capabilities.

Mac OS/Unix inherit the entire LOLBin problem, with additions on top of it. However, there are additional protections.


There is no such project for Chrome OS 😉

That doesn’t mean that there is no Phishing and other nasties.
 
third-party AVs which often disable smart screen
SmartScreen can run alongside 3rd party AV!
I can turn it off or on.

 
With SRP + some Windows Policies, it is possible to apply only a limited home version of Zero Trust.
  1. The user works only on SUA.
  2. The user cannot elevate applications (by Windows policy). No UAC prompt.
  3. Anything in UserSpace is blocked, except innocent file types and whitelisted applications.
  4. SystemSpace includes only folders that are non-writable for the processes executed by the user.
  5. Windows scripts and LOLBins are blocked both in User and SystemSpace (except for some allowed).
  6. Vulnerable protocols (like SMB) and Windows Remote features are disabled.
  7. SAC enabled (mainly to mitigate highly privileged exploits).
It is hard to infect such a hardened system on well updated Windows 11.
However, it is also necessary to harden the web browser and firewall.

Such a hardened system is useful when using apps from Microsoft Store. Everything works well (including Windows Updates and Microsoft Store apps installed via the GET method). Almost zero-maintenance needed.

(y);)

It is useless to have a fence around the house, even with a moat, and then leave the “doors” and “windows” unattended and open...
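Steps 3 to 5 of the list above, as an added example (not code from the thread, and not how WHHLight or Hard_Configurator do it): a minimal SRP baseline written directly to the registry, which is how SRP can be configured on SKUs without gpedit.msc. Assumptions: run elevated, the paths and blocked LOLBins are illustrative, and a new sign-in is used to make sure the policy is re-read.

```powershell
# Added example, not from the thread. SRP keys live under this policy path on every SKU.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level values
$Unrestricted = 0x40000

function New-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule lives under <level>\Paths\{GUID}; ItemData holds the path
    $key = Join-Path $base "$Level\Paths\{$(New-Guid)}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -PropertyType String       -Value $Description -Force | Out-Null
    return $key
}

New-Item -Path $base -Force | Out-Null
# Step 3: default-deny. PolicyScope 1 = "all users except local administrators",
# which matches a setup where the person works on a SUA and admins are left alone.
New-ItemProperty -Path $base -Name DefaultLevel       -PropertyType DWord -Value $Disallowed -Force | Out-Null
New-ItemProperty -Path $base -Name PolicyScope        -PropertyType DWord -Value 1           -Force | Out-Null
New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 1           -Force | Out-Null  # enforce, DLLs excluded
# File types SRP treats as executable; script and shortcut types are included so they are covered too
New-ItemProperty -Path $base -Name ExecutableTypes -PropertyType MultiString -Force -Value @(
    'EXE','COM','SCR','PIF','BAT','CMD','MSI','MSP','HTA','JS','JSE','VBS','VBE','WSF','WSH','PS1','REG','LNK'
) | Out-Null

# Step 4: SystemSpace (folders a standard user cannot write to) is unrestricted...
New-SrpPathRule $Unrestricted '%SystemRoot%'         'Windows folder'      | Out-Null
New-SrpPathRule $Unrestricted '%ProgramFiles%'       'Program Files'       | Out-Null
New-SrpPathRule $Unrestricted '%ProgramFiles(x86)%'  'Program Files (x86)' | Out-Null
# ...but user-writable subfolders inside it are denied again (illustrative list).
# Among SRP path rules the more specific path wins, so these override the folder rule above.
New-SrpPathRule $Disallowed '%SystemRoot%\Temp'  'Writable by standard users' | Out-Null
New-SrpPathRule $Disallowed '%SystemRoot%\Tasks' 'Writable by standard users' | Out-Null

# Step 5: LOLBins blocked even though they sit in SystemSpace (assumed list: the ones the thread names)
foreach ($lolbin in 'mshta.exe', 'wscript.exe', 'cscript.exe') {
    New-SrpPathRule $Disallowed "%SystemRoot%\System32\$lolbin" "LOLBin: $lolbin" | Out-Null
    New-SrpPathRule $Disallowed "%SystemRoot%\SysWOW64\$lolbin" "LOLBin: $lolbin" | Out-Null
}
'SRP baseline written; sign out and back in, then test from the standard user account.'
```

Keep an administrator account outside PolicyScope (as above) so a mistake in the rules never locks you out of fixing them; this is the configuration risk a later post calls the "human" vulnerability.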
 
When a user lacks the processing power to parse an architectural argument, they often resort to generating heat (insults) instead of light. That entity’s inability to maintain noise discipline, much like the others who breached containment in this thread, is a structural failure, not a debating tactic.
So answer this simple question: how would a Windows home user use AppLocker?

As always, you may add some processing power by using AI to find an answer :-)
 
As always, you may add some processing power by using AI to find an answer :-)

Here are my threads about it:

If I correctly remember, soon after those threads, Microsoft extended AppLocker management to Windows Home.
I created an application similar to WHHLight, but based on AppLocker instead of SRP. However, I decided to continue using SRP, because it is more convenient for home users.
 
Here are my threads about it:

If I correctly remember, soon after those threads, Microsoft extended AppLocker management to Windows Home.
If I remember correctly, there is a service that enforces the policy. This service is missing on Windows Home so policy will be imported but it won’t have much effect.
 
If I remember correctly, there is a service that enforces the policy. This service is missing on Windows Home so policy will be imported but it won’t have much effect.

This was true before the introduction of SAC, which is why one had to use CSP.
However, I had not tested AppLocker for over two years, so I am unsure at this moment how AppLocker works on Windows Home via PowerShell. If I find some time, I can check it.
 
So answer this simple question: how would a Windows home user use AppLocker?

As always, you may add some processing power by using AI to find an answer :-)
Since you’re already a pro at using AI for your browser extensions, this seems like the perfect opportunity to use those skills and look this up yourself.
 
@Andy Ful
Allow me to introduce one of my personal tools, ASSET. (Automated Software Security & Engineering Triage).


It's used to determine if applications presented in this forum are safe for the members. You asked when I became this proficient, honestly, I've just been busy learning for the last half-year or so. I've built 22 AI tools for forensics and analysis recently, so this is just a small sample of what I've been up to.

This is an example based on this version of your tool.

Hard_Configurator_setup_7.0.1.1.exe

(Forensic Findings)
Code:
+-----------------------+------------------------------------------+
| CATEGORY              | FINDINGS / HEURISTICS                    |
+-----------------------+------------------------------------------+
| Engine Identification | [NSIS (Nullsoft) - Confirmed by .ndata]  |
| Dependency Audit      | [Standard NSIS Stub + zlib/lzma overlay] |
| Entropy Check         | [High (Packed NSIS Payload)]             |
| Manifest Audit        | [requireAdministrator (Correct)]         |
| Timestamp Integrity   | [Valid / Matches Signature]              |
| Gating Taxonomy       | [Hard Gating (NSIS Wizard)]              |
| Capability Mapping    | [Scripted Install / RegWrite / Svc]      |
+-----------------------+------------------------------------------+

CONTEXTUAL ANALYSIS Gating Efficiency [100%] The logic remains "Hard Gated." The NSIS script controls the flow, requiring user interaction to proceed. The dangerous capabilities (modifying SRP/AppLocker) are only accessible via the wizard interface.

Admin Justification
[Justified] Hard Configurator's core function is system hardening via Windows Policy. This requires administrative access to the Registry. The NSIS stub correctly requests requireAdministrator.

Engineering Hygiene
[Professional / Community Standard] The use of NSIS (Nullsoft Install System) is a standard, reputable choice for open-source utilities. The presence of a valid digital signature (associated with the developer "Andy Ful") acts as a strong Trust Anchor, validating that the binary has not been tampered with since compilation.

Transparency Delta
[Zero] The UI promises a system configuration tool; the Kernel extracts a script-driven installer that drops configuration files and sets registry keys. There is no evidence of hidden payloads (e.g., downloaders, silent background services) that contradict the UI's promise.

VERDICT & SYNTHESIS: The artifact Hard_Configurator_setup_7.0.1.1.exe is a SAFE, digitally signed installer for a legitimate system hardening utility. Forensic analysis confirms it relies on the NSIS engine (indicated by the .ndata section). The high entropy detected is a result of NSIS compression (LZMA/zlib) and is standard for installers. This potential red flag is overridden by the valid Trust Anchor (Digital Signature). The tool requires high privileges (Admin) because its sole purpose is to lock down Windows features (SRP, AppLocker) to improve security.

Assessment
Legitimate Interpretation: This is the official distribution of Hard Configurator. The developer uses NSIS to package the scripts and executables into a single file. The administrator privileges are requested upfront via the Manifest to ensure the tool can write to HKLM (Local Machine Registry) to apply security policies.

VULNERABILITY & HYGIENE NOTES

"Human" Vulnerability: While the file is safe, the tool it installs is powerful. Improper configuration of Software Restriction Policies (SRP) can render a Windows system unusable (e.g., blocking all EXEs). This is a user-configuration risk, not a code vulnerability.

False Positives: Because this tool modifies deep system security settings, it is common for lower-tier antivirus heuristics to flag it as "RiskWare" or "HackTool." This is expected behavior for security tools.

FINAL DISTRIBUTION VERDICT
Code:
+-----------------------+------------------------------------------+
| RISK SCORE            | FORUM-SAFE VERDICT LABEL                 |
+-----------------------+------------------------------------------+
| [Score 0.5 / 10.0]    | [SAFE]                                   |
+-----------------------+------------------------------------------+

DIGITAL SIGNATURE
JSON:
{
  "system": "A.S.S.E.T. v2.9.4-F",
  "target_identity": {
      "filename": "Hard_Configurator_setup_7.0.1.1.exe",
      "type": "NSIS Installer"
  },
  "risk_scoring": {
    "distribution_verdict": "SAFE",
    "base_score": 0.5,
    "context_modifier": -0.5,
    "transparency_delta": 0.0,
    "trust_anchor_active": true
  },
  "forensic_work_log": {
    "engine_verified": "NSIS",
    "indicator": ".ndata section",
    "confidence_interval": 99.9
  }
}
 