Process Mitigation Management Tool

Discussion in 'other anti-malware software' started by WildByDesign, Apr 2, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
    The Process Mitigation Management Tool is a Powershell module/cmdlet to manage advanced process mitigatons on Windows 10 (Creators Update, may work on others) and is the current implementation of a followup to EMET (Enhanced Mitigation Experience Toolkit).

    This tool allows you to manage process mitigations and also import EMET policy .xml files (including your own custom exported EMET configs). Microsoft is currently running some surveys on how to improve upon this Process Mitigation Management Tool.

    Link: https://www.powershellgallery.com/packages/ProcessMitigations/

    Install: PS> Install-Module -Name ProcessMitigations

    Commands:
    Code:
    Set-ProcessMitigations
    Get-ProcessMitigations
    ConvertTo-ProcessMitigationPolicy
    Help:
    Code:
    get-help Set-ProcessMitigations
    get-help Get-ProcessMitigations


    And so “without further adieu”...


    Process Mitigation Management Tool


    The Process Mitigation Management Tool provides functionalities to allow users to configure and audit exploit mitigations for increased process security or for continued enforcement of EMET policy settings.


    Exploit Mitigations

    The Process Mitigation Management Tool offers six new functionalities (Enumerate, Enable, Disable, Save, Apply, Convert) to cover basic settings configuration for the following Windows 10 exploit mitigations:

    1. DEP (configurable via EMET)
    2. DEPATL
    3. SEHOP (configurable via EMET)
    4. MandatoryASLR (configurable via EMET)
    5. BottomUpASLR (configurable via EMET)
    6. HighEntropyASLR
    7. CFG
    8. NoRemoteImages
    9. NoLowLabel
    10. PreferSystem32
    11. FontDisable (configurable via EMET)
    12. AuditNonSysFonts
    13. MicrosoftSignedOnly
    14. StoreSignOnly
    15. ExtensionPointDisable
    16. SystemCallDisable
    17. StrictHandleCheck
    18. ProhibitDynamicCode
    19. AllowThreadOptOut

    Functionalities

    The **Enumerate** functionality generates a list of running process mitigation settings or a list of registry mitigation settings for a particular process, which the user specifies by process name or process ID.
    The **Enable** and **Disable** functionalities respectively enable and disable registry settings for a process mitigation.


    Examples

    Code:
    | Sample usage |  Sample PowerShell |
    |--------------|--------------------|
    | **Enumerate** running process settings for a Notepad instance based on process name. |  Get-ProcessMitigation -Name notepad.exe |
    | **Enumerate** registry settings for Notepad based on process name. | Get-ProcessMitigation -Name notepad.exe -Registry |
    | **Enumerate** running process settings for a Notepad instance based on process ID. | Get-ProcessMitigation -Id 1304 |
    | **Enable** SEHOP and **disable** MandatoryASLR and DEPATL registry settings for Notepad. | Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL |
    | **Save** registry settings (process mitigation policy) for all supported process mitigations. | Get-ProcessMitigation -Save settings.xml |
    | **Apply** registry settings (process mitigation policy) for all supported process mitigations. | Set-ProcessMitigation -File settings.xml |
    | **Convert** from EMET policy settings to registry settings (process mitigation policy) for relevant process mitigations.| ConvertTo-ProcessMitigationPolicy -EMETfile emetpolicy.xml -output newconfiguration.xml |

    Caveats
    • Windows 10 systems will still enforce certain high-value protections (DEP, CFG, etc.) for most/all processes, even if these mitigations have been disabled in registry settings (process mitigation policy) by the user.
    • The **Enumerate** functionality’s result for the SEHOP mitigation setting is unreliable.
    • The **Convert** functionality, when given an EMET policy file as input, ignores any ASR rules in the EMET policy that contain module wildcards, as well as any mitigation settings in the EMET policy for which there is no Windows 10 counterpart.
     
    Last edited: Apr 3, 2017
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,888
    Location:
    Europe then Asia
    Interesting, so this is the embryonic replacement of EMET made as a built-in security feature?
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
    Correct. Apparently also includes ASR function to block DLL injections as well but I have not figured it all out yet. Package contains ProcessMitigations.dll among other interesting binaries. Microsoft is expected to write a detailed blog for the usage of this tool once Creators Update is officially released.
     
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,888
    Location:
    Europe then Asia
    Great. I will wait for it.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
    Process Mitigation Management Tool has been updated to version 1.0.5 with many usability fixes and documentation updates.

    Regarding my post over in the Windows build-in Sandbox thread (https://www.wilderssecurity.com/threads/windows-build-in-sandbox.386322/page-3#post-2656120) I had shared a link dealing with MitigationOptions (QWORD) registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

    Link: https://raw.githubusercontent.com/TheRyuu/theryuu.github.io/master/ifeo-mitigationoptions.txt

    This new Process Mitigation Management Tool utilizes those same registry entries and essentially the same as EMET as well. However, the bitmask seems to be extended more with Windows 10 Creators Update. There were 15 digits to the bitmask when used with Anniversary Update. But now with Creators Update, I am seeing 16 digits and potentially more but I have to do some more testing. Therefore this means that there are some additional process mitigations included with Creators Update but not necessarily widely documented at the moment.

    Here are some updated usage syntax from the help files:

    ---
    external help file: processmitigations.dll-Help.xml
    online version:
    schema: 2.0.0
    ---

    # ConvertTo-ProcessMitigationPolicy

    ## SYNOPSIS
    Converts an mitigation policy file formats.

    ## SYNTAX

    ```
    ConvertTo-ProcessMitigationPolicy -EMETFilePath <String> -OutputFilePath <String>
    ```

    ## DESCRIPTION
    Converts an EMET policy file or pinning rule file to a new Windows 10 format.

    ## EXAMPLES

    ### Example 1
    ```
    PS C:\> ConvertTo-ProcessMitigationPolicy -EMETFilePath policy.xml -OutputFilePath result.xml
    ```

    Converts EMET file policy.xml to result.xml, may also generate a CI file CI-result.xml if necessary.

    ## PARAMETERS

    ### -EMETFilePath
    {{Fill EMETFilePath Description}}

    ```yaml
    Type: String
    Parameter Sets: (All)
    Aliases: f

    Required: True
    Position: Named
    Default value: None
    Accept pipeline input: True (ByPropertyName, ByValue)
    Accept wildcard characters: False
    ```

    ### -OutputFilePath
    {{Fill OutputFilePath Description}}

    ```yaml
    Type: String
    Parameter Sets: (All)
    Aliases: o

    Required: True
    Position: Named
    Default value: None
    Accept pipeline input: True (ByPropertyName, ByValue)
    Accept wildcard characters: False
    ```

    ## INPUTS

    ### None

    ## OUTPUTS

    ### System.Object

    ## NOTES

    ## RELATED LINKS

    ---
    external help file: ProcessMitigations.dll-Help.xml
    online version:
    schema: 2.0.0
    ---

    # Set-ProcessMitigation

    ## SYNOPSIS
    Commands to enable and disable process mitigations or set them in bulk from an XML file.

    ## SYNTAX

    ### ProcessPolicy
    ```
    Set-ProcessMitigation [[-Name] <String>] [-Disable <String[]>] [-Enable <String[]>]
    ```

    ### FullPolicy
    ```
    Set-ProcessMitigation -PolicyFilePath <String>
    ```

    ## DESCRIPTION
    Used to turn on and off various process mitigation settings.
    Can also apply an XML file to apply settings for many processes at once.

    ## EXAMPLES

    ### Example 1
    ```
    PS C:\> set-ProcessMitigation -Name Notepad.exe -Enable SEHOP -Disable MandatoryASLR
    ```

    Gets the current process mitigation for "notepad.exe" from the registry and then enables SEHOP, and disables MandatoryASLR.

    ### Example 2
    ```
    PS C:\> set-ProcessMitigation -PolicyFilePath settings.xml
    ```

    Applies all settings inside settings.xml

    ## PARAMETERS

    ### -Disable
    Comma separated list of mitigations to disable.
    Disable list takes priority over enable list.
    If specified in both, it will be disabled.

    ```yaml
    Type: String[]
    Parameter Sets: ProcessPolicy
    Aliases: d
    Accepted values: DEP, DisableATL, SEHOP, ForceRelocate, BottomUpASLR, CFG, HighEntropyASLR, StrictHandleCheck, AllowThreadOptOut, SystemCallDisable, ExtensionPointDisable, ProhibitDynamicCode, MicrosoftSignedOnly, StoreSignOnly, FontDisable, AuditNonSystemFonts, NoRemoteImages, NoLowLabel, PreferSystem32

    Required: False
    Position: Named
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    ```

    ### -Enable
    Comma separated list of mitigations to enable.
    Disable list takes priority over enable list.
    If specified in both, it will be disabled.

    ```yaml
    Type: String[]
    Parameter Sets: ProcessPolicy
    Aliases: e
    Accepted values: DEP, DisableATL, SEHOP, MandatoryASLR, BottomUpASLR, CFG, HighEntropyASLR, StrictHandleCheck, AllowThreadOptOut, SystemCallDisable, ExtensionPointDisable, ProhibitDynamicCode, MicrosoftSignedOnly, StoreSignOnly, FontDisable, AuditNonSystemFonts, NoRemoteImages, NoLowLabel, PreferSystem32

    Required: False
    Position: Named
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    ```

    ### -Name
    Name of the process to apply mitigation settings to.
    Can be in the format "notepad" or "notepad.exe"

    ```yaml
    Type: String
    Parameter Sets: ProcessPolicy
    Aliases:

    Required: False
    Position: 0
    Default value: None
    Accept pipeline input: True (ByPropertyName, ByValue)
    Accept wildcard characters: False
    ```

    ### -PolicyFilePath
    {{Fill PolicyFilePath Description}}

    ```yaml
    Type: String
    Parameter Sets: FullPolicy
    Aliases: x

    Required: True
    Position: Named
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    ```

    ## INPUTS

    ### System.String

    ## OUTPUTS

    ### System.Object

    ## NOTES

    ## RELATED LINKS

    ---
    external help file: ProcessMitigations.dll-Help.xml
    online version:
    schema: 2.0.0
    ---

    # Get-ProcessMitigation

    ## SYNOPSIS
    Gets the current process mitigation settings, either from the registry, from a running process, or saves all to a XML.

    ## SYNTAX

    ### NameMode
    ```
    Get-ProcessMitigation [-Name] <String> [-DisplayRunningProcess]
    ```

    ### IdMode
    ```
    Get-ProcessMitigation [-Id] <Int32[]>
    ```

    ### SaveMode
    ```
    Get-ProcessMitigation [-RegistryConfigFilePath <String>]
    ```

    ## DESCRIPTION
    Gets all process mitigation settings either by process name (either running or from -Registry), or by process ID.
    Can also save all settings to an XML file.

    ## EXAMPLES

    ### Example 1
    ```
    PS C:\> Get-ProcessMitigation -Name notepad.exe -DisplayRunningProcesss
    ```

    Gets the current settings on all running instances of notepad.exe

    ### Example 2
    ```
    PS C:\> Get-ProcessMitigation -Name notepad.exe
    ```

    Gets the current settings in the registry for notepad.exe

    ### Example 3
    ```
    PS C:\> Get-ProcessMitigation -Id 1304
    ```

    Gets the current settings for the running process with Id 1304

    ### Example 4
    ```
    PS C:\> Get-ProcessMitigation -RegistryConfigFilePath settings.xml
    ```

    Gets the all process mitigation settings from the registry and saves them to the xml file settings.xml

    ### Example 5
    ```
    PS C:\> Get-Process notepad.exe | Get-ProcessMitigation -Save settings.xml
    ```

    Gets the mitigation settings for the result returned from Get-Process

    ## PARAMETERS

    ### -Id
    Process Id to retrieve current running process mitigation settings from

    ```yaml
    Type: Int32[]
    Parameter Sets: IdMode
    Aliases:

    Required: True
    Position: 0
    Default value: None
    Accept pipeline input: True (ByPropertyName, ByValue)
    Accept wildcard characters: False
    ```

    ### -Name
    Current process name to get current running (Or from registry) process mitigation settings from one (Can be more than one instance)

    ```yaml
    Type: String
    Parameter Sets: NameMode
    Aliases: n

    Required: True
    Position: 0
    Default value: None
    Accept pipeline input: True (ByPropertyName, ByValue)
    Accept wildcard characters: False
    ```

    ### -DisplayRunningProcess
    {{Displays the current mitigation settings for a specific process}}

    ```yaml
    Type: SwitchParameter
    Parameter Sets: NameMode
    Aliases: r

    Required: False
    Position: Named
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    ```

    ```yaml
    Type: SwitchParameter
    Parameter Sets: IdMode
    Aliases: r

    Required: True
    Position: Named
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    ```

    ### -RegistryConfigFilePath
    {{Fill RegistryConfigFilePath Description}}

    ```yaml
    Type: String
    Parameter Sets: SaveMode
    Aliases: s

    Required: False
    Position: Named
    Default value: None
    Accept pipeline input: False
    Accept wildcard characters: False
    ```

    ## INPUTS

    ### System.String
    System.Int32\[\]

    ## OUTPUTS

    ### System.Object

    ## NOTES

    ## RELATED LINKS

    Now, while this command line usage of Powershell for managing process mitigations is not exactly pretty or user friendly, it is absolutely powerful. The output from Get-ProcessMitigation for running processes is also quite interesting. I should also note that any GUI developer can easily come along and create a fancy GUI similar to EMET to check off mitigations in a nice way all while utilizing these Powershell ProcessMitigations cmdlets as a backend. Without a doubt, once Microsoft publishes a detailed blog about this and the transition from EMET, I am certain that some security researchers and developers will share some scripts to utilize these cmdlets and at some point a GUI will follow. For example, I am certain some developers over at MalwareTips forum would be interested in this as a backend for some system hardening tools.

    :
    Code:
    PS C:\WINDOWS\system32> Get-ProcessMitigation -Name chrome.exe -DisplayRunningProcess
    Process:        chrome
    Source:         Running Process
    Id:             3628
    DEP:
            Enable                      True
            DisableATL                  False
    
    ASLR:
            BottomUp                    True
            ForceRelocate               False
            HighEntropy                 True
            DisallowStripped            False
    
    StrictHandle:
            RaiseExceptionOnInvalid     True
            HandleExceptionsPermanently True
    
    SystemCall:
            DisallowWin32kSysCalls      True
    
    ExtensionPoint:
            DisableExtensionPoints      True
    
    DynamicCode:
            ProhibitDynamicCode         False
            AllowThreadOpt              False
            AllowRemoteDowngrade        False
    
    CFG:
            EnableCFG                   True
            EnableExportSuppression     False
            StrictMode                  False
    
    BinarySignature:
            MicrosoftSignedOnly         False
            StoreSignedOnly             False
            MitigationOptIn             False
    
    FontDisable:
            DisableNonSystemFonts       True
            AuditNonSystemFontLoading   False
    
    ImageLoad:
            NoRemoteImages              True
            NoLowMandatoryLabelImages   True
            PreferSystem32Images        False

    That is all for now. :thumb:
     
  6. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    252
    Location:
    united kingdom
    Great info. Many thanks for sharing.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
  8. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,688
    Nice (and detailled) overview :thumb:
     
  9. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,473
    Is there already an app with an user interface for this?
    It shouldn't be hard I guess
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
    Not yet, unfortunately. This has not technically been announced widely to the public as of yet either. There should be a blog post with details for EMET users on how to convert over to this tool shortly after Creators Update becomes more widely released.

    One unfortunate thing that I found out after digging into some yet-to-be-released docs was that the EMET feature for ASR (attack surface reduction) used by this new mitigation toolset require VBS (virtualization based security) and therefore requires more modern hardware to utilize and also requires the use of Device Guard in particular. But with these new mitigation tools, I have finally uninstalled EMET for good. The latest update to these tools from yesterday, 1.0.7, added the ability to enable/disable system-wide mitigations in Windows now as well, similar to EMET. Yet far more granularity in comparison.

    Another interesting thing with this new mitigation toolset is that we can all share configurations here via .XML exports. This tool allows converting EMET .xml configs but also has it's own format to import/export these registry based mitigations also in a similar .xml format. So once I am a bit more comfortable with using this tool, I will start to share some testing mitigation configs for simple tools like Explorer++ and Speedyfox, just as really basic examples. But either way, this is proving to be quite powerful so far.

    EDIT: As far as ASR goes, I can replicate that much more efficiently with Bouncer anyway. And soon hopefully with MemProtect as well since .dll filtering may be coming at some point.
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
    Some recognition for this new Process Mitigation Management Tool is finally starting to show up among security researchers along with the documentation going public now as well.
    Link: https://twitter.com/mattifestation/status/850525271035830274

    Mitigate threats by using Windows 10 security features
    Link: https://technet.microsoft.com/en-us.../overview-of-threat-mitigations-in-windows-10

    * I had posted a link earlier to this document while it was still being edited on Github. This information is finalized and ready for public consumption now.

    The bottom of that page covers some of the basic usage commands for the tool. But the page contains much more information regarding all of Windows 10 mitigation defence/protections such as VBS (virtualization based security), Protected Processes, and more. Also, there is an interesting comparison chart which explains similarities between EMET mitigations and Windows 10 mitigations.


    Table 5 EMET features in relation to Windows 10 features
    Link: https://technet.microsoft.com/en-us...t-features-in-relation-to-windows-10-features
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
    A fantastic article with great references,excellent detail, and includes a handy comparison chart which covers Windows process mitigations and kernel memory protections comparing Windows 7 through Windows 10 (Anniversary Update + Creators Update). Also in comparison are EMET mitigations, the evolution of EMET mitigations and the development of adding these mitigations to the core of Windows 10. Solid article and a great read.


    Windows 10 Memory Protection Features
    April 24, 2017 by BrandonWilson
    Link: https://blogs.technet.microsoft.com/askpfeplat/2017/04/24/windows-10-memory-protection-features/

    Win10-mitigations.png


    1. Fonts https://technet.microsoft.com/en-us/itpro/windows/keep-secure/block-untrusted-fonts-in-enterprise
    2. Force Application Mitigation-Fonts row should show as no/red in the Windows 10 + EMET column, as the ability to configure the Untrusted Fonts mitigation for specific applications has been disabled in EMET
    3. https://support.microsoft.com/en-us/kb/2639308
    4. PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON
    5. PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON
    6. PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY
    7. ProcessSignaturePolicy
    8. ProcessSystemCallDisablePolicy
    9. From 1510
    10. https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf
    11. See UpdateProcThreadAttribute documentation for PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON
    12. See UpdateProcThreadAttribute documentation for PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON
    13. See UpdateProcThreadAttribute documentation for PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON
    14. See UpdateProcThreadAttribute documentation for PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON
    15. https://blogs.technet.microsoft.com...e-mitigating-heap-corruption-vulnerabilities/
    16. https://blogs.technet.microsoft.com/srd/2009/11/20/sehop-per-process-opt-in-support-in-windows-7/
    17. https://blogs.technet.microsoft.com...se-mitigating-common-exploitation-techniques/
    18. https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf
    19. The NULL page mitigation provided by the OS (enabled by default) obsoletes the EMET NULL page mitigation, see [21]
    20. CFG must be enabled by the application and cannot be forced-on
    21. https://support.microsoft.com/en-us...rosoft-enhanced-mitigation-experience-toolkit
    22. https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/
    23. https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
    24. https://channel9.msdn.com/Events/Ignite/New-Zealand-2016/M401
    25. https://technet.microsoft.com/en-us...ion-options-for-app-related-security-policies
    26. https://technet.microsoft.com/en-us/itpro/windows/keep-secure/enterprise-certificate-pinning
     
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,888
    Location:
    Europe then Asia
    Yes very nice article, we can see the immense security gap between Win7 and Win10 CU.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,888
    Location:
    Europe then Asia
    Excellent; thanks ; i will relay this on MT :p
     
  16. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    370
    Location:
    Italy
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,888
    Location:
    Europe then Asia
    This is purely not for beginners. You need to know what you are doing especially with those kind of tools, bricking your system will be easy by doing a wrong manipulation.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
    @Umbra You're welcome. :)

    @imuade I find the following link to be quite a good reference: https://raw.githubusercontent.com/TheRyuu/theryuu.github.io/master/ifeo-mitigationoptions.txt

    Although that link is missing the more recent "Prefer System32" mitigation. Personally, I test first with pretty basic applications such as speedyfox.exe (just as a test example) to get accustomed to everything and see what works and what breaks. The more complex the application, the more problems that could occur. For example, enabling "Disable Win32k Calls" for speedyfox.exe results in the application not being able to run at all. So these process mitigations have to be used and tested on a case by case basis. I've also done quite a bit of process mitigation testing with Explorer++ since it can be quite powerful yet is a tiny binary and portable.

    However, I should point out, we should not mess with an already sandboxed browser such as Chrome or Edge. Chrome, for example, already makes great use of built-in operating system process mitigations. If we enabled some of these mitigations, it could break some of the built-in Chrome mitigations. Chrome enables it's mitigations during process execution already and has different mitigations for different processes Eg. broker process, GPU, renderer, etc.
     
  19. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,888
    Location:
    Europe then Asia
    i guess those needing mitigation are the internet-facing softwares (media players, pdf/doc applications, etc...)
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
    Something interesting is in development for the next Windows 10 major upgrade (Fall Creators Update) and available now in Insider builds.

    EDIT: To me, this appears to be managing exploit mitigations (future of EMET) via the modern Settings app.


    exploit-mitigations.jpg

    Source: https://twitter.com/dwizzzleMSFT/status/862506816025968640
     
  21. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,087
    Location:
    Toronto, Canada
    Follow up from: https://www.wilderssecurity.com/threads/process-mitigation-management-tool.393096/#post-2674377

    So naturally I had to spin up a fresh Hyper-V VM and have a peak...

    Microsoft is officially adding Exploit/Process Mitigations configuration UI to Windows Defender Security Center!

    EMET > Windows Defender (EMET is essentially being added to Windows Defender)

    Well I must say, Windows Defender / Windows 10 is slowly becoming more and more impressive lately with virtualization based security (Windows Defender Application Guard), network inspection, SmartScreen, etc. and now process mitigation configuration. Damn... bye bye security software competition.
     
  23. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    988
    Location:
    Da mean streets of Brooklyn
    I'll sort of miss that standalone but least it'll be more mannerly on a Windows/Creators machine come September.
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,286
    Location:
    The etherlands
    Will be interesting to see how it compares to HmP.A or MBAE. Some used these tools in preference to EMET.
     
  25. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    807
    Seems interesting. Hope they make a guide to show what is what and which of those are suggested to be enabled for everyday usage.
     
Loading...