Moving Beyond EMET II – Windows Defender Exploit Guard

Discussion in 'other anti-malware software' started by WildByDesign, Aug 9, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Moving Beyond EMET II – Windows Defender Exploit Guard
    August 9, 2017


    Link: https://blogs.technet.microsoft.com...eyond-emet-ii-windows-defender-exploit-guard/
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,192
    Location:
    Among the gum trees
    I wonder if this will be included in Home Edition? What if we are using a third party AV, will Exploit Guard still work?

    Then there's the compatibility with HMP.A and / or MB 3.x.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes and Yes. :thumb:
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,192
    Location:
    Among the gum trees
    Cool! Thanks @WildByDesign . :cool:
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,638
    Location:
    Under a bushel ...
    But would there not be compatibility issues with HMP.A or MB 3 anti-exploit module?
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,192
    Location:
    Among the gum trees
    I would guess, yes. Sounds like @erikloman and the MB devs have some work to do. I've already disabled Exploit Protection in MB, not that I allow it to start with Windows these days though.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,638
    Location:
    Under a bushel ...
    I have done the opposite at the moment :). HMP.A has recently been somehow interfering with Windows cumulative updates, and I am also unable to run dism or sfc commands, unless I remove HMP.A.

    So I currently have MB3 set to start with Windows, with MBAE module only (previously I ran MB 3 only as an on-demand scanner, and only because I have a lifetime license). If the Lomans can find the problem, I will revert to HMP.A.

    But I guess I'll just use Exploit Guard when it comes. HMP.A does do extra stuff, and I guess the Lomans will program it to 'work around' Exploit Guard, like they did for MB 3 AE.

    .
     
    Last edited: Aug 10, 2017
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    The direction Microsoft has taken with security in Windows 10 has impressed me, ever since the first beta build of Windows 10 was released years ago.

    But I must say that both the improvements and the new implementations we saw Microsoft doing with Creators Update and now see with Fall Creators Update - it's simply amazing how much power is being added to everything in the entire Windows 10 threat protection stack.

    All the new mitigations with Windows Defender Exploit Guard.
    All the added capabilities in Windows Defender.
    All the improvements to the Microsoft Intelligent Security Graph.
    The Controlled Folder Access.
    The added mitigations and stronger sandboxing of Edge.

    And for enterprise, Windows Defender ATP now integrated into everything in the entire threat protection stack.

    And the list simply goes on and on. Tons more to mention.
    Perfect. :thumb:
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I have been experimenting with the addition of EMET ROP mitigations in RS3 (Fall Creators Update / 1709) for several weeks now. All of these mitigations are enforced within kernel-mode which is great. Event Viewer has great details on mitigations which helps to track down malicious activities and/or troubleshoot mitigations causing problems.

    Event Viewer:
    Applications and Services Logs > Microsoft > Windows > Security-Mitigations
    From there you have a section for User Mode mitigation events and Kernel Mode mitigation events.

    One of my favourite new(ish) mitigations is the Child Process mitigation. It works great for applications which do not normally spawn child processes.

    My testing so far has been fantastic. My one and only negative takeaway so far is that you cannot apply any of the EMET ROP mitigations from Exploit Guard in RS3 on Google Chrome (Chromium). This is super unfortunate because this is something that we can typically do with the EMET software itself to protect chrome.exe processes. However, EMET applies mitigations differently in comparison to Exploit Guard in RS3. RS3 has all of these mitigations applied in kernel mode, whereas EMET had to use shims to inject the DLL which applied mitigations. So without a doubt, RS3 is doing this much better. The problem here, though, is that these EMET ROP mitigations in RS3 seem to trigger a mitigation which is built into Chrome binary already which is Disable Win32k System Calls. Chrome already has that mitigation built into the binary and is applied by default to many of the chrome.exe child processes such as renderer processes and likely more. Essentially the ones which are in AppContainer.

    I've tried disabling AppContainer for Chromium and even tried manually disabling the Disable Win32k System Calls mitigation for the process but all attempts failed. Therefore I was not able to protect chrome.exe at all with any of these additional EMET ROP mitigations in RS3 which was unfortunate since this is something that we can do with the EMET software itself. However, EMET itself is blocked in RS3. So who knows, maybe this is a good thing and suggests that Chromium's sandbox is so effective that these mitigations fail to apply, I do not know. But I will do more testing over the coming weeks.

    One thing that is fantastic in RS3 is using the built-in PowerShell ProcessMitigations module to import/export the entire IFEO MitigationOptions settings.

    Code:
    Import (add changes to registry):
    Set-ProcessMitigation -PolicyFilePath Settings.xml
    
    Export (backup changes from registry):
    Get-ProcessMitigation -RegistryConfigFilePath Settings.xml

    Below is an example Settings.xml file which can be imported to another machine:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <root>
      <SystemConfig></SystemConfig>
      <AppConfig Executable="BouncerTray.exe">
        <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
        <ASLR Enable="true" ForceRelocateImages="true" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
        <StrictHandle Enable="true" OverrideStrictHandle="false"></StrictHandle>
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
        <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
        <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="false" OverrideMicrosoftSignedOnly="false" Audit="false" EnforceModuleDependencySigning="true" OverrideEnforceModuleDependencySigning="false"></SignedBinaries>
        <Fonts DisableNonSystemFonts="true" AuditOnly="false" OverrideFontDisable="false" Audit="false"></Fonts>
        <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" PreferSystem32="true" OverridePreferSystem32="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
        <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" OverrideExportAddressFilterPlus="false" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" OverrideImportAddressFilter="false" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" OverrideEnableRopCallerCheck="false" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" OverrideEnableRopSimExec="false" AuditEnableRopSimExec="false"></Payload>
        <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
        <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
      </AppConfig>
      <AppConfig Executable="chrome.exe">
        <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
        <ASLR Enable="true" ForceRelocateImages="true" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
        <StrictHandle Enable="true" OverrideStrictHandle="false"></StrictHandle>
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
        <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
        <SignedBinaries EnforceModuleDependencySigning="true" OverrideEnforceModuleDependencySigning="false"></SignedBinaries>
        <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" PreferSystem32="true" OverridePreferSystem32="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
        <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
        <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
      </AppConfig>
      <AppConfig Executable="EXCELC.EXE">
        <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
        <ASLR Enable="true" ForceRelocateImages="true" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
        <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
        <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="false" OverrideMicrosoftSignedOnly="false" Audit="false"></SignedBinaries>
        <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" PreferSystem32="true" OverridePreferSystem32="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
        <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" OverrideExportAddressFilterPlus="false" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" OverrideImportAddressFilter="false" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" OverrideEnableRopCallerCheck="false" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" OverrideEnableRopSimExec="false" AuditEnableRopSimExec="false"></Payload>
        <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
        <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
      </AppConfig>
      <AppConfig Executable="iexplore.exe">
        <ASLR Enable="false" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
      </AppConfig>
      <AppConfig Executable="KeePass.exe">
        <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
        <ASLR Enable="true" ForceRelocateImages="true" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
        <StrictHandle Enable="true" OverrideStrictHandle="false"></StrictHandle>
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
        <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
        <SignedBinaries EnforceModuleDependencySigning="true" OverrideEnforceModuleDependencySigning="false"></SignedBinaries>
        <Fonts DisableNonSystemFonts="true" AuditOnly="false" OverrideFontDisable="false" Audit="false"></Fonts>
        <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" PreferSystem32="true" OverridePreferSystem32="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
        <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" OverrideExportAddressFilterPlus="false" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" OverrideImportAddressFilter="false" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" OverrideEnableRopCallerCheck="false" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" OverrideEnableRopSimExec="false" AuditEnableRopSimExec="false"></Payload>
        <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
        <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
        <ChildProcess DisallowChildProcessCreation="true" OverrideChildProcess="false" Audit="false"></ChildProcess>
      </AppConfig>
      <AppConfig Executable="mscorsvw.exe">
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
      </AppConfig>
      <AppConfig Executable="ngen.exe">
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
      </AppConfig>
      <AppConfig Executable="ngentask.exe">
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
      </AppConfig>
      <AppConfig Executable="PresentationHost.exe">
        <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
        <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
        <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
        <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
      </AppConfig>
      <AppConfig Executable="PrintDialog.exe">
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
      </AppConfig>
      <AppConfig Executable="runtimebroker.exe">
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
      </AppConfig>
      <AppConfig Executable="svchost.exe"></AppConfig>
      <AppConfig Executable="SystemSettings.exe">
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
      </AppConfig>
      <AppConfig Executable="thunderbird.exe">
        <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
        <ASLR Enable="true" ForceRelocateImages="true" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
        <StrictHandle Enable="true" OverrideStrictHandle="false"></StrictHandle>
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
        <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
        <SignedBinaries EnforceModuleDependencySigning="true" OverrideEnforceModuleDependencySigning="false"></SignedBinaries>
        <Fonts DisableNonSystemFonts="true" AuditOnly="false" OverrideFontDisable="false" Audit="false"></Fonts>
        <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" PreferSystem32="true" OverridePreferSystem32="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
        <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" OverrideExportAddressFilterPlus="false" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" OverrideImportAddressFilter="false" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" OverrideEnableRopCallerCheck="false" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" OverrideEnableRopSimExec="false" AuditEnableRopSimExec="false"></Payload>
        <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
        <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
        <ChildProcess DisallowChildProcessCreation="true" OverrideChildProcess="false" Audit="false"></ChildProcess>
      </AppConfig>
      <AppConfig Executable="Tray.exe">
        <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
        <ASLR Enable="true" ForceRelocateImages="true" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
        <StrictHandle Enable="true" OverrideStrictHandle="false"></StrictHandle>
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
        <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
        <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="false" OverrideMicrosoftSignedOnly="false" Audit="false" EnforceModuleDependencySigning="true" OverrideEnforceModuleDependencySigning="false"></SignedBinaries>
        <Fonts DisableNonSystemFonts="true" AuditOnly="false" OverrideFontDisable="false" Audit="false"></Fonts>
        <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" PreferSystem32="true" OverridePreferSystem32="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
        <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" OverrideExportAddressFilterPlus="false" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" OverrideImportAddressFilter="false" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" OverrideEnableRopCallerCheck="false" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" OverrideEnableRopSimExec="false" AuditEnableRopSimExec="false"></Payload>
        <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
        <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
      </AppConfig>
      <AppConfig Executable="WINWORDC.EXE">
        <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
        <ASLR Enable="true" ForceRelocateImages="true" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
        <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
        <ControlFlowGuard Enable="true" SuppressExports="false" OverrideCFG="false"></ControlFlowGuard>
        <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="false" OverrideMicrosoftSignedOnly="false" Audit="false"></SignedBinaries>
        <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" PreferSystem32="true" OverridePreferSystem32="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>
        <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" OverrideExportAddressFilterPlus="false" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" OverrideImportAddressFilter="false" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" OverrideEnableRopCallerCheck="false" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" OverrideEnableRopSimExec="false" AuditEnableRopSimExec="false"></Payload>
        <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
        <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
      </AppConfig>
    </root>
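As an added example (not code from the post or from Microsoft's ProcessMitigations module), this Python script parses a Settings.xml in the format shown above and reports, per executable, which settings are enforced, which are left in audit mode, which apps get no EMET-style Payload (ROP) mitigations, and which carry Code Integrity Guard (MicrosoftSignedOnly), the setting that refuses non-Microsoft DLLs such as the mbae64.dll injection discussed later in the thread. The embedded sample is a trimmed copy of the posted file.

```python
"""Summarise an Exploit Guard Settings.xml (Get-/Set-ProcessMitigation format).

Added example, not from the forum post. The structure (root > AppConfig
Executable="..." > one element per mitigation family with boolean attributes)
is taken from the file posted above; the sample below is trimmed from it.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Trimmed from the posted Settings.xml: one app with Code Integrity Guard
# (MicrosoftSignedOnly) and Payload mitigations, one app without either.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<root>
  <SystemConfig></SystemConfig>
  <AppConfig Executable="BouncerTray.exe">
    <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
    <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="false" OverrideMicrosoftSignedOnly="false" Audit="false" EnforceModuleDependencySigning="true" OverrideEnforceModuleDependencySigning="false"></SignedBinaries>
    <Payload EnableExportAddressFilter="true" OverrideExportAddressFilter="false" AuditEnableExportAddressFilter="false" EnableRopStackPivot="true" OverrideEnableRopStackPivot="false" AuditEnableRopStackPivot="false"></Payload>
  </AppConfig>
  <AppConfig Executable="chrome.exe">
    <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
    <ASLR Enable="true" ForceRelocateImages="true" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
    <SignedBinaries EnforceModuleDependencySigning="true" OverrideEnforceModuleDependencySigning="false"></SignedBinaries>
  </AppConfig>
  <AppConfig Executable="svchost.exe"></AppConfig>
</root>
"""

# Attributes that change *how* a mitigation applies rather than switching one on.
MODIFIER_ATTRS = {"EmulateAtlThunks", "SuppressExports", "TelemetryOnly",
                  "AuditOnly", "AllowStoreSignedBinaries"}


def _is_enforcing(name: str, value: str) -> bool:
    """True for a boolean attribute that turns a mitigation on (not Override*/Audit*)."""
    return (value.lower() == "true"
            and not name.startswith(("Override", "Audit"))
            and name not in MODIFIER_ATTRS)


def summarize_settings(xml_text: str) -> dict[str, list[str]]:
    """{executable: ["Family.Attribute", ...]} of enforced settings per AppConfig."""
    root = ET.fromstring(xml_text)
    summary: dict[str, list[str]] = {}
    for app in root.iter("AppConfig"):
        exe = app.get("Executable", "?")
        summary[exe] = [f"{fam.tag}.{attr}" for fam in app
                        for attr, val in fam.attrib.items() if _is_enforcing(attr, val)]
    return summary


def cig_protected(xml_text: str) -> list[str]:
    """Executables with Code Integrity Guard: non-Microsoft-signed DLLs are refused,
    which is why a third-party anti-exploit DLL cannot inject into them."""
    return [exe for exe, items in summarize_settings(xml_text).items()
            if "SignedBinaries.MicrosoftSignedOnly" in items]


def without_rop_mitigations(xml_text: str) -> list[str]:
    """Executables that receive none of the EMET-style Payload (EAF/IAF/ROP) checks."""
    return [exe for exe, items in summarize_settings(xml_text).items()
            if not any(item.startswith("Payload.") for item in items)]


def audit_only_settings(xml_text: str) -> dict[str, list[str]]:
    """Settings that only log (Audit*/AuditOnly/TelemetryOnly = true), per executable."""
    root = ET.fromstring(xml_text)
    out: dict[str, list[str]] = {}
    for app in root.iter("AppConfig"):
        hits = [f"{fam.tag}.{attr}" for fam in app for attr, val in fam.attrib.items()
                if val.lower() == "true"
                and (attr.startswith("Audit") or attr == "TelemetryOnly")]
        if hits:
            out[app.get("Executable", "?")] = hits
    return out


if __name__ == "__main__":
    for exe, items in summarize_settings(SAMPLE_SETTINGS).items():
        print(f"{exe}: {', '.join(items) or '(no settings)'}")
    print("CIG-protected:", cig_protected(SAMPLE_SETTINGS))
    print("No Payload mitigations:", without_rop_mitigations(SAMPLE_SETTINGS))
    print("Audit-only:", audit_only_settings(SAMPLE_SETTINGS))
```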
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I knew I had it but until you posted the event viewer info I had not checked out much except the controlled folders option.

    Looks like there's some conflict with Malwarebytes AE.
    I am posting a screen shot of Kernel logs (attachment: ScreenHunter_84 Sep. 21 09.18.jpg).
     
  11. guest

    guest Guest

    This is expected.
    It seems you are protecting Microsoft Edge with MBAE and it wants to inject the file "mbae64.dll".
    The native protection of Windows "Exploit Guard" is preventing the injection of the "non-Microsoft-signed binary".
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I disabled MBAE for now ;)
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,334
    Location:
    Italy
    Hi WildByDesign.
    Is it possible to have a result at the Exploit Test Tool (HPA3)?
    TH.


    I did the Test
    Little satisfaction.:(

    ______________________________________

    Enabled Chrome Anti-Exploit Protection.


    :):thumb:
     
    Last edited: Oct 18, 2017
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,334
    Location:
    Italy
    Hi.
    My Chrome Anti-Exploit Protection:


    @ WildByDesign

    you have also included the mitigation under:


    <SignedBinaries EnforceModuleDependencySigning="true" OverrideEnforceModuleDependencySigning="false"></SignedBinaries>
    <ImageLoad BlockRemoteImageLoads="true" OverrideBlockRemoteImageLoads="false" BlockLowLabelImageLoads="true" OverrideBlockLowLabel="false" PreferSystem32="true" OverridePreferSystem32="false" AuditRemoteImageLoads="false" AuditLowLabelImageLoads="false"></ImageLoad>

    Can you explain?
    TH.
     
  15. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden

    What do I do wrong?

    Trying to import your settings by typing this in powershell (admin):

    Set-ProcessMitigation - C:\Users\XXX\Desktop test.xml

    I get this message:

    Set-ProcessMitigation : A positional parameter cannot be found that accepts argument 'C:\Users\XXX\Desktop'.
    At line:1 char:1
    + Set-ProcessMitigation - C:\Users\XXX\Desktop test.xml
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-ProcessMitigation], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.Samples.PowerShell.Commands.SetProcessMitigationsCommand
     
    Last edited: Oct 22, 2017
  16. guest

    guest Guest

    Try this:
    Code:
    Example for Export:
    Get-ProcessMitigation -RegistryConfigFilePath C:\Users\XXX\Desktop\export.xml
    Example for Import:
    Set-ProcessMitigation -PolicyFilePath C:\Users\XXX\Desktop\test.xml
     
  17. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thank you! Working so much better now. :) Also @WildByDesign, thank you for the Chrome/Word/Excel anti-exploit settings! I assume you added all possible exploit protection without breaking any functionality!
     
    Last edited: Oct 22, 2017
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,334
    Location:
    Italy
    Chrome:

    http://sendvid.com/gcftah7j
     
  19. I'm still using EMET 5.5 Software on Windows 7 Operating System, not a big Windows 10 fan and stuff. Yet another Windows 10 UAC bypass found and older versions of EMET hacked. Plus I've bypassed EMET 5.5 using (RCE) Remote Code Execution exploits. Also working on Perl binary exploits with success. :rolleyes: Well EMET does a great job in blocking code injection from memory the same as Windows 10 Security and Microsoft Edge! Plus Anti-Virus Software is not detecting exploit binary files.
     
  20. Code looks good, I use EMET 5.5 Software and add Google Chrome process!
     
  21. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    Since I'm on Windows 10 LTSB, I rely on MBAE for anti-exploit mitigation protection.
     
  22. Last edited by a moderator: Jan 11, 2018
  23. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    My version of Windows only gets service updates and security patches, no new features.

    That will change with the next LTSB build due out next year.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    RS3 MitigationOptions Bit Mask Map (Work In Progress)
    * I still need to get a hold of some new RS4 mitigations

    Code:
    
                             ________________________________________________>Validate Exception Chains (SEHOP)
                            | _______________________________________________>Data Execution Prevention (DEP)
                            ||  _____________________________________________>Validate Heap Integrity
                            || | ____________________________________________>Force Randomization (Mandatory ASLR)
                            || ||  __________________________________________>High Entropy ASLR
                            || || | _________________________________________>Randomize Memory (Bottom-up ASLR)
                            || || ||  _______________________________________>Disable Win32k System Calls
                            || || || | ______________________________________>Validate Handle Usage
                            || || || ||  ____________________________________>Arbitrary Code Guard (ACG)
                            || || || || | ___________________________________>Disable Extension Points
                            || || || || ||  _________________________________>Code Integrity Guard (CIG)
                            || || || || || | ________________________________>Control Flow Guard (CFG)
                            || || || || || ||  ______________________________>Block Remote Images
                            || || || || || || | _____________________________>Block Untrusted Fonts
                            || || || || || || ||  ___________________________>Prefer System32 Images
                            || || || || || || || | __________________________>Block Low Integrity Images
                            || || || || || || || ||  ________________________>Validate Image Dependency Integrity
                            || || || || || || || || | _______________________>
                            || || || || || || || || ||  _____________________>
                            || || || || || || || || || | ____________________>Control Flow Guard (CFG) - Strict CFG
                            || || || || || || || || || ||  __________________>Validate API Invocation (CallerCheck)
                            || || || || || || || || || || | _________________>Validate Stack Integrity (StackPivot)
                            || || || || || || || || || || ||  _______________>Export Address Filtering (EAF)
                            || || || || || || || || || || || | ______________>Simulate Execution (SimExec)
                            || || || || || || || || || || || ||  ____________>Do Not Allow Child Processes
                            || || || || || || || || || || || || | ___________>EAF+ - Validate Modules
                            || || || || || || || || || || || || ||  _________>Validate Image Dependency Integrity
                            || || || || || || || || || || || || || | ________>Import Address Filtering (IAF)
                            || || || || || || || || || || || || || ||  ______>
                            || || || || || || || || || || || || || || | _____>
                            || || || || || || || || || || || || || || ||  ___>
                            || || || || || || || || || || || || || || || | __>
                            || || || || || || || || || || || || || || || ||
    "MitigationOptions"=hex:11,12,11,11,11,11,11,11,10,01,11,11,11,11,00,00
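As an added example (not from the post), this Python decoder reads a MitigationOptions REG_BINARY value using the nibble order of the map above, keeping its blank and duplicated positions as drawn. The meaning of each 2-bit field (01 = on, 10 = off, 00 = default) is the PROCESS_CREATION_MITIGATION_POLICY encoding Windows uses for this value; the second value it diffs against is a constructed variant with Mandatory ASLR switched on.

```python
"""Decode a Windows IFEO "MitigationOptions" value into named mitigation states.

Added example, not from the forum post. Hex digits are read left to right
exactly as the .reg line prints them, which is the order the map above draws
its arrows in. Each labelled field sits in the low two bits of its nibble:
01 = always on, 10 = always off, 00 = leave at default. Both bits set has a
field-specific meaning (for Mandatory ASLR it is "require relocations").
"""
from __future__ import annotations

# One label per hex digit; positions the map leaves blank stay None so no
# name is invented for them. The map lists one label twice; both are kept.
NIBBLE_LABELS: list[str | None] = [
    "Validate Exception Chains (SEHOP)",
    "Data Execution Prevention (DEP)",
    "Validate Heap Integrity",
    "Force Randomization (Mandatory ASLR)",
    "High Entropy ASLR",
    "Randomize Memory (Bottom-up ASLR)",
    "Disable Win32k System Calls",
    "Validate Handle Usage",
    "Arbitrary Code Guard (ACG)",
    "Disable Extension Points",
    "Code Integrity Guard (CIG)",
    "Control Flow Guard (CFG)",
    "Block Remote Images",
    "Block Untrusted Fonts",
    "Prefer System32 Images",
    "Block Low Integrity Images",
    "Validate Image Dependency Integrity",
    None, None,
    "Control Flow Guard (CFG) - Strict CFG",
    "Validate API Invocation (CallerCheck)",
    "Validate Stack Integrity (StackPivot)",
    "Export Address Filtering (EAF)",
    "Simulate Execution (SimExec)",
    "Do Not Allow Child Processes",
    "EAF+ - Validate Modules",
    "Validate Image Dependency Integrity",
    "Import Address Filtering (IAF)",
    None, None, None, None,
]

STATE_NAMES = {0: "default", 1: "on", 2: "off", 3: "both bits set"}


def reg_hex_to_digits(value: str) -> str:
    """Turn '"MitigationOptions"=hex:11,12,...' (or bare hex) into a digit string."""
    body = value.split("hex:", 1)[1] if "hex:" in value else value
    digits = "".join(ch for ch in body if ch not in ", \t\r\n")
    if len(digits) % 2 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError("not a valid REG_BINARY hex string")
    return digits.lower()


def decode_mitigation_options(value: str) -> dict[str, str]:
    """Return {mitigation label: state} for every labelled nibble position."""
    result: dict[str, str] = {}
    for pos, ch in enumerate(reg_hex_to_digits(value)):
        if pos >= len(NIBBLE_LABELS) or NIBBLE_LABELS[pos] is None:
            continue
        nibble = int(ch, 16)
        state = STATE_NAMES[nibble & 0b11]
        # The upper pair of a nibble is a companion flag (0x4 in the DEP nibble
        # is ATL thunk emulation); report it instead of silently dropping it.
        if nibble >> 2:
            state += f" (+companion bits 0x{nibble & 0b1100:x})"
        label = NIBBLE_LABELS[pos]
        key = label if label not in result else f"{label} [pos {pos}]"
        result[key] = state
    return result


def enabled_mitigations(value: str) -> list[str]:
    """Labels whose field is set to 'on'."""
    return [k for k, v in decode_mitigation_options(value).items() if v.startswith("on")]


def diff_mitigation_options(before: str, after: str) -> dict[str, tuple[str, str]]:
    """Fields that changed between two exports, e.g. before/after Set-ProcessMitigation."""
    a, b = decode_mitigation_options(before), decode_mitigation_options(after)
    return {k: (a.get(k, "absent"), b.get(k, "absent"))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# The value from the post above, and a constructed variant with Mandatory ASLR on.
FORUM_VALUE = '"MitigationOptions"=hex:11,12,11,11,11,11,11,11,10,01,11,11,11,11,00,00'
CONSTRUCTED_VARIANT = '"MitigationOptions"=hex:11,11,11,11,11,11,11,11,10,01,11,11,11,11,00,00'

if __name__ == "__main__":
    for name, state in decode_mitigation_options(FORUM_VALUE).items():
        print(f"{state:8} {name}")
    print("changed:", diff_mitigation_options(FORUM_VALUE, CONSTRUCTED_VARIANT))
```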
    
     