Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a project that adds security mitigations to user-mode programs beyond those built into the operating system. It runs inside "protected" programs as a Dynamic Link Library (DLL) and makes various changes in order to make software exploitation expensive. If an attacker can bypass EMET with significantly less work, that defeats EMET's purpose of increasing the cost of exploit development. In this briefing we discuss the protections EMET offers, how each of them can individually be evaded by manipulating the validation code, and then a generic disabling method that applies to multiple endpoint products and sandboxing agents which rely on injecting their own DLL into host processes in order to protect them. Note that Microsoft issued a patch to address this very issue in EMET 5.5 in February 2016. EMET was designed to raise the cost of exploit development, not as a "fool-proof exploit mitigation solution". Consequently, it is no surprise that attackers who have read/write capabilities within the process space of a protected program can bypass EMET by systematically defeating its mitigations. As long as the mitigation and the attacker's code share the same address space, no complete defensive solution can prevent exploitation.
The talk will focus on how easy it is to defeat EMET or any other agent: how secure any endpoint exploit prevention/detection solution that relies on same-address-space validations really is, and how such solutions can be defeated with their own checks or by circumventing and evading their validation. Moreover, it will also cover targeted EMET evasion, i.e. the case where the attacker knows EMET is installed on the victim machine. The methods applied to EMET can be applied to other enterprise products and were tested on many during our research.
Abdulellah Alsaheel is a Security Consultant in Mandiant's Riyadh office. Mr. Alsaheel is focused on software security assessments, exploit development and malware reverse engineering. Prior to joining Mandiant, Mr. Alsaheel acted as a software developer for the National Company of Telecommunication and Information Security - NCTIS. During this time, he developed and optimized the security posture of different communication systems. Mr. Alsaheel also worked as an independent Security Consultant, developing Secure Coding Guidelines, Threat Modeling and conducting source-code reviews.
Raghav Pande works on Product Research at FireEye. He is focused on a broad spectrum of Software Development, Reverse Engineering, Software Exploitation and system security. He has developed private automated analysis engines for exploit detection as well as malware analysis and in his spare time tries to strengthen them. His research interests include working on developing detection systems, evasion research, product architecture innovation and Operating system design. On the internet he does very little blogging and goes by the handle r41p41.