EMET 5.5 and Eternal Blue/Double Pulsar

AtlBo
Thread author
I am running EMET 5.5 on W7 64, and I had previously chosen to run lsass.exe under EMET. Does anyone know if this would have blocked the EB/DP attacks?

I have looked for a really high quality list of vulnerable processes to protect with EMET, but so far haven't had much luck with finding one. I feel like I can do much more with the app.

Maybe native mitigation protections in 10 were the difference and why the exploit doesn't work on 10. Don't know, but I have suspected this might be the case since I first read about the attacks. I'd love to see a test of EMET against EB/DP if anyone finds time for one. Personally, I use DEP always on, and I have several MS apps running under the protections including lsass.exe.
 

509322

AtlBo said:
Does anyone know if this would have blocked the EB/DP attacks?

If code is injected into lsass.exe, that means in this case the kernel has already been compromised.

lsass.exe is simply the default target; other system processes can be targeted instead of lsass.exe. In protecting at the application level (lsass.exe), the kernel can still be exploited on an unpatched system.

There are also a number of conditions that must be present for the EB/DP attacks to succeed even on unpatched systems - a detail that appears to be either not understood or just not discussed.

The best protection is to keep Windows updated and apply Microsoft's Win 7 security updates for EB/DP or upgrade to Windows 10 Creators Update (1703).

If you want additional exploit protections against EB/DP, then check out HMP.A build 602 and above as they have proven that they will block the EB/DP exploits on the EternalPot honeypot.
 
AtlBo
Thread author
Yes, I am aware that lsass.exe is just one of a number of vectors (theoretically) that could have been used in this attack. Just interested to know if EMET protection would have blocked it, since I had it enabled for lsass.exe. Not too concerned about an attack now. Mitigation protection interests me, and there isn't much documentation of the protection power of EMET or for its most effective use for Windows 7.

Thanks for the answers.
 

509322

@AtlBo

Check out rationally paranoid website if you have not already done so - there are two old articles about EMET.

You can find out first-hand by testing in a VM. Add processes to EMET and use a code/DLL injection tool.
 

danb
From VoodooShield
Developer
AtlBo said:
I'd love to see a test of EMET against EB/DP if anyone finds time for one.
Now THAT is a great idea (I wish I would have thought of this before)!!! Do you secretly work for MRG or something? ;)

The reason it is such a great idea is because this allows me to go a little further in demonstrating why it is vital that DP is blocked, without it making it appear as though I am picking on a competitor.

Umbra, you said "yes, it is for me what is DP. Once you are hit by a bullet, doesn't matter if you stop the bleeding or not, you were hit. Just avoid to be hit." here: VoodooShield ?

Great analogy... but VS is the bulletproof vest that stopped the malicious payload DP dead in its tracks... even if EP was successful. It does not matter how many times you perform the attack... if VS is running DP will be blocked.

Sure, you can patch your system against THIS attack, but the system is still vulnerable to new zero days that have the ability to install a kernel level backdoor.

So I ran the test, and EMET did not block DP, so the system was pwned. I ran a few of the hacker tools just for a quick demo. For example, I took a screenshot of the pwned system and stole the yummychicken recipe... all sensitive data on the system was fully available in my tests since DP was running.



I do not claim that VS has a “Patented exploit prevention for endpoints”, but I have demonstrated that our mechanism that blocks malicious payloads like DP is sound, and it worked perfectly for this attack. Will someone find an attack that pwns VS? Probably some day, but Black Cipher sure had a hell of a time finding something that could get through.

I agree that security is all about layers, and it would not hurt to have specialized exploit protection. But either way, it is my opinion that SRP and AE products should block malicious payloads spawned from exploits, at a minimum.

In all fairness, I have mentioned that a time or ten the last couple of years ;).

Thank you!

Edit: BTW, please feel free to skip to 2:30 in the video... EMET took a little while to load.
 
danb
From VoodooShield
Developer
On a funny side note... right around 5:55 in the video, I went to shut down the EMET VM normally, but changed my mind and decided to shut down the VM with the attacking machine instead ;).
 

S3cur1ty 3nthu5145t
danb said:
Now THAT is a great idea (I wish I would have thought of this before)!!! Do you secretly work for MRG or something? ;)

The reason it is such a great idea is because this allows me to go a little further in demonstrating why it is vital that DP is blocked, without it making it appear as though I am picking on a competitor.

Umbra, you said "yes, it is for me what is DP. Once you are hit by a bullet, doesn't matter if you stop the bleeding or not, you were hit. Just avoid to be hit." here: VoodooShield ?

Great analogy... but VS is the bulletproof vest that stopped the malicious payload DP dead in its tracks... even if EP was successful. It does not matter how many times you perform the attack... if VS is running DP will be blocked.

Sure, you can patch your system against THIS attack, but the system is still vulnerable to new zero days that have the ability to install a kernel level backdoor.

So I ran the test, and EMET did not block DP, so the system was pwned. I ran a few of the hacker tools just for a quick demo. For example, I took a screenshot of the pwned system and stole the yummychicken recipe... all sensitive data on the system was fully available in my tests since DP was running.



I do not claim that VS has a “Patented exploit prevention for endpoints”, but I have demonstrated that our mechanism that blocks malicious payloads like DP is sound, and it worked perfectly for this attack. Will someone find an attack that pwns VS? Probably some day, but Black Cipher sure had a hell of a time finding something that could get through.

I agree that security is all about layers, and it would not hurt to have specialized exploit protection. But either way, it is my opinion that SRP and AE products should block malicious payloads spawned from exploits, at a minimum.

In all fairness, I have mentioned that a time or ten the last couple of years ;).

Thank you!

Edit: BTW, please feel free to skip to 2:30 in the video... EMET took a little while to load.

First let me state that watching Windows 7 and EMET load was like watching paint dry in this video lol...
Secondly, to test this properly you would need to configure it like an SRP. If you look at the running processes under the Running EMET tab, you will notice nothing is running in EMET. You may need to restart services and/or applications for it to take effect as well. Testing these types of applications like a standard security suite "at default settings" will not bring you even close to accurate results.
 

AtlBo
Thread author
danb said:
Now THAT is a great idea (I wish I would have thought of this before)!!! Do you secretly work for MRG or something? ;)

The reason it is such a great idea is because this allows me to go a little further in demonstrating why it is vital that DP is blocked, without it making it appear as though I am picking on a competitor.

No, just been using EMET for a few years now, and no one really has tested its worth that I have been able to determine.

Thanks for the test. Couple of things about that. I run with DEP enabled full time. Also, did you click on lsass.exe to turn on the protections for the process? The first screen is just what is running on the system. If it's being protected you will see a green dot right of the process name.

Looking in KillSwitch and in Process Explorer, I noticed that activating DEP system wide in EMET doesn't affect Windows system processes, or at least that's what is showing up in those programs. It is working fine for other apps. Not sure if EMET's other protections work either for Windows system processes, but I bet MS knows lol...
 
AtlBo
Thread author
S3cur1ty 3nthu5145t said:
First let me state that watching Windows 7 and EMET load was like watching paint dry in this video lol...

Been using EMET 5.5 for a few years, and I haven't ever noticed any sort of system lag. The GUI is a little bit bulky, but I don't think I would want it any differently. Maybe Dan's machine was just configured for min hardware.
 
S3cur1ty 3nthu5145t
AtlBo said:
Been using EMET 5.5 for a few years, and I haven't ever noticed any sort of lag. The GUI is a little bit bulky, but I don't think I would want it any differently. Maybe Dan's machine was just configured for min hardware.

I'm sure his machine just did not have enough allocated resources, was still painful though ;) :D
 

danb
From VoodooShield
Developer
S3cur1ty 3nthu5145t said:
First let me state that watching Windows 7 and EMET load was like watching paint dry in this video lol...
Secondly, to test this properly you would need to configure it like an SRP. If you look at the running processes under the Running EMET tab, you will notice nothing is running in EMET. You may need to restart services and/or applications for it to take effect as well. Testing these types of applications like a standard security suite "at default settings" will not bring you even close to accurate results.

Yeah, I agree, it took forever for EMET to load, sorry about that. Just imagine how long of a wait it was for me while I was testing the first time, since I did not know the outcome of the test ;).

If you provide me with the settings you recommend, I will test again (if we really feel that we need to). Please keep in mind that it takes a while to run this test because I will need to start with a fresh VM, install .NET 4.5, install EMET, configure the settings, then run the test. If you truly believe we can adjust the settings in EMET so that it blocks this attack, I guess I can run one more test... but please understand, this is really getting old.

I am quite certain that no matter what settings we change, EMET will not block it. Hopefully MRG will test EMET... this should have been one of the first tests that I should have performed, but I did not think of doing so until AtlBo recommended it.

Also, please keep in mind, most home users do not run EMET, and if they do, odds are they probably do not configure the settings correctly.

I have installed MANY different AV products the last 18 years for my clients, and not ONCE did I change anything in the settings... pretty much NO ONE does, except for the wilders and MT users.

If you ask me, security software should properly protect the user out of the box, with all default settings. Typically, the reason why security vendors do not make the settings more aggressive out of the box is because then the software is a PITA to use. If you ask me, changing the default settings to a less aggressive posture is the absolute wrong way to fix the issue. To fix this issue properly, they should make the aggressive features more user-friendly.
 
danb
From VoodooShield
Developer
AtlBo said:
No, just been using EMET for a few years now, and no one really has tested its worth that I have been able to determine.

Thanks for the test. Couple of things about that. I run with DEP enabled full time. Also, did you click on lsass.exe to turn on the protections for the process? The first screen is just what is running on the system. If it's being protected you will see a green dot right of the process name.

Looking in KillSwitch and in Process Explorer, I noticed that activating DEP system wide in EMET doesn't affect Windows system processes, or at least that's what is showing up in those programs. It is working fine for other apps. Not sure if EMET's other protections work either for Windows system processes, but I bet MS knows lol...

Cool, thank you as well! Please see my post above and let me know if you have any questions.

Yeah, it was the same machine that I used in all of the tests... it is just an old i3 with an SSD drive. I think I only allocated 1 or 2 gigs of RAM in the VM... but it was the same VM that I used in all of the tests (the VM at the top is the baseline VM). So yeah, it was slower, but this did not affect the outcome of the test. And yes, it was VERY painful for me as well ;).
 

AtlBo
Thread author
danb said:
If you provide me with the settings you recommend, I will test again (if we really feel that we need to). Please keep in mind that it takes a while to run this test because I will need to start with a fresh VM, install .NET 4.5, install EMET, configure the settings, then run the test. If you truly believe we can adjust the settings in EMET so that it blocks this attack, I guess I can run one more test... but please understand, this is really getting old.

Dan, no, not recommending you retest and don't want to cause you a hassle by any means. It's just that EMET is a blank GUI that does nothing if it is not configured process by process. It's a painstaking endeavor to learn, because documentation is nil for the program. I wouldn't be surprised if many enterprises are running it completely unconfigured thinking it must block malware since it's from MS.

It would be interesting to see, but I have no idea if it would block anything for lsass.exe, given that DEP doesn't appear to work for MS system apps (enabled in EMET) anyway. In three years I think I have seen about 10 blocks, all Firefox. Never determined what the cause might be, but the program never crashed or anything.
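The point made in this post, that EMET applies nothing to a process until that process is added individually (and restarted), can be verified on the Windows 7 box itself rather than by reading the GUI. The following is an added example and is not code from the thread or from Microsoft; the two registry paths and the EMET64.dll/EMET.dll module name are assumptions about EMET 5.x's layout, not facts stated on this page.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on the
# Windows 7 EMET 5.x host. ASSUMPTIONS not stated on this page: EMET 5.x stores
# per-application settings as string values (name = exe path, data = mitigation
# list) under HKLM\SOFTWARE\Microsoft\EMET\AppSettings, stores system-wide
# DEP/SEHOP/ASLR under HKLM\SOFTWARE\Microsoft\EMET\SysSettings, and loads
# EMET64.dll (or EMET.dll for 32-bit) into every process it actually protects.
$AppKey = 'HKLM:\SOFTWARE\Microsoft\EMET\AppSettings'
$SysKey = 'HKLM:\SOFTWARE\Microsoft\EMET\SysSettings'

function Get-EmetConfiguredApps {
    # Executables EMET has been told to protect, with their mitigation string.
    if (-not (Test-Path $AppKey)) { return @() }
    $props = Get-ItemProperty -Path $AppKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        New-Object PSObject -Property @{ Path = $p.Name; Mitigations = $p.Value }
    }
}

function Test-EmetProtectsProcess {
    param([Parameter(Mandatory = $true)][string]$Name)
    # The "green dot" check: the EMET DLL is only present in a live process that
    # was (re)started after its path was added to AppSettings.
    foreach ($proc in (Get-Process -Name $Name -ErrorAction SilentlyContinue)) {
        $loaded = $null                          # $null = could not inspect (access denied)
        try {
            $mods = @($proc.Modules | Where-Object { $_.ModuleName -match '^EMET(64)?\.dll$' })
            $loaded = ($mods.Count -gt 0)
        } catch { }
        New-Object PSObject -Property @{ Process = $proc.ProcessName; Id = $proc.Id; EmetDllLoaded = $loaded }
    }
}

# 1. Is lsass.exe configured at all? Entries are keyed by full path.
$lsassCfg = Get-EmetConfiguredApps | Where-Object { $_.Path -like '*\lsass.exe' }
if ($lsassCfg) { "lsass.exe configured with: $($lsassCfg.Mitigations)" }
else { "lsass.exe is NOT in AppSettings: EMET applies nothing to it, whatever the main screen lists." }

# 2. Is protection actually live in the running lsass.exe?
Test-EmetProtectsProcess -Name 'lsass' | Format-Table Process, Id, EmetDllLoaded -AutoSize

# 3. System-wide DEP/SEHOP/ASLR as EMET recorded them (separate from per-app entries).
if (Test-Path $SysKey) { Get-ItemProperty -Path $SysKey | Select-Object DEP, SEHOP, ASLR }
```

If step 1 reports no entry and step 2 shows no EMET DLL in lsass.exe, a test run against that VM measures an unconfigured EMET, which is the objection raised about the video.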
 

danb
From VoodooShield
Developer
AtlBo said:
Dan, no, not recommending you retest and don't want to cause you a hassle by any means. It's just that EMET is a blank GUI that does nothing if it is not configured process by process. It's a painstaking endeavor to learn, because documentation is nil for the program. I wouldn't be surprised if many enterprises are running it completely unconfigured thinking it must block malware since it's from MS.

It would be interesting to see, but I have no idea if it would block anything for lsass.exe, given that DEP doesn't appear to work for MS system apps (enabled in EMET) anyway. In three years I think I have seen about 10 blocks, all Firefox. Never determined what the cause might be, but the program never crashed or anything.
Yeah, I agree, that would be interesting to see. If you guys can tell me exactly how to configure EMET, I can test again... I am just not familiar at all with EMET. The MRG report should be out soon, and hopefully EMET will be included.

Speaking of layers... a lot of the products that have been tested by EMET and White Cipher (me, hehehe ;)), have exploit protection built in. I am wondering why most of the products did not protect against this type of attack. Hopefully they are all aware of this issue and fix this in their software.
 

AtlBo
Thread author
Given MRG is going to release results, here are some pics if you absolutely must go through with a test lol. You can see a config that will not break W7 for lsass.exe in the 2nd pic:

EMET Main.png


EMET Processes.png
 

danb
From VoodooShield
Developer
AtlBo said:
Given MRG is going to release results, here are some pics if you absolutely must go through with a test lol. You can see a config that will not break W7 for lsass.exe in the 2nd pic:

View attachment 153892

View attachment 153893
Oh, I see... each vulnerable process needs to be specified individually. That being the case, it might be better to wait for the MRG report.

Wouldn't it just be easier to block the malicious payload (DP), so that "all" Windows processes are covered, and you do not risk borking the system? ;). Someone has mentioned that a time or ten ;).
 

danb
From VoodooShield
Developer
It appears this argument has reached its conclusion, sorry it was so painful (yet exciting) for everyone.

AppGuard 4.x 32/64 Bit

On a side note... if any vendor would like me to test their software with specified settings adjustments or patched mechanisms, to ensure that this type of attack is mitigated, I would be happy to do so, privately.
 
AtlBo
Thread author
danb said:
Wouldn't it just be easier to block the malicious payload (DP), so that "all" Windows processes are covered, and you do not risk borking the system? ;). Someone has mentioned that a time or ten ;).

Deployment of this program must be hell on earth. First, every time a process is enabled for protections the system has to be tested for viability, best with a reboot. Some of the mitigations crash Windows or programs etc., so boxes have to be unticked and tested until the system works. LOL it's worse than it sounds even if that is possible. Obviously MS put the time into matching mitigations to the OS for 8 and 10 which include them. Probably some clever tricks in there too and some straight changes over W7.

EMET is interesting if someone installs security software to put together ideas. Otherwise, protections for Office and browsers are probably useful in an enterprise setting. Attempting to fully take advantage of what EMET can do is more or less a complete joke honestly.
 