Status
Not open for further replies.
Latest changes
Dec 26, 2019
Operating system
  Not listed
System type
  32-bit operating system; x86-based processor
Update and Security
  No security updates
User Access Control
  Notify me only when programs try to make changes to my computer
Firewall and Network protection
  Microsoft Defender Firewall is active
User permissions
  Administrator account
User account
  Local account only
Sign-in options
  • Account Password
Malware exposure
  No malware samples are downloaded
Real-time Malware protection
  • Windows Firewall
  • Firewall Hardware on router
  • 1° AdGuard DNS / 2° CloudFlare DNS
  • MBAE Premium - Custom Setting
  • OSA - Custom Setting
  • Black Viper's List - Some services Disabled/Manual
Modified security settings
  • Trick POS Ready 2009 + KB4500331.
  • PsExec - Run browsers + email client with limited rights - Exceptions (OSA) for Interlink Mail News and New Moon.
  • DEP Always ON
  • SMB Protocol Disabled
  • No .NET Framework Installed
  • I.E.8 No Flash + Trick 1803 (Block the downloadable executable files) + Disable script (F12 - on/off) + block execution I.E.8.
Periodic scanners
  Hitman Pro, McAfee Stinger, HijackThis Portable, Adwcleaner v.6.0.4.7
Browser and Extensions
  New Moon 28 - (Pale Moon fork for Windows XP) Custom Setting about:config
  • Noscript
  • U.B.O.Legacy
  • Decentraleyes
  • No Resource URI Leak
  • Canvas Blocker Legacy 0.2 - Only to pass the ClientRects Fingerprint test
Privacy tools and VPN
  • 1° AdGuard DNS / 2° CloudFlare DNS
  • W.M.P. off
  • O.E. off
  • New Moon Home page = DuckDuckGo - Custom settings saved via URL, no cookies
Password manager
  My Memory
Search engine
  DuckDuckGo
Maintenance tools
  • CCleaner - Many custom rules created by me
  • RegSeeker
  • Process Explorer
  • SigcheckGUI
  • Dependency Walker
  • CFF Explorer
  • Currports
  • WWDC
  • IObit Uninstaller Portable
  • Speedyfox - Custom Rule for Interlink Mail News
  • SUMo Portable
  • JKDefragGUI
Photos and Documents backup
  Pen Drive
Data Backup Schedule
  Once or multiple times per month
Backup and Restore
  Acer System Backup
Backup Schedule
  Once or more per year
Computer Activity
  • Online banking
  • Browsing the web and checking emails
  • Office and other work-related software (Work from Home)
  • Learning computer languages or creating apps
Computer Specifications
  Acer Intel Celeron M380 1.60 GHz 1GB RAM
Your changelog
  1. Added some custom rules in OSA for Mimikatz Dump Lsass.exe mitigation.
  2. Added "sc" command rule block in OSA.
  3. Added rule to block execution of I.E.8 in OSA.
  4. Added rule to block msbuild.exe in OSA and the same rule on the Registry Key.
  5. Blocking rule in host file for CCleaner.
Staff notes

    This setup configuration may put your device at risk.
    We don't recommend that other members use this security setup. We cannot be held responsible for problems that may occur to your device by using this security setup.

    This computer configuration is using an unsupported operating system. If possible, we recommend upgrading to an operating system that is supported by its developers.

    Andy Ful

    Yes, but I would like to broaden the discussion since Umbra mentioned it.
    OK.
    Final conclusion.
    In my PC, even in case of compromise of the OS (absurd hypothesis) Mimikatz could not act.
    Your final conclusion is wrong, because it is based on unsupported assumptions.
    1. MBAE + OSA can be a good replacement for Windows Updates.
    2. OSA can stop obfuscated command lines and all LOLBins.
    3. OSA can stop all implementations of Mimikatz (it cannot).
    Nothing that was posted in this thread, or in the threads you mentioned (like the one from the Wilders Security forum), supports the above assumptions.

    But, you are right that the Mimikatz attack via scripting methods would be hardly probable in the wild in the home environment, when .NET Framework is not installed and Windows Script Host scripting is blocked. Of course, if the system is compromised, then the legal Python interpreter can be downloaded and Pypykatz can be run to do the same as Mimikatz.
     

    Sampei Nihira

    OK.

    Your final conclusion is wrong, because it is based on unsupported assumptions.
    1. MBAE + OSA can be a good replacement for Windows Updates.
    2. OSA can stop obfuscated command lines and all LOLBins.
    3. OSA can stop all implementations of Mimikatz (it cannot).
    Nothing that was posted in this thread, or in the threads you mentioned (like the one from the Wilders Security forum), supports the above assumptions.

    But, you are right that the Mimikatz attack via scripting methods would be hardly probable in the wild in the home environment, when .NET Framework is not installed and Windows Script Host scripting is blocked. Of course, if the system is compromised, then the legal Python interpreter can be downloaded and Pypykatz can be run to do the same as Mimikatz.
    Absurd.
    Pypykatz does not work on Windows XP.
    For your assumptions...
    At the university we did a specific test with an out-of-date PC (apart from the browser) for 4 months with a security configuration similar to mine; no exploit-loaded web page was able to get past the browser.

    But I don't want to mention this episode since it was a private test.

    Rather I would be interested to know how the attacker through Mimikatz manages to know if the compromised PC is 32 bit or 64 bit.

    Read this article written by Mrkvonic (Igor Ljubuncic), who as I remember is a Linux systems expert and regularly writes about W.:

    ....For home users, who often happen to be the only user on their own machine, where user-to-admin exploits and local-access exploits are not important, system updates will rarely matter if the users have good network-facing security (router and browsers).....
    although the article does not consider that even a Windows 7 OS can be updated in the same way after the end of extended support:


    Happy New Year.

    Andy Ful

    Absurd.
    Pypykatz does not work on Windows XP.
    The new beta can parse XP(32/64) lsass dumps.
    Anyway, that was only an example of using Python to bypass AV and OSA protection.

    For your assumptions...
    At the university we did a specific test with an out-of-date PC (apart from the browser) for 4 months with a security configuration similar to mine; no exploit-loaded web page was able to get past the browser.

    But I don't want to mention this episode since it was a private test.
    You know that such a test means nothing.

    Rather I would be interested to know how the attacker through Mimikatz manages to know if the compromised PC is 32 bit or 64 bit.
    Why should the attacker do it via Mimikatz? It is not Mimikatz that compromised your system.
    Read this article written by Mrkvonic, who as I remember is a Linux systems expert and regularly writes about W:

    https://www.dedoimedo.com/computers/windows-7-end-of-support-guide.html
    ...
    Happy New Year.
    It is similar to what I posted already:
    https://malwaretips.com/threads/sam...ig-winxp-pos-ready2009-2019.97166/post-850607

    You should also decide which experts you want to listen to - the MBAE experts or Mrkvonic; they have very different opinions about Windows Updates and the level of security.

    By the way, you should apply the SUA (limited user account) in your setup as it was suggested in my post and in the article (the red color was used by the author):
    "I've talked about this endlessly over the past decade and a half. You can use a standard user account to reduce the risk of accidental damage."

    Happy New Year.

    ForgottenSeer 823865

    Absurd.
    Pypykatz does not work on Windows XP.
    For your assumptions...
    Wrong again.

    At the university we did a specific test with an out-of-date PC (apart from the browser) for 4 months with a security configuration similar to mine; no exploit-loaded web page was able to get past the browser.
    Yeah, it means nothing; they don't have access to the latest exploits, nor do they create any. And if universities were good at security, they wouldn't get hacked all the time by their students. Lol.

    Rather I would be interested to know how the attacker through Mimikatz manages to know if the compromised PC is 32 bit or 64 bit.
    You need to do more research about attacking a system. The first thing attackers check, once your system is compromised, is your computer environment; then they adapt their tools to it. They don't use Mimikatz for it; the stager/dropper does the job, usually by placing a remote shell (or via port scanning).
    Serious hacking is all about using attack chains/stages (or not, depending on the target/situation). If your computer is already compromised, they have all the info they need to deploy Mimikatz and other tools properly (via an obfuscated download cradle, etc.).

    Also I will point out that attackers don't need to install PowerShell or Python on the victim system. The stager embeds them and runs them in memory using various methods (but often via reflective DLL injection).

    I want to reiterate the fact that once an attacker manages to get a kernel exploit active on your system, it is game over.

    We are here to discuss the absolute, so spare me the "I'm a home user, I won't get targeted" or "exploits are rare" arguments; those have no place in a security forum. If this is your main point to refute that your system is more vulnerable than a modern OS, then there is nothing to discuss anymore and you can keep living happily in denial.


    Read this article written by Mrkvonic(Igor Ljubuncic)
    Please, don't point us to him. With all respect to him (I like to read his informative blog posts), he is no expert. It is not because I do monthly reviews of an OS that suddenly I am a Windows and security expert, lol.
    I know a lot of stuff about security and Windows, and I don't consider myself an expert, far from it...

    Sampei Nihira

    :LOL::LOL:

    I already knew that article:


    And how would this hypothetical remote attacker install ProcDump on my Windows XP OS?

    Again by hypothesis, since in a protected OS like mine it would not be possible to start the attack sequence.

    P.S.

    @Andy Ful

    Still always SUA?
    I told you repeatedly that on my PC it is sufficient to apply limited-user privileges to browsers and email clients.
    Please try NOT to be repetitive.:sleep::sleep:
    TH.

    Andy Ful

    Sampei Nihira,

    It seems that you do not follow the bits of advice included in the articles you read. You treat them selectively without proper understanding. I can see the difference between limiting privileges on an Administrator account and using a "limited user account". It seems that our understanding of Windows vulnerabilities, exploits and infection chains is on very different levels. I can also see that these levels will not get close to each other.
    I wish you:
    1. May MS keep updating all Windows XP vulnerabilities until all XP machines die.
    2. May your faith in MBAE, New Moon, OSA (and any 3rd party security you choose) become reality.
    3. May the people who use your setup have safe habits and not perform risky activities.
    Generally, I wish you good luck. Do not mind if some of my posts were waspish.:)(y)
    By the way, I also use a Windows XP machine as a media player (CF + Sandboxie + disconnected from the Internet).
     

    Sampei Nihira

    Sampei Nihira,

    It seems that you do not follow the bits of advice included in the articles you read. You treat them selectively without proper understanding. I can see the difference between limiting privileges on an Administrator account and using a "limited user account". It seems that our understanding of Windows vulnerabilities, exploits and infection chains is on very different levels. I can also see that these levels will not get close to each other.
    I wish you:
    1. May MS keep updating all Windows XP vulnerabilities until all XP machines die.
    2. May your faith in MBAE, New Moon, OSA (and any 3rd party security you choose) become reality.
    3. May the people who use your setup have safe habits and not perform risky activities.
    Generally, I wish you good luck. Do not mind if some of my posts were waspish.:)(y)
    By the way, I also use a Windows XP machine as a media player (CF + Sandboxie + disconnected from the Internet).
    @Andy Ful

    I am not a native English speaker.
    I can write answers that you misinterpret.
    I'm interested in building a speech.

    Right now the thread of the discussion is Pypykatz.
    If you want to change the subject, just say it.;)
    That's fine with me.(y)
    Do not always go back to what you have already written on the previous pages in this 3D.

    I think it would also be interesting for other forum members to block utilities that are potentially harmful to our OS:

    150.JPG
     

    Andy Ful

    Sampei Nihira,

    You know that I wish you well. I am a little tired of this discussion because it seems useless to you. The readers can get enough information from this thread to make a proper decision. I am also busy now, because I have to investigate/test the security consequences of the modified Recommended Settings in the new version of H_C.
    Be safe. (y)
     

    Sampei Nihira

    Care to post it?
    But keep in mind that it is suitable for my needs.;)
    My browser doesn't have anti-phishing features like your browsers (unless you've disabled the feature).

    In my opinion you should do anti-phishing tests and check if everything is OK for you or you need some integration.

    I'll insert the link I use:


    Use finished URLs, those without ...
    If you need, I will gladly insert my personalized UBO lists.

    Let me know, OK?(y)
     

    Lenny_Fox

    Mozilla said:
    In an advisory, Mozilla rated the vulnerability critical and said it was "aware of targeted attacks in the wild abusing this flaw." The US Cybersecurity and Infrastructure Security Agency said one or more exploits were "detected in the wild" and warned that attacks could be exploited to "take control of an affected system." The Mozilla advisory credited researchers at China-based Qihoo 360 with reporting the flaw.
    You are still good to go with XP?
     

    Sampei Nihira

    You are still good to go with XP?
    1° - The vulnerabilities concern versions of Firefox that cannot be installed in Windows XP.
    2° - If the vulnerabilities should also affect Pale Moon (this is not always the case because the Firefox ESR 52 version is often not subject to the same vulnerabilities):

    ....They are handled primarily by me (Moonchild) personally being in touch with the Mozilla Security team which provides me with access to relevant bugs on bugzilla, but only after Mozilla has deemed it safe to release to non-team members (which is usually a few days to a week after a Firefox release......

    3° - Roytam1 applies, if available, almost immediately, patches to versions of browsers developed for Windows XP, in my case New Moon.
    This is possible because the version of New Moon we use comes from their alpha build.

    4° - Roytam1 usually makes personal changes to the Pale Moon code every week.
    This fact also statistically lowers the chances that a browser with different code is as exploitable as the original Pale Moon / Firefox.

    ________________________________________________________________________________________________________________________________________________

    Several years ago we analyzed, with the help of Giorgio Maone, the Firefox bugs that would have been rendered "harmless" by the use of Noscript.

    This estimate resulted in nearly 80%.
    The result was obtained with Noscript with the default settings.

    P.S. And my Noscript setting is not default.;)

    Sampei Nihira

    @Lenny_Linux

    Pale Moon was also vulnerable to CVE-2019-17026.
    Roytam1 ported the patch to XP yesterday:


    These changes compared to the previous week in the browser:

    Official UXP changes since my last build:
    - Issue #1338 - Part 1: Update NSPR to 4.24 (f7d301332)
    - Issue #1338 - Part 2: Update NSS to 3.48-RTM (f4a12fc67)
    - Issue #1338 - Part 3: Update NSS symbols (c097dcf7f)
    - Issue #1338 - Part 4: Initialize NSS with desired run-time values. (24f97a168)
    - Issue #1338 - Part 5: Clobber for NSS update (b1694ef0a)
    - Merge pull request #1341 from MoonchildProductions/nss-work (e30d68b69)
    - Issue #1345 - Implement non-standard legacy CSSStyleSheet rules (b4d686d62)
    - Merge pull request #1346 from JustOff/PR_CSSStyleSheet_legacy (c66b70c4d)
    - Reject sample rates that are out-of-range for libsoundtouch. (c03265177)
    - Bug 1322938 - Basic implementation of HTMLDialogElement. (2e3b937f4)
    - Bug 1322938 - Emit close event when HTMLDialogElement.prototype.close() is called. (ef2cd8749)
    - Bug 1322938 - Update <dialog> element Web Platform Tests expected results. (a4011e724)
    - Bug 1322938 - Put <dialog> element behind preference. (b91b0c37e)
    - Bug 1322938 - Make the HTML tree builder aware of <dialog>. (25e85f99c)
    - Bug 1379728 part 1. Remove the double-definition of the 'close' event from EventNameList.h. (52bda2a82)
    - Issue #1348 - Part 1: Clean up input scope support for IMM32. (1672355a7)
    - Issue #1348 - Part 2: Teach IMEState about Private Browsing mode. (8ae047bbb)
    - Issue #1348 - Part 3: Set IS_PRIVATE input scope in private browsing. (d79cc5fb4)
    - Merge pull request #1347 from g4jc/html5_dialog (29bf28ca3)
    - Simplify value setting. (d429ac8a6)
    - Be more consistent about decoding IP addresses in PSM. (8198126c3)
    - Make copy of list before iterating over it. (51b1cd97a)
    - Handle missing base64 challenge in NegotiateAuth and NTLMAuth. (0186023f4)
    - Issue #1338 - Un-bust building of NSS after update to 3.48 on Linux. (936577621)
    - Update GTK clipboard handling (095a02f25)
    - Issue #1338 - Followup: certdb: propagate trust information if trust module is loaded afterwards, (f64e760ab)


    Official Pale-Moon changes since my last build:
    - Issue #1703 - Update UA overrides for Google and YouTube (832effab3)
    - Block Noveau NV96 mesa driver layers acceleration. (b7841e5cf)


    There are no new Official Basilisk changes since my last build.


    My changes since my last build:
    - ported mozilla upstream bug: Bug 1607443 - Fix some alias sets. r=tcampbell, a=lizzard (b8ab52794)

    Thank you very much for asking your question yesterday.(y);)
    So the MT community can verify how it is possible to use XP still today safely.

    Thanks again.:)
     

    Sampei Nihira

    @Sampei Nihira May I ask an off-topic question? Where do you find the security updates for XP? Is there a complete list of must-installed patches?
    After the end of extended support (2014) you need to make a change to the registry to use POSREADY updates.
    Here are 2 threads (3D) with some info on the topic you asked about:


     

    Sampei Nihira

    There is a 2020 update, in the final part of the article, that I had not read.
    I bring it to your attention:


    Procdump is no longer needed.
    Be careful of rundll32.exe.
    My rule in OSA was already selected:

    300.JPG

    Take your precautions.(y);)

    ForgottenSeer 823865

    Interesting approach; anyway, rundll32.exe as an abused process is old news.

    Off topic: are you French (coz I am)? Because most of your links are French stuff.
     