Using EMET to Disable EMET

Presented at Black Hat USA 2016, Aug. 3, 2016, 4:20 p.m. (50 minutes).

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a project that adds security mitigations to user-mode programs beyond those built into the operating system. It runs inside "protected" programs as a Dynamic Link Library (DLL) and makes various changes in order to make software exploitation expensive. If an attacker can bypass EMET with significantly less work, that defeats EMET's purpose of increasing the cost of exploit development. In this briefing we discuss the protections EMET offers, how each of them can individually be evaded by working around the validation code, and then a generic disabling method that applies to multiple endpoint products and sandboxing agents which rely on injecting their Dynamic Link Library into host processes in order to protect them. It should be noted that Microsoft issued a patch to address this very issue in EMET 5.5 in February 2016. EMET was designed to raise the cost of exploit development and not as a "fool-proof exploit mitigation solution". Consequently, it is no surprise that attackers who have read/write capabilities within the process space of a protected program can bypass EMET by systematically defeating its mitigations. As long as the protection and the protected program share the same address space, a complete defensive solution cannot be used to prevent exploitation.

The talk will focus on how easy it is to defeat EMET or any other agent. It asks how secure any endpoint exploit prevention/detection solution that relies on same-address-space validation can be, and shows how to defeat such solutions with their own checks or by circumventing and evading their validation. It will also cover targeted EMET evasion, i.e. the case where the attacker knows EMET is installed on the victim machine. The methods applied to EMET can be applied to other enterprise products and were tested on many during our research.


Presenters:

  • Abdulellah Alsaheel - FireEye Inc.
    Abdulellah Alsaheel is a Security Consultant in Mandiant's Riyadh office. Mr. Alsaheel is focused on software security assessments, exploit development and malware reverse engineering. Prior to joining Mandiant, Mr. Alsaheel acted as a software developer for the National Company of Telecommunication and Information Security - NCTIS. During this time, he developed and optimized the security posture of different communication systems. Mr. Alsaheel also worked as an independent Security Consultant, developing secure coding guidelines, performing threat modeling and conducting source-code reviews.
  • Raghav Pande - FireEye Inc.
    Raghav Pande works on Product Research at FireEye. He is focused on a broad spectrum of software development, reverse engineering, software exploitation and system security. He has developed private automated analysis engines for exploit detection as well as malware analysis, and in his spare time tries to strengthen them. His research interests include developing detection systems, evasion research, product architecture innovation and operating system design. On the internet he does very little blogging and goes by the handle r41p41.
