The EMET Attack Surface Reduction Replacement in Windows 10 RS3: The Good, the Bad, and the Ugly

Discussion in 'other security issues & news' started by WildByDesign, Jan 31, 2018.

  1. WildByDesign (Registered Member; joined Sep 24, 2013; 2,587 posts; Toronto, Canada)
    The EMET Attack Surface Reduction Replacement in Windows 10 RS3: The Good, the Bad, and the Ugly

    By Matt Graeber (mattifesation / SpecterOps)

    Link: https://posts.specterops.io/the-eme...s3-the-good-the-bad-and-the-ugly-34d5a253f3df


     
    Last edited by a moderator: Jan 31, 2018
  2. itman (Registered Member; joined Jun 22, 2010; 8,593 posts; U.S.A.)
    I "found" this specterops.io article a few days back when researching another matter. I'm surprised this posting didn't get any follow-up comments.

    Anyway, what caught my eye was this comment in the article about stopping the "pure vanilla" version of Casey Smith's Squiblydoo regsvr32.exe bypass:
    So I did just that. What Matt Graeber forgot to mention were the negative impacts of enabling it. Interesting how pen testers really don't test their suggestions under everyday user activity.

    Today, I spent over two hours trying to update my Win 10 nVidia graphics drivers. All attempts to do so would fail, whether via Windows Update, Device Manager driver update, or even downloading the nVidia driver installer from their website. At first I thought perhaps it was an issue due to the 1803 upgrade. Maybe my AV was the culprit running under 1803? Finally, "the light in my head" triggered and I remembered I had turned on this WDEG mitigation recently for regsvr32.exe. So I checked the Windows security mitigations event log and, sure enough, there were log entries stating that it was blocking nVidia .dll injection into regsvr32.exe.

    I really have had it with Microsoft "Band-Aid" security mitigations, a category into which WDEG falls. At least EMET used to flash a desktop popup alert when one of its mitigations was triggered.
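    The workflow the post describes, as an added example that is not part of the thread or of the SpecterOps article: inspect the per-image WDEG settings for regsvr32.exe, put the mitigation in audit mode first, and read the Security-Mitigations event log, since WDEG gives no desktop popup. The post does not say which mitigation was enabled; the example assumes MicrosoftSignedOnly (Code Integrity Guard), because that is the setting that rejects a non-Microsoft-signed DLL such as a vendor driver helper being loaded into the process. It assumes Windows 10 1709 or later, the ProcessMitigations module, and an elevated PowerShell prompt.

```powershell
# Added example, not from the SpecterOps post or this thread.
# Assumes: Windows 10 1709+, ProcessMitigations module (Get/Set-ProcessMitigation),
# elevated shell. The mitigation chosen (MicrosoftSignedOnly / Code Integrity Guard)
# is an assumption based on the poster's "nVidia .dll blocked" log entries.

$target = 'regsvr32.exe'

# 1. Inspect what is currently configured for the image. Per-image settings are stored
#    under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
#    Image File Execution Options\<image>\MitigationOptions.
Get-ProcessMitigation -Name $target | Select-Object -ExpandProperty SignedBinary

# 2. Safer first step: audit instead of enforce. Audit events are written to the same
#    event channel without breaking installers, so you see what WOULD have been blocked.
Set-ProcessMitigation -Name $target -Enable AuditMicrosoftSigned

# 3. Enforce only once the audit log is clean for your own workload (driver installers,
#    vendor tooling, anything else that spawns regsvr32.exe).
# Set-ProcessMitigation -Name $target -Enable MicrosoftSignedOnly -Disable AuditMicrosoftSigned

# 4. Read the mitigation log. WDEG does not raise a toast the way EMET did; this
#    channel is the only signal. Filter to events that mention the target image.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Security-Mitigations/UserMode'
    StartTime = $since
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match [regex]::Escape($target) } |
  Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
  Format-Table -AutoSize

# 5. Roll back if a legitimate workflow breaks: this clears every per-image setting
#    for regsvr32.exe, returning it to the system defaults.
# Set-ProcessMitigation -Name $target -Remove
```

    Running step 2 before step 3 is the check the post wishes it had done: a few days of audit events will show every non-Microsoft module a driver installer pushes into regsvr32.exe before any of it is actually blocked.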
     