Status
Not open for further replies.

danb

From VoodooShield
Verified
Developer
In EMET, all 3 protections must be enabled and the list of apps properly edited. EMET is like the SRP of memory.
Those users you mentioned are noobs trying to play with what they can't understand. So obviously they fail.
Cool, now I am curious if EMET will block the attack if lsass is protected. So I will run the test tonight or tomorrow. If you guys want to post exactly how you would like me to configure EMET, that will be helpful.
 

Deleted member 178

It's a long time since I used EMET; I remember enabling all 3 protections to the green state.
Then you have to include lsass.exe in the list and tick several boxes; but doing this may botch the system. Anyway, you will be in a VM.
 

danb

From VoodooShield
Verified
Developer
It's a long time since I used EMET; I remember enabling all 3 protections to the green state.
Then you have to include lsass.exe in the list and tick several boxes; but doing this may botch the system. Anyway, you will be in a VM.
Yeah, I think it is pretty straightforward, but if anyone has any other advice before I test, please let me know!
 

simmerskool

Level 7
Verified
Malware Tester
In EMET, all 3 protections must be enabled and the list of apps properly edited.
So... EMET properly configured would have blocked EB? (Just curious, not challenging you or danb.) And danb suggested a very few other apps too; were those enumerated? I read many but not all of these posts.
 

Deleted member 178

@danb, old link for an old version, but still valid I guess:

https://rationallyparanoid.com/articles/Microsoft-emet-3.html

Interesting fact since 2012, lol:

In our previous article on EMET 2.1 we used to keep a list of which applications we recommended our readers to add. However Microsoft has effectively done this work for us in their release of EMET 3.0. Pages 35 to 39 of the EMET User Guide as well as the contents of the All.xml protection profile are an excellent start as to which programs you should add. On top of those you may wish to add (and test) the following additional executables which are not included:

Windows Print Spooler[1]  %systemroot%\System32\spoolsv.exe
Windows LSASS[1]          %systemroot%\System32\lsass.exe
.....
 

Deleted member 178

So... EMET properly configured would have blocked EB? (Just curious, not challenging you or danb.) And danb suggested a very few other apps too; were those enumerated? I read many but not all of these posts.
No idea; let him test it properly.

I don't believe anything except an anti-exploit (or something with similar features) would block EB, because it is an in-memory kernel exploit, which is the worst-case scenario.
 

AtlBo

Level 27
Verified
Content Creator
In EMET, all 3 protections must be enabled and the list of apps properly edited. EMET is like the SRP of memory.
Those users you mentioned are noobs trying to play with what they can't understand. So obviously they fail.
Is this what you mean @Umbra:

[image: EMET Main GUI.png]


Top right... SEHOP is only opt-in or opt-out. It doesn't offer the green option, only the yellow.

That is why I feel completely comfortable running tests… I am well trained with the scientific method.
Not insinuating you are not comfortable running tests. O/C I am aware that you have extensive experience in this area. Only saying that I'm not going to run any tests myself out of respect for the scientific method. This is also why I don't formally ask anyone else to do so for me... only suggest angles on a product that a tester might consider cause for a test of their own. I don't expect anyone to do anything. I don't even hope they will do something. For this same reason, I wouldn't ask you to value the EMET test as much as I do or ask you to run the test. If you see value in knowing, great. I would love to see the results.

If you would like to run the test, opt in on all the protections at the top right of the main GUI (see pic above). To get to the pic below and add lsass.exe, click on Apps at the top left of the main GUI. The protections list will open, where you can add processes to protect. Click on Add Application at the top left of the window and add lsass.exe (C:\Windows\system32\lsass.exe). In the pic below, find lsass.exe in the list and match the protections as you see them there in that list. It's about the 10th process down the list in the pic:

[image: Clipboard01.png]
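Added example (the editor's, not code from anyone in the thread, from VoodooShield or from Microsoft): AtlBo's steps above add lsass.exe to the EMET app list through the GUI, and the rationallyparanoid article quoted earlier recommends lsass.exe and spoolsv.exe as additions. The PowerShell below checks an exported EMET configuration for such an entry and reports which per-application mitigations are on and off, so the state can be confirmed before the EB test rather than read off a cropped screenshot. It assumes the EMET 5.x XML export layout produced by `EMET_Conf.exe --export` and the EMET 5.x mitigation names as I remember them; both are assumptions to be compared against your own export. The sample XML is constructed.

```powershell
# Editor's added example; not code from the thread, VoodooShield or Microsoft.
# Checks an exported EMET configuration for a protected executable (lsass.exe here)
# and reports which per-application mitigations are on, which are off, and whether
# every mitigation you require is enabled.
#
# Assumptions, to be checked against your own EMET_Conf.exe --export output:
#  - EMET 5.x XML layout: <EMET><Settings><SystemSettings .../></Settings>
#    <EMET_Apps><AppConfig Path=".." Executable=".."><Mitigation Name=".." Enabled=".."/>
#  - $KnownMitigations is the EMET 5.x mitigation set as I recall it.

$KnownMitigations = @('DEP','SEHOP','NullPage','HeapSpray','EAF','EAF+','MandatoryASLR',
                      'BottomUpASLR','LoadLib','MemProt','Caller','SimExecFlow','StackPivot','ASR')

# Constructed sample standing in for a real export. lsass.exe has EAF and ASR off,
# matching AtlBo's report that those two caused failures; spoolsv.exe is the other
# addition recommended by the quoted rationallyparanoid article.
$SampleExport = @'
<EMET Version="5.5">
  <Settings>
    <SystemSettings DEP="AlwaysOn" SEHOP="ApplicationOptIn" ASLR="ApplicationOptIn" />
  </Settings>
  <EMET_Apps>
    <AppConfig Path="%SystemRoot%\System32" Executable="lsass.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="false" />
      <Mitigation Name="EAF+" Enabled="true" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="true" />
      <Mitigation Name="MemProt" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="false" />
    </AppConfig>
    <AppConfig Path="%SystemRoot%\System32" Executable="spoolsv.exe">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
    </AppConfig>
  </EMET_Apps>
</EMET>
'@

function Get-EmetAppMitigations {
    # Returns a hashtable name -> [bool] for one AppConfig, or $null if the executable
    # is not in the list. Known mitigations absent from the entry count as off.
    param([xml]$Config, [string]$Executable)
    $app = @($Config.EMET.EMET_Apps.AppConfig) | Where-Object { $_.Executable -ieq $Executable }
    if (-not $app) { return $null }
    $state = @{}
    foreach ($m in @($app.Mitigation)) { $state[$m.Name] = [bool]::Parse($m.Enabled) }
    foreach ($name in $KnownMitigations) {
        if (-not $state.ContainsKey($name)) { $state[$name] = $false }
    }
    return $state
}

function Test-EmetAppProfile {
    # Prints the system-wide settings and the per-mitigation state for $Executable;
    # returns $true only if every mitigation in $Required is enabled for it.
    param([string]$XmlText, [string]$Executable, [string[]]$Required)
    $cfg = [xml]$XmlText
    $sys = $cfg.EMET.Settings.SystemSettings
    Write-Host ("System-wide: DEP={0} SEHOP={1} ASLR={2}" -f $sys.DEP, $sys.SEHOP, $sys.ASLR)

    $state = Get-EmetAppMitigations -Config $cfg -Executable $Executable
    if (-not $state) { Write-Warning "$Executable is not in the EMET app list"; return $false }

    foreach ($name in $KnownMitigations) {
        $flag = if ($state[$name]) { 'on ' } else { 'off' }
        Write-Host ("  {0}  {1}" -f $flag, $name)
    }
    $missing = @($Required | Where-Object { -not $state[$_] })
    if ($missing.Count -gt 0) {
        Write-Warning ("{0} is missing: {1}" -f $Executable, ($missing -join ', '))
        return $false
    }
    return $true
}

# Required set: everything except EAF and ASR, the two the thread reports breaking things.
$Required = $KnownMitigations | Where-Object { $_ -notin 'EAF','ASR' }
Test-EmetAppProfile -XmlText $SampleExport -Executable 'lsass.exe'   -Required $Required
Test-EmetAppProfile -XmlText $SampleExport -Executable 'spoolsv.exe' -Required $Required
```

Against a live machine, export first (`EMET_Conf.exe --export C:\Temp\emet.xml`, flag name assumed from the EMET user guide) and pass `(Get-Content C:\Temp\emet.xml -Raw)` as `-XmlText`. Note that the mitigation list, like the GUI column set AtlBo describes, has nothing APC-related in it, which is the gap danb asks about in the posts that follow.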
 

Deleted member 178

@AtlBo yep, all at "Always On" if possible.

Anyway, all this debate about what may or may not block EB-DP is useless now; MS released a patch fixing this issue. :D
 

danb

From VoodooShield
Verified
Developer
So... EMET properly configured would have blocked EB? (Just curious, not challenging you or danb.) And danb suggested a very few other apps too; were those enumerated? I read many but not all of these posts.
I have no idea... but I would guess 80% it would block EB if properly configured to protect lsass, and 20% it would not block it. We will find out soon; I will test this tomorrow.
 

AtlBo

Level 27
Verified
Content Creator
Anyway, all this debate about what may or may not block EB-DP is useless now; MS released a patch fixing this issue.
Clever and true, but as you see I have a number of them protected as a precaution, so who knows? :rolleyes: Maybe they could be exploited too?

Anyway, it's maddening. There is literally almost nothing on EMET to speak of from any source. It's a great principle for an add-on protection, but is it completely useless? I don't think so, as I have seen video of blocks and witnessed a few. However, how good is it? o_O Well, I have MBAE free on another PC. It hasn't even generated a single block, excepting the Malwarebytes test file I downloaded moons ago to see if it's working... idk :D. For me, it's all good for laughs and at least very interesting. I 100% believe o/c in the concept of memory mitigation... as long as I can read my files and see my pics, the theory and protection is good... :):D
 

danb

From VoodooShield
Verified
Developer
Is this what you mean @Umbra:

[image: EMET Main GUI.png]

Top right... SEHOP is only opt-in or opt-out. It doesn't offer the green option, only the yellow.



Not insinuating you are not comfortable running tests. O/C I am aware that you have extensive experience in this area. Only saying that I'm not going to run any tests myself out of respect for the scientific method. This is also why I don't formally ask anyone else to do so for me... only suggest angles on a product that a tester might consider cause for a test of their own. I don't expect anyone to do anything. I don't even hope they will do something. For this same reason, I wouldn't ask you to value the EMET test as much as I do or ask you to run the test. If you see value in knowing, great. I would love to see the results.

If you would like to run the test, opt in on all the protections at the top right of the main GUI (see pic above). To get to the pic below and add lsass.exe, click on Apps at the top left of the main GUI. The protections list will open, where you can add processes to protect. Click on Add Application at the top left of the window and add lsass.exe (C:\Windows\system32\lsass.exe). In the pic below, find lsass.exe in the list and match the protections as you see them there in that list. It's about the 10th process down the list in the pic:

[image: Clipboard01.png]
Cool, thank you... I will test tomorrow.

BTW, is APC listed in the exploitation methods, along with DEP and the others? I cannot see the entire list because that image is cropped.

Anyway, since EB used APC, if that is an option that I can enable in EMET for lsass, then it will probably block it. If it is not listed in those exploitation methods... I bet it will not block it ;).

And Umbra did not think I knew anything about the attack ;).
 

Deleted member 178

Clever and true, but as you see I have a number of them protected as a precaution, so who knows?:rolleyes: Maybe they could be exploited too?
Sure, EB-DP isn't the only exploit. It is why I use HMPA.

I protect the 3 vectors a normal user would be affected by:

- attack using executables/dlls/drivers/installers/scripts = Appguard + ReHIPS' application control
- attack using exploits = HMPA
- attack using browser = ReHIPS' sandbox

Network attacks are taken care of by the NAT router and the firewall. Home users, unless personally targeted, won't need too much network protection.

This is not rocket science: know from where you will be attacked, protect yourself against it, job done.
 

AtlBo

Level 27
Verified
Content Creator
Dan, you may be able to test with EAF enabled on your test machine. I tested each of the processes individually to see which mitigations would not break Windows or apps. However, I don't recall the specific context of the EAF fail for lsass.exe.

I was wondering the odds myself. Not so confident as you. Free things from MS can be a little bit short in the delivery on a promise I have found over the eons...I mean years.

Good luck, and I guess we will see. Don't forget to show what VS does in the video Dan...:D
 

danb

From VoodooShield
Verified
Developer
Sure, EB-DP isn't the only exploit. It is why I use HMPA.

I protect the 3 vectors a normal user would be affected by:

- attack using executables/dlls/drivers/installers/scripts = Appguard + ReHIPS' application control
- attack using exploits = HMPA
- attack using browser = ReHIPS' sandbox

Network attacks are taken care of by the NAT router and the firewall. Home users, unless personally targeted, won't need too much network protection.
That is the concern... Sure, Windows is patched for EB now, but that does nothing for the next zero day.

Keep in mind, this attack could only be designed by a handful of people (the absolute best exploit devs)... it was that effective and sophisticated.

And now that the blackhats have the code, they have a great playbook to follow. All they have to do is add an "Encrypt" tool to the DP malicious tool set, and then it is game over.
 

Deleted member 178

Cool, thank you... I will test tomorrow.

BTW, is APC listed in the exploitation methods, along with DEP and the others? I cannot see the entire list because that image is cropped.

Anyway, since EB used APC, if that is an option that I can enable in EMET for lsass, then it will probably block it. If it is not listed in those exploitation methods... I bet it will not block it ;).
It is why I keep saying that testing apps which need a tailored setup with default settings is totally useless.

AtlBo said:
Don't forget to show what VS does in the video Dan...:D
We know what VS blocks: it is the reverse TCP connection allowing the attacker to deploy malicious tools; it was shown in the previous video.
 

danb

From VoodooShield
Verified
Developer
Dan, you may be able to test with EAF enabled on your test machine. I tested each of the processes individually to see which mitigations would not break Windows or apps. However, I don't recall the specific context of the EAF fail for lsass.exe.

I was wondering the odds myself. Not so confident as you. Free things from MS can be a little bit short in the delivery on a promise I have found over the eons...I mean years.

Good luck, and I guess we will see. Don't forget to show what VS does in the video Dan...:D
Cool, thank you for the help. Is APC listed in the exploitation methods? That is what EB used, so I need to make sure that is enabled if it is available.

I have already tested VS about 10 times, but I suppose I can test again ;).
 

AtlBo

Level 27
Verified
Content Creator
BTW, is APC listed in the exploitation methods, along with DEP and the others? I cannot see the entire list because that image is cropped.
There is a checkbox column called ASR that did get cut off. I played hell getting anything to work with it on. I have a few Office apps that worked with it. I finally quit testing it, as I seem to recall it was breaking Windows. APC isn't in the list. Looks like that's a very bad omen for the test, but maybe another one will get it...
 