- May 31, 2017
- 1,719
Cool, now I am curious if EMET will block the attack if lsass is protected. So I will run the test tonight or tomorrow. If you guys want to post exactly how you would like me to configure EMET, that will be helpful.
Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?
- Thread starter Andy Ful
- Start date
- Status
- Jun 9, 2013
- 6,720
Agreed 100%.We should always be as nice as possible towards each other. That's the primary thing of MalwareTipsSecurity, privacy, antiviruses, antiexes, exploits and vulnerabilities are secondary
- May 31, 2017
- 1,719
Yeah, I think it is pretty straightforward, but if anyone has any other advice before I test, please let me know!
- Apr 16, 2017
- 2,585
so... EMET properly configured would have blocked EB? (just curious, not challenging you or danb) and danb suggested a very few other apps too, were those enumerated. I read many but not all these posts.
@danb old link for old version, but still valid i guess:
https://rationallyparanoid.com/articles/Microsoft-emet-3.html
interesting fact since 2012 lol
https://rationallyparanoid.com/articles/Microsoft-emet-3.html
interesting fact since 2012 lol
no idea, let him test it properly.
I dont believe anything except an Anti-exploit (or something with similar features) would block EB because it is an in-memory kernel exploits. which is the worst case scenario.
- Apr 16, 2017
- 2,585
- Dec 29, 2014
- 1,716
Is this what you mean @Umbra:
Top right...SEHOP is only opt in or opt out. It doesn't offer the green option only the yellow.
Not insinuating you are not comfortable running tests. O/C I am aware that you have extensive experience in this area. Only saying that I'm not going to run any tests myself out of respect for the scientific method. This is also why I don't formally ask anyone else to do so for me...only suggest angles on a product that a tester might consider cause for a test of their own. I don't expect anyone to do anything. I don't even hope they will do something. For this same reason, I wouldn't ask you to value the EMET test as much as I do or ask you run the test. If you see value in knowing, great. I would love to see the results.
If you would like to run the test, opt in on all the protections top right of the main gui (see pic above). To get to the pic below and add lsass.exe, click on Apps top left of the main GUI. The protections list will open, where you can add processes to protect. Click on Add Application top left of the window and add lsass.exe (C:\Windows\system32\lsass.exe). In the pic below, find lsass.exe in the list and match the protections as you see them there in that list. It's about the 10th process down the list in the pic:
- May 31, 2017
- 1,719
I have no idea... but I would guess 80% it would block EB if properly configured to protect lsass, and 20% it would not block it. We will find out soon, i will test this tomorrow.
- Dec 29, 2014
- 1,716
Clever and true, but as you see I have a number of them protected as a precaution, so who knows?
Maybe they could be exploited too?Anyway, it's maddening. There is literally almost nothing on EMET to speak of from any source. It's a great principle for an add on protection, but is it completely useless? I don't think so, as I have seen video of blocks and witnessed a few. However, how good is it?
Well, I have MBAE free on another PC. It hasn't even generated a single block, excepting the malwarebytes test file I downloaded moons ago for testing to see if it's working...idk . For me, it's all good for laughs and at least very interesting. I 100% believe o/c in the concept of memory mitigation...as long as I can read my files and see my pics the theory and protection is good...
Last edited:
- May 31, 2017
- 1,719
Hmmm, interesting
. I wonder if they knew about a potential vulnerability in lsass in 2012 . Just kidding.
- May 31, 2017
- 1,719
Cool, thank you... I will test tomorrow.
BTW, is APC listed in the exploitation methods, along with DEP and the others? I cannot see the entire list because that image is cropped.
Anyway, since EB used APC, if that is an option that I can enable in EMET for lsass, then it will probably block it. If it is not listed in those exploitation methods... I bet it will not block it
.And Umbra did not think I knew anything about the attack
.sure, EB-DP isn't the only exploit. it is why i use HMPA.Clever and true, but as you see I have a number of them protected as a precaution, so who knows?
i protect the 3 vectors a normal user would be affected by.
- attack using executables/dlls/drivers/installers/scripts = Appguard + ReHIPS' application control
- attack using exploits = HMPA
- attack using browser = ReHIPS' sandbox
Networks attacks are taken care by the NAT router and the firewall. Home users, unless personally targeted , wont need too much network protection.
This is not rocket science, know from where you will be attacked, protect yourself against, job done.
- Dec 29, 2014
- 1,716
Dan you may be able to test with EAF enabled on your test machine. I tested each of the processes individually to see which mitigations would not break Windows or apps. However, I don't recall the specific context of the EAF fail for lsass.exe.
I was wondering the odds myself. Not so confident as you. Free things from MS can be a little bit short in the delivery on a promise I have found over the eons...I mean years.
Good luck, and I guess we will see. Don't forget to show what VS does in the video Dan...
I was wondering the odds myself. Not so confident as you. Free things from MS can be a little bit short in the delivery on a promise I have found over the eons...I mean years.
Good luck, and I guess we will see. Don't forget to show what VS does in the video Dan...
- May 31, 2017
- 1,719
That is the concern... Sure, Windows is patched for EB now, but that does nothing for the next zero day.
Keep in mind, this attack could only be designed by a handful of people (the absolute best exploit devs)... it was that effective and sophisticated.
And now that the blackhats have the code, they have a great playbook to follow. All they have to do is add an "Encrypt" tool to the DP malicious tool set, and then it is game over.
Cool, thank you... I will test tomorrow.
BTW, is APC listed in the exploitation methods, along with DEP and the others? I cannot see the entire list because that image is cropped.
Anyway, since EB used APC, if that is an option that I can enable in EMET for lsass, then it will probably block it. If it is not listed in those exploitation methods... I bet it will not block it
it is why i keep saying testing some apps needing tailored setup with default setting is totally useless.
we know what VS block , it is the reverse-TCP connection allowing the attacker to deploy malicious tools, it was shown on the previous video.altbo said:Don't forget to show what VS does in the video Dan...
- May 31, 2017
- 1,719
Cool, thank you for the help. Is APC listed in the exploitation methods? That is what EB used, so I need to make sure that is enabled if it is available.Dan you may be able to test with EAF enabled on your test machine. I tested each of the processes individually to see which mitigations would not break Windows or apps. However, I don't recall the specific context of the EAF fail for lsass.exe.
I was wondering the odds myself. Not so confident as you. Free things from MS can be a little bit short in the delivery on a promise I have found over the eons...I mean years.
Good luck, and I guess we will see. Don't forget to show what VS does in the video Dan...
I have already tested VS about 10 times, but I suppose I can test again
.
- Dec 29, 2014
- 1,716
There is a check box column called ASR that did get cut off. I played hell getting anything to work with it on. I have a few Office apps that worked with it. I finally quit testing it, as I seem to recall it was breaking Windows. APC isn't in the list. Looks like that's a very bad omen for the test, but maybe another one will get it...
- Status
Similar threads
