Danger Sampei Nihira Security Config WinXP (POS Ready2009) 2020

Status
Not open for further replies.
Last updated
Dec 26, 2019
Windows Edition
Home
Operating system
Other
Log-in security
Security updates
Block all updates
User Access Control
Notify me only when programs try to make changes to my computer
Real-time security
  • Windows Firewall
  • Firewall Hardware on router
  • 1° AdGuard DNS / 2° CloudFlare DNS
  • MBAE Premium - Custom Setting
  • OSA - Custom Setting
  • Black Viper's List - Some services Disabled/Manual
Firewall security
Microsoft Defender Firewall
About custom security
  • Trick POS Ready 2009 + KB4500331.
  • PsExec - Run browsers + email client with limited rights - Exceptions (OSA) for Interlink Mail News and New Moon.
  • DEP Always ON
  • SMB Protocol Disabled
  • No NET Framework Installed
  • I.E.8 No Flash + Trick 1803 (Block the downloadable executable files) + Disable script (F12 - on/off) + block execution I.E.8.
Periodic malware scanners
Hitman Pro, McAfee Stinger, HijackThis Portable, Adwcleaner v.6.0.4.7
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
New Moon 28 - (Pale Moon fork for Windows XP) Custom Setting about:config

  • Noscript
  • U.B.O.Legacy
  • Decentraleyes
  • No Resource URI Leak
  • Canvas Blocker Legacy 0.2 - Only to pass the ClientRects Fingerprint test
Maintenance tools
  • CCleaner - Many custom rules created by me
  • RegSeeker
  • Process Explorer
  • SigcheckGUI
  • Dependency Walker
  • CFF Explorer
  • Currports
  • WWDC
  • IObit Uninstaller Portable
  • Speedyfox - Custom Rule for Interlink Mail News
  • SUMo Portable
  • JKDefragGUI
File and Photo backup
Pen Drive
System recovery
Acer System Backup
Risk factors
  • Logging into my bank account
  • Browsing to popular websites
  • Working from home
Computer specs
Acer Intel Celeron M380 1.60 GHz 1GB RAM
Notable changes
  1. Added some custom rules in OSA for Mimikatz Dump Lsass.exe mitigation.
  2. Added "sc" command rule block in OSA.
  3. Added rule to block execution of I.E.8 in OSA.
  4. Added rule to block msbuild.exe in OSA and the same rule on the Registry Key.
  5. Blocking rule in host file for CCleaner.
Notes by Staff Team
  1. This setup configuration may put you and your device at risk!
    We do not recommend that other members use this setup. We cannot be held responsible for problems that may occur to your device by using this security setup.

  2. This computer configuration is using an unsupported operating system. If possible, we recommend upgrading to an operating system that is supported by its developers to remain protected from the latest threats.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
Yes, but I would like to broaden the discussion since Umbra mentioned it.
OK.
Final conclusion.
On my PC, even in the case of a compromise of the OS (an absurd hypothesis), Mimikatz could not act.
Your final conclusion is wrong, because it is based on unsupported assumptions.
  1. MBAE + OSA can be a good replacement for Windows Updates.
  2. OSA can stop obfuscated command lines and all LOLBins.
  3. OSA can stop all implementations of Mimikatz (it cannot).
Nothing that was posted in this thread, or in the threads you mentioned (like the one from the Wilders Security forum), supports the claim that the above assumptions are true.

But you are right that a Mimikatz attack via scripting methods would hardly be probable in the wild in a home environment, when .NET Framework is not installed and Windows Script Host scripting is blocked. Of course, if the system is compromised, then the legal Python interpreter can be downloaded and Pypykatz can be run to do the same as Mimikatz.

Sampei Nihira

Level 6
Thread author
Verified
Well-known
Dec 26, 2019
287
OK.

Your final conclusion is wrong, because it is based on unsupported assumptions.
  1. MBAE + OSA can be a good replacement for Windows Updates.
  2. OSA can stop obfuscated command lines and all LOLBins.
  3. OSA can stop all implementations of Mimikatz (it cannot).
Nothing that was posted in this thread, or in the threads you mentioned (like the one from the Wilders Security forum), supports the claim that the above assumptions are true.

But you are right that a Mimikatz attack via scripting methods would hardly be probable in the wild in a home environment, when .NET Framework is not installed and Windows Script Host scripting is blocked. Of course, if the system is compromised, then the legal Python interpreter can be downloaded and Pypykatz can be run to do the same as Mimikatz.

Absurd.
Pypykatz does not work on Windows XP.
For your assumptions...
At the university we did a specific test with an out-of-date PC (apart from the browser) for 4 months with a security configuration similar to mine; no exploit-loaded web page was able to get past the browser.

But I don't want to mention this episode since it was a private test.

Rather, I would be interested to know how the attacker, through Mimikatz, manages to know whether the compromised PC is 32-bit or 64-bit.

Read this article written by Mrkvonic (Igor Ljubuncic), who, as I remember, is a Linux systems expert and regularly writes about W.:

https://www.dedoimedo.com/computers/windows-7-end-of-support-guide.html


....For home users, who often happen to be the only user on their own machine, where user-to-admin exploits and local-access exploits are not important, system updates will rarely matter if the users have good network-facing security (router and browsers).....

although the article does not consider that even a Windows 7 OS can be updated in the same way after the end of extended support:


Happy New Year.

Andy Ful

Absurd.
Pypykatz does not work on Windows XP.
The new beta can parse XP(32/64) lsass dumps.
Anyway, that was only an example of using Python to bypass AV and OSA protection.

For your assumptions...
At the university we did a specific test with an out-of-date PC (apart from the browser) for 4 months with a security configuration similar to mine; no exploit-loaded web page was able to get past the browser.

But I don't want to mention this episode since it was a private test.
You know that such a test means nothing.

Rather, I would be interested to know how the attacker, through Mimikatz, manages to know whether the compromised PC is 32-bit or 64-bit.
Why should the attacker do it via Mimikatz? It is not Mimikatz that compromised your system.
Read this article written by Mrkvonic, who, as I remember, is a Linux systems expert and regularly writes about W:

https://www.dedoimedo.com/computers/windows-7-end-of-support-guide.html
...
Happy New Year.
It is similar to what I posted already:
https://malwaretips.com/threads/sam...ig-winxp-pos-ready2009-2019.97166/post-850607

You should also decide which experts you want to listen to - MBAE experts or Mrkvonic; both have very different opinions about Windows Updates and the level of security.

By the way, you should apply the SUA (limited user account) in your setup as it was suggested in my post and in the article (the red color was used by the author):
"I've talked about this endlessly over the past decade and a half. You can use a standard user account to reduce the risk of accidental damage."

Happy New Year.

ForgottenSeer 823865

Absurd.
Pypykatz does not work on Windows XP.
For your assumptions...
Wrong again.

At the university we did a specific test with an out-of-date PC (apart from the browser) for 4 months with a security configuration similar to mine; no exploit-loaded web page was able to get past the browser.
Yeah, it means nothing; they don't have access to the latest exploits, nor do they create any. And if universities were good at security, they wouldn't get hacked all the time by their students. Lol.

Rather, I would be interested to know how the attacker, through Mimikatz, manages to know whether the compromised PC is 32-bit or 64-bit.
You need to do more research about attacking a system. The first thing attackers check, once your system is compromised, is your computer environment; then they adapt their tools to it. They don't use Mimikatz for it; the stager/dropper does the job, usually by placing a remote shell (or via port scanning).
Serious hacking is all about using attack chains/stages (or not, depending on the target/situation). If your computer is already compromised, they have all the info they need to deploy Mimikatz and other tools properly (via an obfuscated download cradle, etc.).

Also, I will point out that attackers don't need to install PowerShell or Python on the victim system. The stager embeds them and runs them in memory using various methods (but often via reflective DLL injection).

I want to reiterate the fact that once an attacker manages to get a kernel exploit active on your system, it is game over.

We are here to discuss the absolute, so spare me the "I'm a home user, I won't get targeted" or "exploits are rare" arguments; those have nothing to do in a security forum. If this is your main point to refute that your system is more vulnerable than a modern OS, then there is nothing to discuss anymore and you can keep living happily in denial.


Read this article written by Mrkvonic(Igor Ljubuncic)
Please, don't point us to him. With all respect to him (because of his informative blog posts, which I like to read), he is no expert. It is not because I do monthly reviews of an OS that suddenly I am a Windows and security expert, lol.
I know a lot of stuff about security and Windows, and I don't consider myself an expert, far from it...

Sampei Nihira

:LOL::LOL:

I already knew that article:


And how would this hypothetical remote attacker install ProcDump on my Windows XP OS?

Again by hypothesis, since in a protected OS like mine it would not be possible to start the attack sequence.

P.S.

@Andy Ful

Still always SUA?
I told you abundantly that on my PC it is sufficient to have limited-user privileges applied to browsers and email clients.
Please try NOT to be repetitive.:sleep::sleep:
TH.

Andy Ful

Sampei Nihira,

It seems that you do not follow the bits of advice included in the articles you read. You treat them selectively without proper understanding. I can see the difference between limiting privileges on an Administrator account and using "limited user account". It seems that our understanding of Windows vulnerabilities, exploits and infection chains are on very different levels. I can also see that these levels will not get close to each other.
I wish you:
  1. Let MS update all Windows XP vulnerabilities until all XP machines die.
  2. Let your faith in MBAE, New Moon, OSA (and any 3rd party security you choose) become reality.
  3. Let people who use your setup have safe habits and do not perform risky activities.
Generally, I wish you good luck. Do not mind if some of my posts were waspish.:)(y)
By the way, I also use a Windows XP machine as a media player (CF + Sandboxie + disconnected from the Internet).

Sampei Nihira

Sampei Nihira,

It seems that you do not follow the bits of advice included in the articles you read. You treat them selectively without proper understanding. I can see the difference between limiting privileges on an Administrator account and using "limited user account". It seems that our understanding of Windows vulnerabilities, exploits and infection chains are on very different levels. I can also see that these levels will not get close to each other.
I wish you:
  1. Let MS update all Windows XP vulnerabilities until all XP machines die.
  2. Let your faith in MBAE, New Moon, OSA (and any 3rd party security you choose) become reality.
  3. Let people who use your setup have safe habits and do not perform risky activities.
Generally, I wish you good luck. Do not mind if some of my posts were waspish.:)(y)
By the way, I also use a Windows XP machine as a media player (CF + Sandboxie + disconnected from the Internet).

@Andy Ful

I am not a native English speaker.
I can write answers that you misinterpret.
I'm interested in building a speech.

Right now the thread of the discussion is Pypykatz.
If you want to change the subject, just say it.;)
That's fine with me.(y)
Do not always go back to what you have already written on the previous pages in this 3D.

I think it would also be interesting for other forum members to block utilities that are potentially harmful to our OS:

[Image: 150.JPG]

Andy Ful

Sampei Nihira,

You know that I wish you well. I am tired a little with this discussion because it seems useless to you. The readers can get enough information from this thread to make a proper decision. I am also busy now, because I have to investigate/test the security consequences of the modified Recommended Settings in the new version of H_C.
Be safe. (y)

Sampei Nihira

I have updated the version of UBO Legacy.
UBO Legacy v.1.16.4.13 available today


I also did my usual weekly anti-phishing test, with today's phishing links, to the browser and DNS.
As usual, the custom list I use with UBO exceeds DNS.

Sampei Nihira

Care to post it?

But keep in mind that it is suitable for my needs.;)
My browser doesn't have anti-phishing features like your browsers (unless you've disabled the feature).

In my opinion you should do anti-phishing tests and check if everything is OK for you or you need some integration.

I'll insert the link I use:


Use finished URLs, those without ...
If you need, I will gladly insert my personalized UBO lists.

Let me know, OK?(y)

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Mozilla said:
In an advisory, Mozilla rated the vulnerability critical and said it was "aware of targeted attacks in the wild abusing this flaw." The US Cybersecurity and Infrastructure Security Agency said one or more exploits were "detected in the wild" and warned that attacks could be exploited to "take control of an affected system." The Mozilla advisory credited researchers at China-based Qihoo 360 with reporting the flaw.

You are still good to go with XP?

Sampei Nihira

You are still good to go with XP?

1° - The vulnerabilities concern versions of Firefox that cannot be installed on Windows XP.
2° - If the vulnerabilities should also affect Pale Moon (this is not always the case because the Firefox ESR 52 version is often not subject to the same vulnerabilities):

....They are handled primarily by me (Moonchild) personally being in touch with the Mozilla Security team which provides me with access to relevant bugs on bugzilla, but only after Mozilla has deemed it safe to release to non-team members (which is usually a few days to a week after a Firefox release......


3° - Roytam1 applies patches, if available, almost immediately to the browser versions developed for Windows XP, in my case New Moon.
This is possible because the version of New Moon we use comes from their alpha build.

4° - Roytam1 usually makes personal changes to the Pale Moon code every week.
This fact also statistically lowers the chances that a browser with different code is as exploitable as the original Pale Moon - Firefox.

________________________________________________________________________________________________________________________________________________

Several years ago we analyzed, with the help of Giorgio Maone, the Firefox bugs that would have been rendered "harmless" by the use of Noscript.

This estimate resulted in nearly 80%.
The result was obtained with Noscript with the default settings.

P.S. And my Noscript setting is not default.;)

Sampei Nihira

@Lenny_Linux

Pale Moon was also vulnerable to CVE-2019-17026.
Roytam1 ported the patch to XP yesterday:


These changes compared to the previous week in the browser:

Official UXP changes since my last build:
- Issue #1338 - Part 1: Update NSPR to 4.24 (f7d301332)
- Issue #1338 - Part 2: Update NSS to 3.48-RTM (f4a12fc67)
- Issue #1338 - Part 3: Update NSS symbols (c097dcf7f)
- Issue #1338 - Part 4: Initialize NSS with desired run-time values. (24f97a168)
- Issue #1338 - Part 5: Clobber for NSS update (b1694ef0a)
- Merge pull request #1341 from MoonchildProductions/nss-work (e30d68b69)
- Issue #1345 - Implement non-standard legacy CSSStyleSheet rules (b4d686d62)
- Merge pull request #1346 from JustOff/PR_CSSStyleSheet_legacy (c66b70c4d)
- Reject sample rates that are out-of-range for libsoundtouch. (c03265177)
- Bug 1322938 - Basic implementation of HTMLDialogElement. (2e3b937f4)
- Bug 1322938 - Emit close event when HTMLDialogElement.prototype.close() is called. (ef2cd8749)
- Bug 1322938 - Update <dialog> element Web Platform Tests expected results. (a4011e724)
- Bug 1322938 - Put <dialog> element behind preference. (b91b0c37e)
- Bug 1322938 - Make the HTML tree builder aware of <dialog>. (25e85f99c)
- Bug 1379728 part 1. Remove the double-definition of the 'close' event from EventNameList.h. (52bda2a82)
- Issue #1348 - Part 1: Clean up input scope support for IMM32. (1672355a7)
- Issue #1348 - Part 2: Teach IMEState about Private Browsing mode. (8ae047bbb)
- Issue #1348 - Part 3: Set IS_PRIVATE input scope in private browsing. (d79cc5fb4)
- Merge pull request #1347 from g4jc/html5_dialog (29bf28ca3)
- Simplify value setting. (d429ac8a6)
- Be more consistent about decoding IP addresses in PSM. (8198126c3)
- Make copy of list before iterating over it. (51b1cd97a)
- Handle missing base64 challenge in NegotiateAuth and NTLMAuth. (0186023f4)
- Issue #1338 - Un-bust building of NSS after update to 3.48 on Linux. (936577621)
- Update GTK clipboard handling (095a02f25)
- Issue #1338 - Followup: certdb: propagate trust information if trust module is loaded afterwards, (f64e760ab)


Official Pale-Moon changes since my last build:
- Issue #1703 - Update UA overrides for Google and YouTube (832effab3)
- Block Noveau NV96 mesa driver layers acceleration. (b7841e5cf)


There are no new Official Basilisk changes since my last build.


My changes since my last build:
- ported mozilla upstream bug: Bug 1607443 - Fix some alias sets. r=tcampbell, a=lizzard (b8ab52794)

Thank you very much for asking your question yesterday.(y);)
So the MT community can verify how it is still possible to use XP safely today.

Thanks again.:)

Sampei Nihira

@Sampei Nihira May I ask an off-topic question? Where do you find the security updates for XP? Is there a complete list of must-installed patches?

After the end of extended support (2014), you need to make a change to the registry to use POSREADY updates.
I'll insert 2 threads (3D) for you to get some info on the topic you asked about:



Sampei Nihira

There is an update to 2020 that I had not read in the article, in the final part.
I put it to your attention:


Procdump is no longer needed.
Be careful of rundll32.exe.
My rule in OSA was already selected:

[Image: 300.JPG]

Take your precautions .(y);)

ForgottenSeer 823865

Interesting approach; anyway, rundll32.exe as an abused process is old news.

Off topic: are you French (coz I am)? Because most of your links are French stuff.