EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    @WSpu
    EMET 5.5 isn't affected by the thing you mentioned -> "and the technique works for all tested versions of EMET (4.1, 5.1, 5.2, 5.2.0.1)", so it seems the latest version doesn't have this kind of problem. The CVE mentioned in this article was already fixed with 5.1.

    From what I know, and from my own research on this, there is currently no hole.
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    This person withdrew his post. o_O
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The related FireEye article is especially detailed and interesting.

    Link: https://www.fireeye.com/blog/threat-research/2016/02/using_emet_to_disabl.html

     
  4. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    @WildByDesign

    With EMET 5.5, EAF now also sets an additional guard page on NTDLL to kill more shellcodes. ;)
     
  5. I have added these Attack Surface Reduction settings for all Office (2007) applications: HTML, Flash, JavaScript, Visual Basic script and .NET execution interpreter. EMET ASR prevents these components from loading, so they cannot be abused by code embedded in the content of documents, spreadsheets, presentations, et cetera.


    Note: I have disabled early warning (EMET phone home) and the tray icon. You need to disable the tray icon to stop EMET showing warnings about the .NET execution interpreter being blocked when starting Office apps. Since no .NET is executed, all Office apps function normally (the same happens when you don't disable JavaScript in Outlook: EMET will throw a pop-up, but Outlook works normally).
     
    Last edited by a moderator: Feb 28, 2016
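Added example (not part of the thread, and not EMET's own tooling): a verification check for the ASR rules described in the post above. ASR is only doing its job if the listed interpreters are absent from each running Office process after a document has been opened, so the script enumerates the loaded modules of WINWORD/EXCEL/POWERPNT/OUTLOOK and flags any match. The module-name patterns for each ASR category are assumptions (mshtml.dll, flash*.ocx, jscript.dll, vbscript.dll, mscoree.dll); adjust them to whatever is actually configured in EMET for your Office version. Run it from an elevated PowerShell on Windows.

```powershell
# Added example, not from the original post. Checks that modules blocked by EMET ASR
# are not loaded into running Office (2007) processes.
# ASSUMPTION: these DLL/OCX patterns back the ASR categories named in the post.
$asrModules = [ordered]@{
    'HTML'             = '^mshtml\.dll$'
    'Flash'            = '^flash.*\.ocx$'
    'JavaScript'       = '^jscript9?\.dll$'
    'VBScript'         = '^vbscript\.dll$'
    '.NET interpreter' = '^mscoree\.dll$'
}

# Office 2007 executables; open a document in each before running the check.
$officeProcs = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue
if (-not $officeProcs) {
    Write-Warning 'No Office process is running; open a document first.'
    return
}

foreach ($proc in $officeProcs) {
    # .Modules needs rights on the target process; elevated shell recommended.
    try {
        $loaded = $proc.Modules | Select-Object -ExpandProperty ModuleName
    } catch {
        Write-Warning "Cannot enumerate modules of $($proc.ProcessName) (PID $($proc.Id)): $_"
        continue
    }

    foreach ($category in $asrModules.Keys) {
        $hits = @($loaded | Where-Object { $_ -match $asrModules[$category] })
        $status = if ($hits.Count -gt 0) {
            "LOADED ($($hits -join ', ')) - ASR did not block it"
        } else {
            'not loaded'
        }
        '{0,-9} PID {1,-6} {2,-17} {3}' -f $proc.ProcessName, $proc.Id, $category, $status
    }
}

# Cross-check against EMET's own record: EMET writes a block event to the Application log.
# ASSUMPTION: the event source is named "EMET" on this installation.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EMET' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ASR' } |
    Select-Object TimeCreated, Id, Message
```

A module showing as LOADED means either the ASR list for that executable does not contain that module name, or the mitigation is not applied to that process at all (e.g. the path in EMET does not match the installed Office path); the event-log query at the end tells the two apart, because a correctly configured rule produces a block event.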
  6. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    Hi Kees,
    What about PDF readers. Shouldn't they also be given similar protection?

    Phil
     
  7. Yes, you are totally right

    I use Edge as PDF Reader (disabled IE11 and WMP)
    • Create a block rule for Edge in Windows Firewall
      (simply change the allow rules to block for both inbound and outbound)
    • Disable Flash in Edge
      settings>view advanced settings>Use Adobe Flash (OFF)
    • Disable Javascript in Edge
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
      "1400"=dword:00000001

    Since Edge is a new application compiled with Control Flow Guard, EMET does not (need to) protect it.
     
    Last edited by a moderator: Feb 29, 2016
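Added example (not part of the thread): the three Edge-as-PDF-reader steps from the post above collected into one script, applied as machine policy from an elevated PowerShell on Windows 10. The firewall rules are matched by display name because Edge is a UWP app and has no program path a rule can bind to; the display name "Microsoft Edge" and the Flash policy key under MicrosoftEdge\Addons are assumptions to verify on your build. The JavaScript setting is the exact registry value quoted in the post; the comment notes the IE zone convention for action 1400 so the reader can decide between 1 and 3.

```powershell
# Added example, not from the original post. Hardens Edge for use as a PDF reader:
# block its network access, disable Flash, disable JavaScript in the Internet zone.
# Run elevated on Windows 10.

# 1. Firewall: flip the existing allow rules for Edge to Block, inbound and outbound.
#    ASSUMPTION: the rules are named "Microsoft Edge"; confirm first with
#    Get-NetFirewallRule -DisplayName '*Edge*'
Get-NetFirewallRule -DisplayName 'Microsoft Edge' -ErrorAction Stop |
    Set-NetFirewallRule -Action Block

# 2. Flash: policy counterpart of Settings > View advanced settings > Use Adobe Flash (OFF).
#    ASSUMPTION: this is the key behind the "Allow Adobe Flash" Edge policy.
$addons = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'
New-Item -Path $addons -Force | Out-Null
New-ItemProperty -Path $addons -Name 'FlashPlayerEnabled' -Value 0 -PropertyType DWord -Force | Out-Null

# 3. JavaScript: Internet zone (3), action 1400 = "Active scripting".
#    The post sets 1; in the IE zone convention 0 = Enable, 1 = Prompt, 3 = Disable.
$zone3 = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3'
New-Item -Path $zone3 -Force | Out-Null
New-ItemProperty -Path $zone3 -Name '1400' -Value 1 -PropertyType DWord -Force | Out-Null

# Verify: every Edge rule now reads Block, and both policy values read back.
Get-NetFirewallRule -DisplayName 'Microsoft Edge' | Select-Object DisplayName, Direction, Action
Get-ItemProperty -Path $addons -Name 'FlashPlayerEnabled' | Select-Object FlashPlayerEnabled
Get-ItemProperty -Path $zone3 -Name '1400' | Select-Object '1400'
```

Because these are Policies keys, the settings are enforced for every user on the machine and the corresponding switches in the Edge UI become read-only; remove the registry values (or the GPO) to revert.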
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Windows_Security :

    May I suggest a much easier method that also happens to have a higher degree of daily usability?

    Instead of applying all those settings you mention, you can just use the Microsoft Reader app.
    If you don't have it installed, then it's free in the store.
    It handles PDF, XPS and TIFF files.

    1. No need to block it in firewall, since it will not connect out.

    2. No need to block Flash, since it does not use Flash.

    3. No need to go in registry to disable JavaScript.
    The Microsoft Reader app has an easily accessible switch in its settings to enable/disable JavaScript.

    So on a daily basis you have JavaScript disabled and whenever you need to fill out a form then you just enable JavaScript in app settings, fill out the fields in your form, mail or print it, disable JavaScript again right there in apps settings.
    Much easier than having to go into the registry whenever you need JavaScript enabled.

    4. Microsoft Reader is a UWP app like Edge and is also compiled with Control Flow Guard, and just like Edge it also runs sandboxed in AppContainer, so no need to worry about protecting it any further.

    Thought I would mention it, since it's a lot easier to just set the Reader app to default PDF handler and then have the JavaScript switch easily accessible.
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Try manually changing the IL.
    With Windows 7 + Sumatra PDF (my offline PDF reader), the Untrusted level does not work.
    I used Mark Minasi's tool.

    http://sendvid.com/fw5embf2
     
  10. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    emule really? .... :D

    Just use Sumatra and block the internet; it's enough. o_O
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    The pc is of my daughter.
     
  12. Cool, thx, but I still use Edge as PDF reader, because I already went to all the trouble on my PC; will add this to my wife's laptop because she uses Edge as browser.
     
    Last edited by a moderator: Feb 29, 2016
  13. Dirk41

    Dirk41 Registered Member

    Joined:
    Mar 22, 2016
    Posts:
    26
    Hi guys, may I ask you a simple question?
    I just installed EMET. I set the recommended configuration at the beginning. But now I try to open it and nothing appears: I mean I see the process in the background, the icon beside the clock on the bottom right, but apparently I can't open it.
    I use a standard account, so it asks me for a password; I type it, it's OK, it doesn't say it is wrong, but then the window closes.

    Thank you in advance.

    EDIT: tried to reinstall. Nothing.
     
    Last edited: Mar 28, 2016
  14. Dirk41

    Dirk41 Registered Member

    Joined:
    Mar 22, 2016
    Posts:
    26

    Problem solved. It has to be installed by an admin.

    A question: I am not an expert, so I would go with the recommended settings. If I stay this way, is it useful anyway, or is it like not having it? Thank you.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    @ WildByDesign

    With EMET 5.5 on Windows 10, did you run the Exploit Test Tool (HPA3 ver 1.9.2)?
    Score?

    TH.
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Sampei Nihira I am running EMET 5.5 on Windows 10 still, but I have not specifically tested Exploit Test Tool against EMET as of yet. I can give that a try later if I've got some extra time. Do I need to add the Exploit Test Tool executable to EMET's list of configured Apps? Or is there any other specific configuration within EMET that I need to set prior to running the Exploit Test Tool?
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Sampei Nihira Preliminary testing results: Windows 10 Pro 64-bit, EMET 5.5, hmpalert-test version 1.9.2 32-bit. Unfortunately Surfright isn't offering the 64-bit exploit test tool at the moment; not sure how much of a difference that would make.

    EMET 5.5 let the following slip through:
    • Unpivot Stack
    • ROP - Wow64 bypass
    • ROP - Exploit Wow64
    • ROP - system() in msvcrt - partial
    • ROP - VirtualProtect() via CALL gadget
    • Heap Spray 1
    • Heap Spray 2
    • Heap Spray 3
    • Anti-VM - VMware
    • Anti-VM - Virtual PC
    • Webcam test (not an exploit)
    • Keyboard logger (not an exploit)
    This was not testing using AppContainer, though. I am still trying to figure out how to test EMET with AppContainer appropriately.
     
    Last edited: Apr 23, 2016
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    EMET 5.51 released!
    Link: https://www.microsoft.com/en-us/download/details.aspx?id=53354
    Also, the EMET support article has been updated as of 08/02/2016.
    Link: https://support.microsoft.com/en-ca/kb/2458544


    Updated user guide: https://www.microsoft.com/en-us/download/details.aspx?id=53355

    EDIT: Apparently 20+ new skins/themes added. That was unexpected. :cool:
     
    Last edited: Aug 3, 2016
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From user manual (5.5 and 5.51):
    EDIT: Here is a bit of info that I found from the previous release 5.5 manual, a change brought forward with that 5.5 release (which of course is still relevant with 5.51 release):
     
    Last edited: Aug 3, 2016
  23. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Nice, no tweaking needed on installing 5.51 - even Chrome works with the default mitigations selected for it. I recall spending a loooong time getting some software to work with 4.1.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some phenomenal tips for blocking some specific bypasses by configuring EMET via group policy, along with other great information. These could be configured via the EMET GUI or the registry as well.
    Source: https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET

     
  25. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Good news! I wish I could use them on my MBAE though. :)
     