EMET (Enhanced Mitigation Experience Toolkit)

i never said that EMET does, read my posts better please.

 

I am not the only one who interpreted the post I quoted as meaning to say that EMET and HMPA inject into the same processes. Even after I requoted the post you still dont see the need to edit it?

 

no, because i never said "emet inject dlls into every processes" i just said it also "inject dlls" , my post was to highlight that every Anti-Exploit have to inject dlls hence creating potential issues and not to say that EMET or MBAE were doing as HMPA which is not as everybody here knows. i practiced enough with all of them , observing which dlls they inject to not make that mistake.

I think you wrongly related it to my HMPA statement .

Sorry if i wasnt clear enough but for me it was obvious not needing to precise that fact.

 

Yes correct, but the developers of HMPA have explained that system wide injection is also needed for the safe banking and anti-ransom feature, but other competing products do not do this, so technically speaking it shouldn't be necessary. But this was the design that the developers chose.

 

Yes, the developer mentioned it in this post: #9723

Ok, now back to topic

 

EMET has been officially dropped from NSA's Information Assurance Secure-Host-Baseline today.(https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET).

 

So apparently with Windows 10 Creators Update, all of EMET features will now be baked into the operating system with the use of Powershell and can utilize EMET .xml configurations. According to a Microsoft security developer, this mitigation functionality will also include the hugely popular EMET ASR (attack surface reduction) feature and cert pinning.

Mitigations plus ASR plus cert pinning plus CFG plus RFG = Significant security news for Windows 10 Creators Update

Source: https://twitter.com/dwizzzleMSFT/status/819226684163432448

Source: https://twitter.com/Carlos_Perez/status/819237510861717505

Source: https://twitter.com/dwizzzleMSFT/status/819238616119422977

 

Thank You WildByDesign for your ever vigilance to the things that matter for all of us Windows end users.

 

I don't think Martin Brinmann' observations on the W10~EMET puzzle have been linked here:

Microsoft: Windows 10 makes EMET unnecessary. Study: Nope

http://www.ghacks.net/2016/11/24/microsoft-windows-10-emet-unnecessary/

 

@clubhouse1 Nice find.

Comparisons are interesting.

 

EMET survey regarding future integration into Windows 10

Link: https://microsoft.qualtrics.com/jfe/form/SV_cYoqiaHAzX338AR

EDIT: Interesting...

 

The main feature(s) of Windows 10 Creators Update (1703) that was expected to not only make EMET irrelevant, but also make EMET not function correctly at all, was the combination of Control Flow Guard (CFG) and Return Flow Guard (RFG). So now that RFG has been dropped from Windows 10 Creators Update, EMET is still very much relevant in my opinion and runs/functions flawlessly.

So I just wanted to confirm that with build 15063 (Windows 10 Creators Update 1703 RTM) EMET installs without issue and functions as per normal. Although I do not expect Microsoft to change their mind to support EMET on 1703.

When Creators Update is officially released, Microsoft is expected to release a detailed blog/guide on how to replicate EMET features in Windows 10 by using Powershell commands to enable/disable mitigations.

 

An update to the EMET support article (https://support.microsoft.com/en-ca/help/2458544/the-enhanced-mitigation-experience-toolkit) from Apr 11, 2017:

That is what we all essentially had expected. However, what is interesting to me is the "EMET will not be supported or operable on Windows versions that are released after Windows Server 2016 and Windows 10 version 1703" point. That is quite interesting to state that EMET (which uses many built-in Windows mitigation methods/options) would not be "operable" on future versions of Windows 10.

Also what is of interest to me is whether or not those core operating system security changes would also render other anti-exploit software (or potentially anti-virus software) inoperable as well. Whether third-party anti-exploit or anti-virus would even be necessary on future versions of Windows 10 is debatable. But whether or not they would be operable is quite interesting to see how this plays out. I assume this has more to do with Return Flow Guard (RFG) making a return in future versions. But there could be more to it.

 

the word "operable" is very interesting, i'm curious to see the implications too.

 

I've had some time to put some more thought into this. And I don't think that it will be quite as damaging as I first thought. I believe that this will be more than just CFG+RFG.

My best guess here is that there will be major changes with regard to Application Compatibility (AppCompat) which is the Shim Engine (http://www.alex-ionescu.com/?p=39 old article but covers shimming well) in which EMET uses to inject into processes to protect them utilizing Application Compatibility Databases (.SDB files) similar to which Windows itself uses for many compatibility fixes and much more. I've seen some hints at changes coming to AppCompat at some point and that is likely what is expected in the next major upgrade/milestone for Windows 10 and would make sense that EMET would no longer be "operable" if major changes occur to AppCompat. These would be important changes with regard to overall Windows security in general and therefore necessary. The hints that I have seen here and there refer to enforcing digital signing of .SDB files and verifying those signatures prior to AppCompat injections to thwart malware utilizing AppCompat for malicious purposes. Although there is likely more to it beyond my best guesses.

I have always been a die-hard fan of EMET, however EMET has been officially uninstalled from my machines for several weeks and I will be looking forward now as opposed to looking back.

 

@WildByDesign So are you still Using EMET on Win10 CU?

 

No. No need for EMET anymore with CU since there are so many mitigations in place. Although I still do run MemProtect just in case operating system protections fail. MemProtect has been fantastic particularly with fileless malware since protected processes contain the malicious activity even if the process was compromised.

 

Source: https://twitter.com/aionescu/status/876482815784779777

 

Therefore, built into the Windows 10 RS3 (Fall Creators Update) we will have the following mitigations from EMET:

• Export Address Table Access Filtering (EAF)
  
• Export Address Table Access Filtering Plus (EAF+)
  
• ROP - Caller checks
• ROP - Simulate execution flow
• ROP - Stack pivot
• Import Address Table Filter (IAT)

Keep in mind, those are the remaining EMET mitigations that had not yet made it into Windows 10. All other EMET mitigations are already in Windows 10. EMET has officially been swallowed up by Windows 10 and therefore no longer needed.

 

This is awesome news indeed. I have not been using EMET since I installed CU. Looking forward to the rest of it being implemented into the fall CU update.

 

Awesome.

The others are naturally no less just as important but this one (for table jumpers) is all too familiar for me from the userland rootkits/dll injects if memory still serves released on the previous platforms.

• Import Address Table Filter (IAT)

Happy to see it included.

 

@Trooper @EASTER Even more great news!

Source: https://twitter.com/markwo/status/876644805249511424

Therefore, that means that these super important (and still relevant) mitigations from EMET plus the dozens or so other mitigations already built into Windows 10 will all be able to be configured per-process via IFEO MitigationOptions regkeys (either manually or simple GUI of GFlagsX) or several other ways to configure via group policy, PowerShell, etc.

This is going to be powerful and granular. Much more to it in comparison to EMET, though minus the fancy GUI which EMET had going for it. I prefer GFlagsX over EMET anyway.

 

This is indeed awesome news. Thanks for keeping us all up to date @WildByDesign

 

Ye ikes! Beneficial array of added mitigations are indeed something of a game changer but it remains to be seen what other vectors coverage from 3rd parties will help round things out, or seal the deal so-to-speak. Excubits MemProtect I know is one members really favor and for good reason. I may be putting that one into operation soon myself but am trying to nail down basics first.

This takes some time and effort and some trial and error but the granularity is welcome of course.

Are there any basic rulesets anyone else has found useful which might could be shared amongst members of different Win 10 series where they might be applied as a starting point for these current releases? I mean 1511. 1607, 1703 and the like.

I finally got around to moving up to 1703 CU, but added EMET because GFlags GUI is in the way and is not adjustable for size differences on this end.

Am I missing something to that?

As for GFlags, as nice a GUI as it is with the clear layout for user config mitigations, again I repeat, it won't let you adjust the window box size so some of it is under the bottom of the taskbar on my machine and that's a bit of an annoyance. Maybe it was overlooked? I have a set 1366x768 Landscape which I need for optimum visual.

 

If you are referring to IFEO MitigationOptions registry settings backups via XML files, I don't believe that there are any public repos yet in which users can share configurations or any shared by Microsoft either yet. The ProcessMitigations PowerShell in particular actually makes it quite easy to import/export all of these MitigationOptions individually or as a whole. But unfortunately that is all command line at the moment. I am looking forward to see what kind of UI implementation MS adds to Windows Defender Security Center with regard to process mitigations. they have been doing numerous surveys to get an idea of what kind of UI or config experience admins and enterprises want/need.

I experience this with GFlagsX as well. It is a bit "wonky" for the fact that the UI cannot be resized, I agree. I will try to suggest this with the developer since I've got a bit of communication going with him so far. I have the same resolution as well and it covers up part of the task bar when I use it. But luckily once you've got your MitigationOptions all set, you really don't need to open GFlagsX up anymore for quite some time. I'll let you know if the developer is open to allowing the UI to resize if I hear back from him on that.