EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I don't think that v5.51 will be the last release though. ;)
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    EMET Mitigation Test Kit
    Link: https://github.com/0xbadfca11/mitigation_test

    Seems to have been around for a few years but has recently been updated.


    Anyway, my main purpose with EMET in recent times has simply been an easy way to enable/force system-wide mitigations, as opposed to injecting the EMET DLL into processes and dealing with perf issues or stability issues. Particularly I appreciate enabling the forced system-wide ASLR for all processes. The only two processes that I still have EMET injecting are regsvr32 and rundll32, particularly for the ASR functionality to block specific modules known for application whitelisting bypasses (see https://github.com/iadgov/Secure-Ho...r32-application-whitelisting-bypass-technique). However, in the past few days I have been experimenting with ways to achieve similar functionality to EMET ASR but with Bouncer and/or MemProtect to block specific modules. I will share those rules in the appropriate threads once I've finished testing it some more.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  4. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    The reason for this is:
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    5.52 released!

    Download: https://www.microsoft.com/en-us/download/details.aspx?id=54264
    User Guide: https://www.microsoft.com/en-us/download/details.aspx?id=54265

     
    Last edited: Nov 15, 2016
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Rasheed187 @ropchain With regard to that ISC diary which you were mentioning, Didier Stevens has now posted a followup in which he further tested the initial sample but also went a step further to create his own sample for additional testing. It appears that, in conclusion, Windows 10 (without EMET) does not stand up to VBA shellcode at all on its own.

    Link: https://isc.sans.edu/diary/VBA Shellcode and Windows 10/21729

     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I didn't understand all the details, but I don't see how this would come as a big surprise, since Win 10 on its own will not block process hollowing, but perhaps I'm missing something.
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Windows 10 Cannot Protect Insecure Applications Like EMET Can
    https://insights.sei.cmu.edu/cert/2...tect-insecure-applications-like-emet-can.html
     
  9. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    can you share the configuration you got for those 2 processes please?
     
  10. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Yeah MS wants to push Win10 on all customers in sneaky and fishy ways..
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Since the Carnegie Mellon University CERT/CC blog post (https://insights.sei.cmu.edu/cert/2...tect-insecure-applications-like-emet-can.html) that @BoerenkoolMetWorst posted here a few days ago, there has been quite a bit more attention in technology news that brings more light to EMET being discontinued.

    It's good to see more pressure on Microsoft here. Despite EMET development falling behind here and there, being a toolkit as such, it certainly has the potential for newer mitigations and techniques to be updated within this toolkit. My hope still is that Microsoft decides to open-source EMET as soon as possible, prior to EOL.


    windows_mitigations_updated.png
    -Credit to Will Dormann (https://twitter.com/wdormann) of Carnegie Mellon University CERT/CC.


    CERT to Microsoft: Don't Kill EMET, Windows 10 Is Not as Secure as You Think
    Link: http://www.bleepingcomputer.com/new...met-windows-10-is-not-as-secure-as-you-think/

    CERT: Windows 7 with EMET is more secure than Windows 10, so don't retire EMET
    Link: https://www.neowin.net/news/cert-wi...re-secure-than-windows-10-so-dont-retire-emet

    CERT tells Microsoft to keep EMET alive because it's better than Win 10's own security
    Link: http://www.theregister.co.uk/2016/1...t_even_win_7_emet_is_better_than_solo_win_10/

    Report: Windows 10 is less secure than Windows 7 with EMET
    Link: https://mspoweruser.com/report-windows-10-less-secure-windows-7-emet/
     
  13. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Is Windows 8 the same as 7 as far as security and the entries in the table are concerned?
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is just a guess here since my experience with Windows 8.x is rather limited, but my understanding is that Windows 8.x did have some increased security as a step up from Windows 7. But as far as the particulars go, I am not 100% sure. I know that things such as AppContainer were added. But when it comes to specific mitigations, it is quite possible that there may be a difference between Windows 7 and Windows 8.x. Even the same mitigations could be slightly enhanced as well. I just don't have the particulars. Hopefully somebody with more in-depth experience with regard to the security additions to Windows 8.x can chime in here. I don't believe that Microsoft provided as many detailed documents with Windows 8.x with regard to security components in comparison to what they share now with Windows 10. Although we can certainly see what third-party security researchers have dug up as well. I apologize that my answer is not very specific.
     
  15. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    Wow, that is super revealing. I thought there was a swath of EMET protection in native W10 - I was wrong wrong wrong. The most aggravating aspect of this, is that like with other really good stuff they come up with, they just abandon it for the most illogical reasons. Maybe they are porting EMET (and renaming it) as a paid product/service for the enterprise.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I was able to dig up some great information showing how much security has evolved with Windows 8.x since Windows 7, making it stand out quite a bit. I will place it in a spoiler since this is slightly off topic.

    A quote from (https://technet.microsoft.com/en-us/library/dn283963(v=ws.11).aspx) that details how much ASLR has improved in Windows 8 over Windows 7 and also improved Windows heap:


    Also some solid information:

    What's Changed in Security Technologies in Windows 8
    Link: https://technet.microsoft.com/en-us/library/dn169048(v=ws.11).aspx

    What's Changed in Security Technologies in Windows 8.1
    Link: https://technet.microsoft.com/en-us/library/dn344918(v=ws.11).aspx

    Therefore it appears that security mitigations in general improved even more with Windows 8.1 in many ways, much the same as how Windows 10 has improved security greatly with each major upgrade. But also with Windows 8.1 came the ability to run LSA (lsass.exe) as a protected process light (see: https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx), but proceed with caution with the LSA PPL trick because it does require Secure Boot, and I do believe that it is difficult to revert that change.
     
  17. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Wow! Many thanks @WildByDesign. I appreciate you going to the trouble of finding out this information for me. I'm still using 8.1 on one of my machines so this will be very useful.
     
  18. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Windows 10 Mitigation Improvements:
    https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf

    Data Driven Software Security:
    http://gsec.hitb.org/materials/sg2016/COMMSEC D1 - Sweety Chauhan - Data Driven Software Security.pdf
     
  19. guest

    guest Guest

    EMET enabling secondary logon service is surely an issue (for some) because of that
     
    Last edited by a moderator: Nov 26, 2016
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, the death of EMET is good news for MBAE and HMPA, even on Win 10 you still need them, as shown in the report.
     
  21. guest

    guest Guest

    but at least EMET doesn't need dozens of updates a month because it breaks things :D
     
    Last edited by a moderator: Nov 26, 2016
  22. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    and that is sadly HMPA's current Achilles' heel.
     
  23. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    https://www.microsoft.com/emet/
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    So are you saying that EMET doesn't cause too many problems? But yes I agree, I'm a bit shocked when I see how many problems are reported in the HMPA thread. That's why I have chosen not to install it, and I'm already protected against exploits quite well with my Sandboxie + EXE Radar combo.
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Keep in mind that the HMPA thread is mostly about BETA versions. So obviously there are many issues in that thread.
     